Cyber Pulse: Edition 106

Read the latest edition of Cyber Pulse, our round-up of cyber news.

Zoom security issues raise concerns

An ex-NSA researcher disclosed two zero-day security flaws in Zoom's macOS client. The flaws could give local, unprivileged attackers root privileges and allow them to access victims' microphone and camera. Separately, an unpatched UNC path injection vulnerability in the Zoom video conferencing client for Windows can also let attackers steal your Windows login password.

Zoom has committed to patching the recently disclosed flaws, enhancing its bug bounty programme and shifting all of its engineering resources to resolving further issues. It has also committed to addressing transparency concerns, since the application is not actually end-to-end encrypted and Zoom can still access your video meetings.

Beware of fake, repackaged Zoom applications in online app stores. While the user interface is identical to the original application, it comes with extra "functionality" that the user did not sign up for. According to Bitdefender, the malware tries to download its main payload from command and control infrastructure. It asks the device for admin permissions, in English or Russian depending on the device's default language, and is also able to start itself when the device is powered on.

Phishing pandemic: Top phishing sites taking advantage of Covid-19

Data analysed by Atlas VPN reveals the scope of cyber fraud amid the Coronavirus pandemic, including over 300k new websites created in March with coronavirus-related keywords. Downloading Coronavirus maps can also be a serious risk.

Reason Labs delved into this particular threat, although warnings about the map's website had been issued before, cautioning users that such downloads will "steal credentials such as usernames, passwords, credit card numbers and other sensitive information." Users do not need to download apps to be at risk: malicious websites can also infect computers. You should therefore avoid visiting unknown coronavirus sites or clicking random links under any circumstances.

Spear phishing emails continue to impersonate the World Health Organisation (WHO), offering an "Important Communication" about Coronavirus. Research from Fortinet shows the email actually spreads the prolific LokiBot Trojan, which can be acquired for as little as $300 in underground markets.

  • Uk-covid-19.webredirect.org, Hmrc-cov19.payment.estrodev.com:
    The COVID-19 pandemic has caused widespread uncertainty and panic, and we’ve seen a number of phishing sites pop up.
  • account.logins.origin.secure-account-c0-uk.monster (Argos Imitation):
    This domain was mimicking the Argos website, a UK-based catalogue retailer. With the pandemic causing people to panic-buy appliances and other goods, this type of scam could have a large reach.
  • Gb-supportcentre.info (Revolut Imitation):
    Revolut, a financial tech company, recently reported that a small network of scammers had launched a campaign where they posed as Revolut support agents. The important thing to note is that Revolut only provides support via its in-app chat feature.
  • co.uk-validate.live (Three Imitation):
    This domain, posing as the telecoms company, was encountered via a smishing campaign, with the message: “Your contract payment is due but we’re having trouble validating your details,” using the threat of ‘service suspension’ to pressure victims into handing over their details.

Instant bank fraud: Fake message

A message about bank fraud currently being circulated, purportedly from City of London Police, is fake. Action Fraud reported that hoaxes of this sort often include what it calls 'claims to authority' to add credibility. The City of London Police has issued this statement: "City of London Police hasn't issued any alerts about fake messages from Danske Bank." So please don't spread this hoax; you would only add to the fear and uncertainty among any friends and family who might have received such a text message recently.

Newly discovered campaign to infect Microsoft SQL servers

Researchers at Guardicore Labs discovered a crypto-mining botnet, tracked as the Vollgar botnet, that has been targeting MSSQL databases since 2018. The botnet launches brute-force attacks against MSSQL databases to take over servers and install Monero and Vollar cryptocurrency miners. It was first spotted in May 2018, when it was targeting Windows machines running MS-SQL servers to deploy a broad range of malware, including RATs and miners.

The botnet targets MS-SQL servers exposed online with weak credentials and, according to the experts, attackers managed to successfully infect nearly 2,000 to 3,000 installs per day over the past few weeks.

Plugin flaw exposes 100,000 WordPress sites to attack

Administrators of WordPress sites using the Contact Form 7 Datepicker plugin are advised to remove or deactivate it, to prevent attackers from exploiting a stored cross-site scripting (XSS) vulnerability to create rogue admin accounts or take over admin sessions.

Contact Form 7 Datepicker is open-source software that adds a date field to the user interface of the Contact Form 7 WordPress plugin, a contact form management plugin currently used on over 5 million websites. The Datepicker plugin itself was installed on more than 100k WordPress sites. The flaw was discovered by researchers from the Wordfence Threat Intelligence team.

Edited and compiled by QA's Director of Cyber, Richard Beck.
