Blue Team Blog Blue Team Cybersecurity Blog
This Week in Cybersecurity Vol 16

by blueteamblog

Welcome to Volume 16 of "This Week in Cyber Security". Thanks for subscribing; let's get into this week's news.

A hacker has reportedly breached the US data leak monitoring service DataViper. The data offered for sale includes over 8,200 databases containing the correlated records of billions of breached users. However, the site's owner, Vinny Troia, claims the hacker in fact only breached a test server and is selling their own data. See the full article here.

Hackers have breached Collabera, the US-based IT consultancy giant, using ransomware. The stolen data includes a variety of PII from the business, which employs over 16,000 people, but there is no indication yet of fraud using these details. The breach occurred on the 10th of June (around the time Maze claimed to have hacked them), although the perpetrators have not been definitively identified as of yet.

SAP has patched a critical vulnerability in the LM Configuration Wizard component of the NetWeaver Application Server Java platform. CVE-2020-6287, named RECON, allows an unauthenticated attacker to take control of SAP applications. Where the patch cannot be applied immediately, SAP's interim mitigation is to disable the LM Configuration Wizard service. Read full details of the CVSS 10-rated vulnerability, which potentially affects 40,000 servers, here.

Microsoft will provide Office 365 customers with disposable email addresses (plus addressing) from Q3 of this year. For example, mail sent to test+blueteamblog@test.com is delivered to the test@test.com mailbox, with the tag left intact in the recipient address. This lets users filter email more easily and see which sites are responsible for the spam or malicious attachments reaching their mailboxes. Bear in mind that the tag is trivially stripped by anyone who recognises the convention, so it is an attribution aid rather than a control.
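As an added illustration (not code from the original post or from Microsoft), the following Python shows how the attribution works in practice: split each recipient address into base mailbox and plus-tag, then group the senders that hit each tag. The message records and addresses below are constructed sample data; the regex, the function names and the "no tag" bucket label are this example's own choices.

```python
"""Attribute inbound mail to the plus-address tag it was sent to."""
import re
from collections import defaultdict

# local+tag@domain splitter. The domain is compared case-insensitively
# (SMTP domains are), the local part and tag are kept as written.
ADDR_RE = re.compile(r"^(?P<local>[^+@\s]+)(?:\+(?P<tag>[^@\s]+))?@(?P<domain>[^@\s]+)$")


def split_subaddress(addr: str):
    """Return (base_address, tag) for a recipient; tag is None when absent."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a plain mailbox address: {addr!r}")
    base = f"{m['local']}@{m['domain'].lower()}"
    return base, m["tag"]


def attribute_by_tag(messages, mailbox):
    """Group sender addresses by the tag on the recipient, for one base mailbox.

    Messages to other mailboxes are ignored; untagged mail goes under '<no tag>'.
    """
    by_tag = defaultdict(list)
    for msg in messages:
        base, tag = split_subaddress(msg["to"])
        if base.lower() != mailbox.lower():
            continue
        by_tag[tag or "<no tag>"].append(msg["from"])
    return dict(by_tag)


# Constructed sample: what a user sees after registering a different tag at
# each site. The 'forum' tag has started receiving bulk mail, which tells the
# user which registration leaked.
SAMPLE = [
    {"from": "noreply@shop.example", "to": "test+shop@test.com"},
    {"from": "promo@shop.example",   "to": "test+shop@test.com"},
    {"from": "bulk@spam.example",    "to": "test+forum@TEST.COM"},
    {"from": "hr@corp.example",      "to": "test@test.com"},
    {"from": "bulk@spam.example",    "to": "other@test.com"},  # different mailbox
]

if __name__ == "__main__":
    for tag, senders in attribute_by_tag(SAMPLE, "test@test.com").items():
        print(f"{tag}: {senders}")
```

The same grouping can be run over an export of the mailbox's message headers; the interesting rows are tags that only one site should know but that now receive mail from unrelated senders.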

LiveAuctioneers (the worldwide auction site offering real-time bidding) has disclosed a data breach affecting 3.4 million users. The data includes email addresses, usernames and MD5-hashed passwords (3 million of which have already been cracked), amongst other information, and is being sold for $2.5k. The cracking rate is no surprise: unsalted MD5 is fast to compute and a candidate hash can be checked against every account at once. See full details here.
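To show why an MD5 password dump falls so quickly, here is an added Python example (not from the original post or from LiveAuctioneers) that runs the same dictionary attack against an unsalted MD5 dump and against records stored with a per-user random salt and PBKDF2. The wordlist, the dump and the user names are constructed; the functions also count how many hash computations the attack needed, which is the point of the comparison.

```python
"""Unsalted MD5 versus salted PBKDF2: same wordlist, very different attacker cost."""
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "auction2020"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack_unsalted_md5(dump, wordlist):
    """Attack {user: md5hex}. Returns (recovered, hashes_computed).

    With no salt, each candidate is hashed ONCE and looked up against every
    account, so the cost is len(wordlist) regardless of how many users there are.
    """
    table = {md5_hex(w): w for w in wordlist}  # a rainbow table in miniature
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


def pbkdf2_record(password: str, iterations: int = 100_000) -> dict:
    """Store a per-user random salt plus a slow hash; the salt is not secret."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(records, wordlist):
    """Same wordlist against salted records. Returns (recovered, kdf_runs).

    Every (user, candidate) pair costs a full KDF run because the salt differs
    per user; nothing can be precomputed or shared between accounts.
    """
    recovered, runs = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            runs += 1
            if verify_pbkdf2(rec, w):
                recovered[user] = w
                break
    return recovered, runs


# Constructed dump, built from known passwords so the demo is self-contained.
PASSWORDS = {
    "alice": "password",
    "bob": "auction2020",
    "carol": "correct horse battery staple",  # not in the wordlist: survives either way
}
UNSALTED_DUMP = {u: md5_hex(p) for u, p in PASSWORDS.items()}
SALTED_DUMP = {u: pbkdf2_record(p) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print(crack_unsalted_md5(UNSALTED_DUMP, WORDLIST))  # 2 recovered, 5 hashes
    print(crack_salted(SALTED_DUMP, WORDLIST))          # 2 recovered, 11 KDF runs
```

The recovered set is the same in both cases (weak passwords stay weak), but the salted run needed one slow KDF evaluation per user per candidate, and that factor grows with the number of accounts and the iteration count, which is exactly what an unsalted MD5 dump lacks.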

Check Point researchers reported in July a large spike in the Phorpiex botnet delivering Avaddon ransomware, which moved it from 15th to 2nd in their top-malware list between May and June, doubling its impact on organisations worldwide. Read the full Check Point research post here.

A new ransomware named AgeLocker is abusing age, the file encryption tool created by Filippo Valsorda, Go security lead at Google. Age was designed as a simple, modern replacement for GPG and uses X25519, ChaCha20-Poly1305 and HMAC-SHA256 to encrypt files. That makes it attractive to threat actors: the cryptography is sound, so without the attacker's private key there is no weakness to exploit for file recovery. Read the forum discussion here.

Adobe this week released updates to patch 13 security vulnerabilities affecting five of its widely used applications. Of these, four are rated critical and nine high. Read a full breakdown of the vulnerabilities and patches here.

Check Point researchers have found a critical vulnerability in the Windows DNS Server role affecting Windows Server 2003 through 2019. CVE-2020-1350, named SigRed and given a CVSS score of 10, allows an unauthenticated remote attacker to execute code on the DNS server (which in most environments is a domain controller) and from there obtain domain admin privileges; it is wormable, so patch DNS servers first. Where patching has to wait, Microsoft's registry workaround (set TcpReceivePacketSize to 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, then restart the DNS service) caps the TCP DNS message size that triggers the bug. See the detailed report with patches and mitigation advice here.

On top of this vulnerability, Microsoft's Patch Tuesday also fixed another 17 critical vulnerabilities and 105 classed as Important. These include critical vulnerabilities in Edge and the VBScript engine; read full details here.

Details of 142 million MGM Resorts guests are being sold on a dark web marketplace for $2.9k. This is far more than the 10.6 million reported back in February (the original breach having occurred a year earlier). To complicate things further, posts on Russian forums suggest details of over 200 million guests are actually available in total, including a lot of PII.

Cisco has released security updates to address several vulnerabilities in its router and firewall devices, along with a vulnerability in Cisco Prime License Manager. All are rated critical, each with a CVSS score of 9.8. See all the latest vulnerabilities here.

130 high-profile Twitter accounts were hijacked on Wednesday and used to push a bitcoin scam: each account tweeted a promise to double any bitcoin sent to it, an obvious scam. It has since been reported that data was also siphoned from some accounts during the incident, though which accounts were targeted and what was taken remains unclear. In total, those responsible made off with over $100,000 in bitcoin.

The APT29 threat group (also known as Cozy Bear, The Dukes and Yttrium) is targeting organisations involved in the research and development of a coronavirus vaccine. The UK NCSC has released an advisory detailing these attacks against organisations in Canada, the US and the UK. Read the full advisory here.

ThreatFabric researchers have discovered a new strain of the BlackRock Android malware. The updated version uses a new target list covering social, networking, communication and dating apps, on top of its usual feature of stealing financial credentials. Read the full report here.

IBM X-Force researchers have discovered five hours of training material from the state-sponsored threat group ITG18 (also known as Charming Kitten, Phosphorus and APT35). The 40 GB of data was found on an exposed, misconfigured virtual private cloud server. Read the full report here.

On the 15th of July, the Nefilim ransomware operators announced they had breached Orange's Business Services division, which is responsible for remote support, virtual workstations, systems security and cloud services. Orange has since advised that the breach occurred between the 4th and 5th of July, with 20 customers affected. Read the original article here.

Emotet has sprung back to life this week, with its botnet sending reply-chain, shipping, payment and invoice spam carrying malicious Word documents whose macros fetch the loader. The last activity seen from the botnet was on the 7th of February. To keep up to date with its activity, check out https://twitter.com/Cryptolaemus1
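A first-line check for this kind of campaign is simply whether an inbound Office attachment carries a VBA project at all. The Python below is an added example (not from the original post, and not Emotet's or anyone's tooling) that inspects the file's bytes: for OOXML packages (.docx/.docm/.xlsm) it looks for the vbaProject.bin part or a macro-enabled content type, and for legacy OLE files (.doc/.xls) it uses a marker heuristic rather than a full compound-file parse. The sample documents are constructed in memory; the vbaProject.bin contents in them are a placeholder, not real VBA.

```python
"""Flag Office attachments that carry VBA macros, the Emotet maldoc pattern."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (legacy .doc/.xls) signature
MACRO_CONTENT_TYPES = (
    b"application/vnd.ms-word.document.macroEnabled.main+xml",
    b"application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    b"application/vnd.ms-office.vbaProject",
)


def has_vba_macros(data: bytes) -> dict:
    """Return {'format', 'macros', 'reason'} for the raw bytes of an Office file."""
    if data.startswith(OLE_MAGIC):
        # OLE stream names are stored UTF-16LE; every VBA project has a
        # '_VBA_PROJECT' stream. Heuristic: a real parser would walk the directory.
        marker = "_VBA_PROJECT".encode("utf-16-le")
        hit = marker in data
        return {"format": "ole", "macros": hit,
                "reason": "found _VBA_PROJECT stream" if hit else "no VBA stream"}
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
                if "[Content_Types].xml" not in names:
                    return {"format": "zip", "macros": False, "reason": "not an OOXML package"}
                vba = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
                if vba:
                    return {"format": "ooxml", "macros": True, "reason": f"{vba[0]} present"}
                ct = z.read("[Content_Types].xml")
                if any(t in ct for t in MACRO_CONTENT_TYPES):
                    return {"format": "ooxml", "macros": True, "reason": "macro-enabled content type"}
                return {"format": "ooxml", "macros": False, "reason": "no vbaProject part"}
        except zipfile.BadZipFile:
            return {"format": "zip", "macros": False, "reason": "corrupt zip"}
    return {"format": "unknown", "macros": False, "reason": "unrecognised container"}


def _build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal Word package: just enough parts for the checks above."""
    main_ct = (b"application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   b'<Types><Override PartName="/word/document.xml" ContentType="' + main_ct + b'"/></Types>')
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


# Constructed samples: a clean .docx, a macro-enabled .docm, a legacy .doc with a VBA stream.
DOCX_CLEAN = _build_ooxml(False)
DOCM_MACRO = _build_ooxml(True)
DOC_LEGACY_MACRO = OLE_MAGIC + b"\x00" * 32 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in [("docx", DOCX_CLEAN), ("docm", DOCM_MACRO), ("doc", DOC_LEGACY_MACRO)]:
        print(label, has_vba_macros(blob))
```

Presence of a macro is a triage signal, not a verdict: legitimate documents carry macros too, and a proper analysis of the VBA itself is the next step. The extension is deliberately ignored here because a renamed .docm still opens as a macro-enabled document.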

The All in One SEO plugin, installed on over 2 million WordPress sites, was vulnerable to stored cross-site scripting (malicious script injection) by users with Contributor-level access or above. Read the full report and details from Wordfence here.

1.2 TB of user logs were found on an unsecured Elasticsearch cluster. Initially thought to affect only UFO VPN, it turns out that six further related "no log" VPN providers were storing their users' data too (and then failed to secure it). Read the reports from Comparitech and vpnMentor here.

Thanks for reading this week's newsletter, I hope you enjoyed it. Do you have anything to comment on what I said, or did I miss anything? Contact me at https://twitter.com/blueteamblog
