Weekly Threat Report, February 01 - 05, 2021

From the good news:

Apple has patched 57 security vulnerabilities in its latest macOS Big Sur 11.2 release, including a number of serious bugs that could allow an attacker to take control of a target device.

ValidCC, a dark web marketplace that had been selling stolen payment card data for more than six years, has been shut down by law enforcement in a coordinated operation.

IBM announced $3 million in grants that it will award to six chosen school districts in the US to help schools defend against cyber threats.

Twitter, Instagram, TikTok, and other platforms are slowly reclaiming accounts stolen by hackers affiliated with OGUsers, the online marketplace for trading short, sought-after social media and gaming handles.

From the bad news:

Scammers demand ransom from organizer of Miss England beauty contest

The Miss England beauty pageant, a popular beauty contest in the UK, was targeted in an online scam. Hackers tricked the contest organizer into handing over Instagram account details. The organizer received a message that appeared to come from Instagram, asking her to open a link in order to prevent the closure of the pageant’s account. She was then asked for her mobile number and to send back the code that was delivered to it. That code is the one-time verification code Instagram uses to confirm a password reset, so with it the hackers were able to change the password and take control of the account. The organizer contacted Action Fraud, which helped to restore the account.

Crypto scam on Discord

Kaspersky warns that scammers are sending private messages to Discord users announcing a new cryptocurrency giveaway. The messages appear to come from new, upcoming cryptocurrency exchanges and promise free Bitcoin or Ethereum. Each message contains a link to register on the fake exchange. After the victim completes the sign-up process, the scammers demand a small deposit in BTC, ETH, or USD “to process the gift.” The deposit, of course, is gone for good, and any credentials entered on the fake exchange should be treated as compromised.

New Kobalos backdoor targets high-profile organizations running Linux

ESET’s researchers have documented a Linux backdoor named Kobalos that has been found on supercomputers and high-performance computing clusters, as well as on several privately held servers in North America, Europe, and Asia. Kobalos is a generic backdoor in the sense that its commands are broad and do not reveal the attackers’ intent: it grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers. On most compromised systems the operators also stole credentials, using a trojanized OpenSSH client that records the username, password, and target host of outgoing SSH sessions. The backdoor itself is usually embedded in the OpenSSH server executable (sshd), and its code is triggered only when an inbound connection arrives from a specific TCP source port, so it hides behind what looks like a normal SSH service on port 22. The level of sophistication is higher than that of most Linux malware, and it is hard to detect. Organizations running affected systems are advised to review their security posture, verify the integrity of their ssh and sshd binaries against the distribution’s package signatures (for example with rpm -V openssh-server), and enable two-factor authentication for SSH, since stolen credentials appear to be the main way the malware spreads between systems.
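An added example, not part of the original report or of ESET’s published tooling, showing a first-pass hunt for the trigger behaviour described above: a legitimate SSH client takes a random ephemeral source port, so a client that binds a fixed source port stands out as a low port or as the same port recurring across sessions and hosts. The log lines are constructed sshd records (LogLevel VERBOSE), the thresholds are assumptions to tune per environment, and the actual port Kobalos listens for is not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (as written to auth.log with LogLevel VERBOSE).
# These are made-up records for the example, not data from the ESET report.
SAMPLE_LOG = """\
Feb  3 09:01:12 hpc01 sshd[4011]: Connection from 198.51.100.23 port 51377 on 10.1.0.5 port 22
Feb  3 09:01:13 hpc01 sshd[4011]: Accepted publickey for alice from 198.51.100.23 port 51377 ssh2: ED25519 SHA256:3f2cQx
Feb  3 09:07:44 hpc01 sshd[4090]: Connection from 198.51.100.23 port 51402 on 10.1.0.5 port 22
Feb  3 11:15:02 hpc01 sshd[4311]: Connection from 203.0.113.9 port 3117 on 10.1.0.5 port 22
Feb  3 11:15:02 hpc01 sshd[4311]: Connection closed by 203.0.113.9 port 3117 [preauth]
Feb  3 14:40:31 hpc01 sshd[4720]: Connection from 203.0.113.9 port 3117 on 10.1.0.5 port 22
Feb  3 14:40:31 hpc01 sshd[4720]: Connection closed by 203.0.113.9 port 3117 [preauth]
Feb  4 02:12:09 hpc01 sshd[5102]: Connection from 192.0.2.41 port 3117 on 10.1.0.5 port 22
Feb  4 02:12:10 hpc01 sshd[5102]: Connection closed by 192.0.2.41 port 3117 [preauth]
"""

# Only "Connection from" lines carry the client's source port for every attempt,
# including attempts that never reach authentication.
CONN_RE = re.compile(r"sshd\[\d+\]: Connection from (\S+) port (\d+) on \S+ port \d+")

# Assumed thresholds (tune per environment): Linux clients pick ephemeral ports
# from 32768 upward by default, so a lower source port is unusual for an
# interactive SSH client, and the same source port recurring across sessions or
# across client hosts is what a client that deliberately binds a fixed port looks like.
EPHEMERAL_MIN = 32768
REUSE_THRESHOLD = 3


def parse_connections(log_text):
    """Return (client_ip, source_port) for every inbound connection attempt."""
    return [(m.group(1), int(m.group(2)))
            for m in (CONN_RE.search(line) for line in log_text.splitlines()) if m]


def analyze(log_text, ephemeral_min=EPHEMERAL_MIN, reuse_threshold=REUSE_THRESHOLD):
    """Flag connections whose source port looks chosen rather than ephemeral."""
    conns = parse_connections(log_text)
    low_port = [(ip, port) for ip, port in conns if port < ephemeral_min]
    seen = defaultdict(list)            # source port -> client IPs that used it
    for ip, port in conns:
        seen[port].append(ip)
    reused = {port: sorted(set(ips)) for port, ips in seen.items()
              if len(ips) >= reuse_threshold}
    return {"connections": conns,
            "low_source_port": low_port,
            "reused_source_port": reused}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, port in report["low_source_port"]:
        print(f"low source port: {ip}:{port}")
    for port, ips in report["reused_source_port"].items():
        print(f"source port {port} reused by {len(ips)} client(s): {', '.join(ips)}")
```

A caveat: a trojanized sshd may simply not log the backdoor sessions, so run the same check over firewall or flow logs for port 22 rather than trusting auth.log alone, and treat the log heuristic as a pointer to hosts whose sshd binary then needs an integrity check.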

Vulnerability in Libgcrypt Encryption Library

Organizations using Libgcrypt, the open-source cryptographic library behind GNU Privacy Guard (GnuPG), are urged to update after the discovery of a severe vulnerability that can lead to remote code execution and full compromise of the affected system. The flaw, found by Google Project Zero researcher Tavis Ormandy, is a heap buffer overflow in Libgcrypt 1.9.0 that is triggered simply by decrypting attacker-supplied data, so no user interaction beyond processing a message is required. Only the 1.9.0 release is affected; the maintainers have shipped a fixed 1.9.1 and advise anyone on 1.9.0 to upgrade immediately or fall back to the 1.8.x branch.

Hackers attempt to exploit SonicWall zero-day

Cyber criminals continue to attempt exploitation of a zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 series appliances that was first disclosed last month. NCC Group, a cyber security consultancy, now reports that it has observed exploitation attempts in the wild. SonicWall has confirmed that SMA 100 series devices running 10.x firmware are vulnerable and has urged customers to install the firmware update it has released; its advisory also recommends enabling multi-factor authentication on the appliances and resetting user passwords once patched.

VMware ESXi hypervisor flaws abused again

Researchers warn that ransomware operators are again abusing two VMware ESXi hypervisor flaws to encrypt victims’ virtual disks. The vulnerabilities, CVE-2019-5544 and CVE-2020-3992, are not new: both sit in ESXi’s OpenSLP implementation of the Service Location Protocol (SLP), a discovery service listening on port 427. Last year the RansomExx gang sent malicious SLP requests to exposed ESXi hosts, gained code execution on the hypervisor, and from there encrypted the virtual machines it hosted, compromising many corporate systems from a single foothold. Patches exist for both CVEs; where patching is not immediately possible, VMware’s documented workaround is to stop and disable the SLP service (slpd) on the host and block port 427 at the ESXi firewall.

DDoS attacks on Plex Media Servers

Vulnerabilities in Plex Media Server, a popular personal media library and streaming system, can be abused for reflection/amplification DDoS attacks, according to research by NETSCOUT Arbor. A Plex instance that answers SSDP discovery requests from the internet returns a response larger than the query to whatever source address the query claims, so an attacker who spoofs a victim’s address turns the server into a traffic source aimed at that victim. Network operators are advised to scan their address space for Plex Media SSDP reflectors/amplifiers and to filter or rate-limit unsolicited inbound SSDP traffic to those hosts at the network edge.
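An added example, not taken from the NETSCOUT advisory or from Plex, of the operator check described above: given flow records from a collector, find local hosts whose UDP replies on the Plex discovery port to internet peers carry far more bytes than the queries that triggered them. The flow records are constructed, the local prefix is an assumption, and the port number is a parameter the operator should set from the advisory rather than a value the page states.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records in the shape a NetFlow/IPFIX collector exports:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets). Made-up traffic.
FLOWS = [
    ("203.0.113.5", 40121, "192.0.2.10", 32414, "udp",  64,  1),  # probe from the internet
    ("192.0.2.10",  32414, "203.0.113.5", 40121, "udp", 300,  1),  # Plex answers, much larger
    ("203.0.113.7",    80, "192.0.2.10", 32414, "udp",  64,  1),  # spoofed source: a victim's web port
    ("192.0.2.10",  32414, "203.0.113.7",    80, "udp", 300,  1),  # reply lands on the victim
    ("203.0.113.7",    80, "192.0.2.10", 32414, "udp",  64,  1),
    ("192.0.2.10",  32414, "203.0.113.7",    80, "udp", 300,  1),
    ("203.0.113.5", 40122, "192.0.2.20", 32414, "udp",  64,  1),  # host whose reply is not amplified
    ("192.0.2.20",  32414, "203.0.113.5", 40122, "udp",  64,  1),
    ("203.0.113.9", 51000, "192.0.2.10",    22, "tcp", 900, 12),  # unrelated TCP traffic, ignored
]

LOCAL_NET = ip_network("192.0.2.0/24")   # assumed: the operator's own address space
PLEX_SSDP_PORT = 32414                   # assumed: set from the advisory for your deployment


def find_amplifiers(flows, local_net=LOCAL_NET, port=PLEX_SSDP_PORT, min_ratio=3.0):
    """For each local host answering on `port`, compare UDP bytes sent to the
    internet against UDP bytes received from it. A ratio well above 1 means the
    host is usable as a reflector/amplifier; `peers` lists the addresses the
    replies were sent to, i.e. probers or spoofed victims."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "peers": set()})
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dport == port and dst_ip in local_net and src_ip not in local_net:
            stats[dst]["in_bytes"] += nbytes          # query arriving from outside
        elif sport == port and src_ip in local_net and dst_ip not in local_net:
            stats[src]["out_bytes"] += nbytes         # reply leaving to outside
            stats[src]["peers"].add(dst)
    flagged = {}
    for host, s in stats.items():
        if s["in_bytes"] == 0:
            continue                                  # nothing to compare against
        ratio = s["out_bytes"] / s["in_bytes"]
        if ratio >= min_ratio:
            flagged[host] = {"ratio": round(ratio, 2),
                             "out_bytes": s["out_bytes"],
                             "peers": sorted(s["peers"])}
    return flagged


if __name__ == "__main__":
    for host, info in find_amplifiers(FLOWS).items():
        print(f"{host}: amplification {info['ratio']}x, "
              f"{info['out_bytes']} bytes sent to {', '.join(info['peers'])}")
```

The ratio threshold is deliberately low so that modest amplifiers are still surfaced; the hosts it lists are the ones to put behind an inbound filter on the discovery port, after which the same script run on the next day’s flows should return nothing.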

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.