Cybersecurity Weekly Briefing June 20-26

ElevenPaths    26 June, 2020

Millions of User Records Exposed on an Oracle Server

Security researcher Anurag Sen has found an exposed database containing millions of records belonging to BlueKai, a company owned by Oracle. BlueKai is one of the largest web tracking companies and collects third-party data for use in targeted marketing. The incident occurred after a server was left open without a password, exposing millions of people’s records. The affected data includes people’s names and surnames, email addresses, home addresses, detailed web browsing activity, purchases, and more, since BlueKai collects all this raw web browsing data for later sale in anonymised form. Oracle received the notice from the researcher and has conducted an internal investigation to resolve the incident.

Learn more: https://techcrunch.com/2020/06/19/oracle-bluekai-web-tracking/

New Malicious Campaign on COVID-19 Using Trickbot

Trustwave researchers have detected a new COVID-19-related malicious campaign that infects victims with the Trickbot malware. This time, the threat actors are using phishing emails as the attack vector, impersonating a volunteer organisation that offers financial help to those in need as a result of the pandemic. Victims are encouraged to open two identical malicious JNLP files attached to the email. Once the victim executes one of these files, the infection proceeds by downloading and running “map.jar”, which opens an official WHO page in order to deceive the victim. The malware then downloads the Trickbot banking trojan, which, in addition to stealing bank credentials, can steal other information and download further malware. Trustwave notes that this is the first time JNLP files have been observed as a TrickBot infection vector, and that the use of this file format to infect victims is uncommon.

More info: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trickbot-disguised-as-covid-19-map/
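A JNLP launcher is a small XML file whose only job is to tell Java Web Start which jar to download and run, so an incident responder triaging such an attachment mostly wants three facts from it: the codebase, the jar URLs it resolves to, and whether it asks for all-permissions. The following parser is an added example written for this briefing, not code from Trustwave or from the campaign; the sample JNLP is constructed and the host `example.invalid` is a placeholder, not an indicator from the campaign.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample launcher (assumption: typical JNLP layout, no XML namespace).
# The host example.invalid is a placeholder and not a real indicator.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app/" href="launch.jnlp">
  <information><title>COVID-19 Map</title><vendor>Unknown</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="map.jar" main="true"/>
  </resources>
  <application-desc main-class="Map"/>
</jnlp>
"""


def triage_jnlp(text):
    """Extract the facts a responder needs from a JNLP attachment.

    Returns a dict with the codebase, the fully resolved jar URLs, the
    declared main class, and a list of human-readable findings.
    """
    root = ET.fromstring(text)
    codebase = root.get("codebase", "")
    # Relative jar hrefs are resolved against the codebase, exactly as
    # Java Web Start does, so the responder sees the real download URL.
    jars = [urljoin(codebase, jar.get("href", "")) for jar in root.iter("jar")]
    main_class = None
    app = root.find("application-desc")
    if app is not None:
        main_class = app.get("main-class")

    findings = []
    if root.find("./security/all-permissions") is not None:
        findings.append("requests all-permissions (full access outside the sandbox)")
    codebase_host = urlparse(codebase).hostname
    for url in jars:
        parsed = urlparse(url)
        if parsed.scheme == "http":
            findings.append(f"jar fetched over plain http: {url}")
        if parsed.hostname != codebase_host:
            findings.append(f"jar hosted outside the codebase host: {url}")
    if not jars:
        findings.append("no jar resources declared")

    return {
        "codebase": codebase,
        "jars": jars,
        "main_class": main_class,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_jnlp(SAMPLE_JNLP)
    print("codebase :", report["codebase"])
    print("main     :", report["main_class"])
    for url in report["jars"]:
        print("jar      :", url)
    for finding in report["findings"]:
        print("finding  :", finding)
```

The resolved jar URLs are what you block at the proxy and search for in web logs; the all-permissions flag is the part that explains how a launcher like this can drop a second-stage payload at all.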

AMD Identifies SMM Callout Flaws

AMD has disclosed three high-severity vulnerabilities, which the company has named SMM Callout. They affect some of its laptop and embedded processors released between 2016 and 2019. These flaws could allow an attacker with physical access to a machine with an embedded AMD processor, or one previously infected with malware, to execute arbitrary code without being detected by the operating system. The company released a fix for one of the three bugs on June 8 (CVE-2020-14032). AMD has announced that it plans to release the patches for the remaining two bugs (CVE-2020-12890 and a third without a CVE identifier) by the end of June.

All the details: https://threatpost.com/amd-fixes-for-high-severity-smm-callout-flaws-upcoming/156787/

Sodinokibi/REvil Scanning for PoS Software

Symantec researchers have detected a targeted campaign by the Sodinokibi ransomware, also known as REvil, in which the threat actors appear to be scanning victims’ networks for credit card or point-of-sale (PoS) software. The attackers use Cobalt Strike to deploy the ransomware on victims’ systems. According to the researchers, eight organisations were found to have been attacked with Cobalt Strike during this campaign, and three of them were subsequently infected with Sodinokibi. The attackers also leverage legitimate tools such as the NetSupport remote control software in the course of the campaign. To date, it is unknown whether the attackers are targeting PoS terminals in order to encrypt their software or to profit by other means.

More info: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos

VMware Fixes Critical Vulnerabilities

VMware has released security updates that fix bugs in its ESXi, Workstation and Fusion products. Among these vulnerabilities is a critical one (CVE-2020-3962, CVSSv3 9.3) that affects the SVGA device and could allow a threat actor inside a virtual machine to execute arbitrary code on the hypervisor. To mitigate this threat, users are advised to upgrade VMware Fusion to version 15.5.5, and VMware ESXi to ESXi_7.0.0-1.20.16321839, ESXi670-202004101-SG, or ESXi650-202005401-SG. Since the bug lies in 3D graphics acceleration, that feature can also be disabled as a workaround if the software cannot be updated immediately, which prevents the flaw from being exploited. The same updates fix 9 further vulnerabilities with CVSSv3 scores from 4.0 to 8.1.

More info: https://www.vmware.com/security/advisories/VMSA-2020-0015.html
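Where patching has to wait, the practical question is which guests actually have 3D acceleration turned on. The script below is an added example for this briefing, not VMware’s own tooling; it assumes (as in VMware’s published workaround for this advisory) that the per-VM setting lives in the `.vmx` file under the key `mks.enable3d`, with `"TRUE"` meaning enabled, and it treats a missing key as not enabled. The sample VMX content is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: VMware stores the per-VM 3D acceleration switch under this key.
KEY_3D = "mks.enable3d"

# Constructed sample of a guest configuration with 3D acceleration enabled.
SAMPLE_VMX = """.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
displayName = "web-01"
memsize = "4096"
mks.enable3d = "TRUE"
svga.graphicsMemoryKB = "262144"
"""


def parse_vmx(text):
    """Parse the key = "value" lines of a VMX file into a dict (keys lowercased)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.:\-]+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            # VMX keys are case-insensitive, so normalise for lookups.
            settings[m.group(1).lower()] = m.group(2)
    return settings


def has_3d_enabled(text):
    """True when the guest has 3D acceleration switched on."""
    return parse_vmx(text).get(KEY_3D.lower(), "").strip().upper() == "TRUE"


def disable_3d(text):
    """Return the VMX text with 3D acceleration forced off.

    Rewrites an existing mks.enable3d line or appends one if absent, leaving
    every other line untouched so the file remains valid for the hypervisor.
    """
    pattern = re.compile(rf"^\s*{re.escape(KEY_3D)}\s*=", re.IGNORECASE)
    out, found = [], False
    for line in text.splitlines():
        if pattern.match(line):
            out.append(f'{KEY_3D} = "FALSE"')
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f'{KEY_3D} = "FALSE"')
    return "\n".join(out) + "\n"


def audit(vmx_texts):
    """Given {name: vmx_text}, return the names of guests with 3D enabled."""
    return sorted(name for name, text in vmx_texts.items() if has_3d_enabled(text))


if __name__ == "__main__":
    # Usage: python vmx_3d_audit.py /path/to/datastore ...
    # Reads every .vmx under the given directories and reports exposed guests.
    roots = [Path(p) for p in sys.argv[1:]] or []
    texts = {str(f): f.read_text(errors="replace") for r in roots for f in r.rglob("*.vmx")}
    if not texts:
        texts = {"sample(web-01)": SAMPLE_VMX}
    for name in audit(texts):
        print("3D acceleration enabled:", name)
```

Run it against the datastore paths and it lists the guests still exposed; `disable_3d` produces the corrected configuration, which should be applied while the VM is powered off so the hypervisor picks it up on the next boot.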
