Coronavirus Themed Phishing Malware Ransomware Rise on Internet

Hello all penguins, The government agencies are experiencing coronavirus themed attacks phishing malware and ransomware scams ramped up as coronavirus becomes a pandemic and Microsoft fixes in SMB flaw all that coming up now on in this article. The first one is all about the HHS. more on that in a bit now with any widespread issue also comes the threat of cyber attacks in coronavirus is no different. The US Health and Human Services department reported on Monday via Bloomberg that an attack on their systems was active over the weekend but it did not do any damage or steal any data reporter suggests that this attack was fully intended to just slow the agency systems by attacking them with a distributed denial-of-service attack.

The US HHS did state that they saw a surge in activity but they are fully operational and that their own preparations for their staff working remotely will defend against malicious activity. A foreign state-sponsored actor is suspected to be the attacker in this case but no confirmation was given publicly regarding.

This possibility now is not the only government-related cybersecurity issue related to the outbreak either. The National Security Council sent out a warning on Sunday. Regarding a tweet stating that any messages talking about a nationwide quarantine are fake and there are no government lockdowns reported related to a text message. That was spreading like wildfire this incident was related to the H. H. S. attack but no other information is currently available regarding the 2 attacks and how they are actually related an investigation into. These attacks are currently underway.

Trojan horse to steal cookies.

There are a lot of scams and phishing campaigns happening right now related to covid19. So it is important to be mindful of any potential for an attack here are just a few of the ways that attackers and criminals are using. The current panic to take advantage of unsuspecting individuals a coronavirus map was acting as a Trojan horse to install malware on end-user machines.

Which could steal passwords usernames and a lot more reasonlab security researcher shy al Fauci analyze malware that malware hunter team found hidden inside a coronavirus map downloadable application. That could still credentials stored on the user’s browser on their client machine.

This map shows the current infections on a world view so obviously, everybody is interested once the map application is downloaded. The malware which is called Ezo rolt is used as this information stealer to siphon off browsing history cookies IDs and passwords cryptocurrency and pretty much whatever else. So it can get its hands on this malware is not new it was first discovered in 2016 and it is commonly found on Russian underground forums. The Ezo rolt comes in a few different variants 1 of which can create an administrative account on the infected machine. Which can allow the attacker to connect via RDP.

The malware is embedded in the corona-virus-map.com.exe download it as a win32 executable file with a small payload of less than 4mb. So if you want to stay aware of current totals don’t download anything just simply pay a visit to Johns Hopkins University online to see a map that is actively being updated and that link is HERE. However, don’t worry this one is safe this and other downloadables maybe send in chain mail inspired emails that insight into emotional response and that’s what you should look out for.

Using emails to affect victims.

In one example in advanced persistent threat, the group is using covid19 to spread malware in a campaign dubbed vicious panda researchers with checkpoint research state. That this attack uses to rich text format or RTF files to target Mongolian public sector workers. It is sent via email and once opened it can screenshot the device and send the attacker. The list of the files and directories and a lot more about those affected machines. The email urges Mongolian workers to inform victims about infections of the pandemic and it appears to be derived from a Chinese hacking group.

Another attack, on the other hand, deriving from the Russian hacking group called Hades was carried out in February using a backdoor. Trojan to spread disinformation and lastly, an app called covid19 tracker is actually being used as ransomware, not as an outbreak map tracker like.

It appears to be this ransomware is used to request $100 and bitcoin within 48hours or everything on your phone will be erased and social media accounts will be leaked publicly whatever That means this one is hosted on a website, not via the Google play store but Android users could download it from the website. If they were directed there it requests access to lock screen and accessibility settings over the lock will lock the screen. So with the ransom note and users since android 7 can’t unlock with the password which appears to bypass the ransomware and keep you safe. This one is avoidable by strictly downloading apps from the Google play store and keeping your OS updated.

These kinds of attacks will likely ramp up in frequencies as more users work from home. So cybercriminal start targeting folks who would usually be on a secure internal company network.

Keep an eye out for suspicious emails or attachments and don’t download them. However, double-check that any charity is a legitimate one before donating money. Lastly, if you do see random Facebook groups or data shared on Twitter make sure that it is legitimate and not a misinformation campaign. It’s important to take strides to protect yourself not only physically out in the world as we all should do but in this connected world.

Microsoft delivers emergency patch to fix wormable Windows 10 flaw

Lastly, for this article some security news not related to the virus. Microsoft issued an advisory on March 10 regarding vulnerability and SMB version 3 stating that a client and server remote code execution vulnerability was CVE 20200796 was affecting.

The server message block 3.1.1 this can allow an attacker to sign code and execute code on a server or client with SMB it is only present in the 32 and 64-bit versions of the windows 10 copies. The clients and servers so those are versions 1903 and 1909 it’s also difficult to explain but this was still deemed critical because of its ability to worm meaning an attack using this vulnerability could spread from machine to machine without user interaction now Microsoft does not believe this flaw is being exploited currently but it could be in the future when it went public due to an accidental leak by a cybersecurity company Microsoft ended up patching the issue 2 days later.

Reference: arstechnica linuxcan.com

Leave a Comment