Pardon the Intrusion

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

In a short span of just a few weeks, a bunch of major firms including Chubb, Cognizant, Toll, ExecuPharm, Fresenius, and CPC Corp. have all become victims of ransomware attacks.

What’s more, the coronavirus outbreak has proven to be an excellent opportunity for criminals to target hospitals, schools, and local governments using convincing email lures and other means.

“The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on Tuesday. “For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

In fact, cybersecurity company Trustwave found that ransomware attacks have become the most common security incident, surpassing payment card and financial data breaches for the first time. According to Coveware, a ransomware incident response firm, the average ransom payment now stands at $111,605.

Although ransomware groups have pledged not to attack healthcare providers during the pandemic, not everyone seems to be making good on that promise. The fact that the stakes are now higher has boosted the chances of a victim paying the ransom.

It’s worth noting that COVID-19 doesn’t appear to have spurred more ransomware attacks than usual. That could change soon though.

“Looking forward, we anticipate encryption plus exfiltration attacks to continue to become more popular,” Brett Callow, a threat analyst at security firm Emsisoft, told me.

“Like other businesses, criminal enterprises adopt strategies that have been proven to work and, given the number of groups that now exfiltrate, it’s safe to assume the strategy is indeed working.”

What’s trending in security?

The author of the infamous Love Bug computer virus was tracked down, Xiaomi was found capturing users’ browsing history even in incognito mode, and Indian telecom giant Jio exposed a database containing coronavirus test resultswithout a password.

• Investigative journalist Geoff White tracked down Onel de Guzman, the man behind the infamous Love Bug computer virus, to a mobile phone repair shop in Manila. De Guzman said he regretted writing the virus, which turned 20 this week. [BBC]
• Smartphone maker Xiaomi was found capturing millions of people’s web and phone use, including web browsing activityin incognito mode, via its Mint Browser for Android. The company has rolled out an update that adds a setting to disable aggregated data collection while in private mode. However, the option is not enabled by default. [TNW]
• The UK, one of the few countries that has decided to adopt a centralized approach for its contact tracing app, explained how its system will work and why it needs access to location data. [The Register]
• In order to make sure people exposed to the coronavirus are obeying lockdown orders, Chinese authorities are installing security cameras aimed directly at residents’ doors — and, sometimes, even inside their homes. [CNN]

• Kaspersky researchers detailed a targeted espionage campaign, called “PhantomLance,” via Play Store spyware apps, aimed at a few hundred users in Vietnam, Bangladesh, Indonesia, and India. PhantomLance’s hackers have been tied to OceanLotus (aka APT32), who are widely believed to be working on behalf of the Vietnamese government. APT32 was also recently involved in a spear phishing campaign targeting members of the Wuhan government and Chinese Ministry of Emergency Management to collect intelligence on the COVID-19 crisis. [WIRED]
• Baddies are taking advantage of a surge in movie piracy to infect potential victims with malware delivered via fake movie torrents, including movies like John Wick 3 and Contagion. [CyberScoop]
• Now, even Android phones are susceptible to ransomware attacks. “Black Rose Lucy” malware encrypts files and displays a ransom note asking for $500 while claiming to be from the FBI, accusing victims of storing porn on the device. [Check Point Research]
• Phone hacking firms such as Cellebrite and NSO Group are pitching spy tools to governments to help trace people who may have come in contact with someone tested positive for the coronavirus. [Reuters]
• Zoom and Microsoft Teams have become lucrative targets for cybercriminals. Not only are stolen Zoom credentials being sold on the dark web, hackers are using fake Zoom installer software to spread malware and phish for credentials via clever social engineering tricks. [IntSights / Abnormal Security]
• An employee of Israeli surveillance vendor NSO Group used the company’s Pegasus spyware to target a love interest. [Motherboard]
• The CISA released handy resources to securely telework from home. [CISA]

• A new Android malware called “EventBot” abuses Android’s accessibility features to steal sensitive data from financial apps, read SMS messages, and even hijack SMS-based two-factor authentication codes. [The Hacker News]
• Nigerian cyber criminals involved in phishing email activities under the name SilverTerrier have launched at least 10 COVID-19 themed malware campaigns, producing over 170 phishing emails to target governments, universities, and medical facilities across the US, the UK, Australia, Canada and Italy. [Unit 42]
• reCAPTCHA, which is typically used to verify human users before allowing access to web content, is being abused by hackers to slip past email security barriers and trick unsuspecting people into sharing their credentials. [Barracuda Networks]
• Microsoft explained how it handles bugs in its software and services using machine learning models. [Microsoft]
• The fortnight in breaches and data leaks: Nintendo, GoDaddy, Tokopedia, CAM4, Unacademy, Lineage OS, Ghost, Australia’s Department of Home Affairs, and Facebook-backed Indian telecom giant Jio, which exposed a database containing coronavirus test results without a password.

Data point

Do you know what triangulation is @SetuAarogya?

— Elliot Alderson (@fs0c131y) May 5, 2020

Because, India’s COVID-19 contact-tracing app (called Aarogya Setu aka Health Bridge) makes use of GPS data that could let hackers pinpoint who reports a positive diagnosis.

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]cryptofans.ru[dot]com)