Cybersecurity Weekly: New COVID domains, Pulse Secure VPN, Nemty goes private

April 20, 2020 by Sam Fay

Thousands of newly-registered Coronavirus-themed domains have appeared since early March. Patched Pulse Secure VPNs could still expose organizations to hackers. Nemty Ransomware shuts down public RaaS operation. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Thousands of newly-registered Coronavirus-themed domains

The Cyber Threat Coalition recently published data showing the rapid rise in new domains in February, around the same time the CDC began publicly warning that a severe global pandemic was inevitable. By mid-March, the number of COVID-related phishy domains spiked to over 20,000, and has trailed off considerably since then.


2. Patched Pulse Secure VPNs could still expose organizations to hackers

The United States Cybersecurity and Infrastructure Security Agency issued a fresh advisory alerting organizations of cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers — even if they have already patched it. This warning comes just three months after a similar CISA alert.


3. Nemty Ransomware shuts down public RaaS operation

The Nemty Ransomware is shutting down its public Ransomware-as-a-Service operation and switching to an exclusive private operation where affiliates are hand-selected for their expertise. As part of this arrangement, the ransomware operators receive a 30% cut and an affiliate receives 70% of the ransom payments they brought in.


4. Critical Starbleed vulnerability in FPGA chips identified

Attackers can gain complete control over the chips and their functionalities through the Starbleed vulnerability. Since the bug is integrated into the hardware, the security risk can only be removed by replacing the chips. The manufacturer of the FPGAs has been informed by the researchers and has already reacted.


5. Over 700 malicious typosquatted libraries found on RubyGems repository

Cybersecurity experts recently caught threat actors distributing over 700 malicious packages through the RubyGems repository. The attackers uploaded intentionally misspelled legitimate packages in hopes that unwitting developers will mistype the name and unintentionally install the malicious library instead.
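The typosquatting described above relies on developers installing a near-miss of a real gem name. As an added example (not code from the article or from RubyGems), the following Ruby script flags gem names in a Gemfile that sit within one edit of a known-good gem; KNOWN_GEMS and the sample Gemfile are constructed for illustration, not a real registry snapshot.

```ruby
# Added example, not from the article: flag gem names in a Gemfile that are
# near-misses of well-known gems, the pattern the RubyGems typosquats relied on.
# KNOWN_GEMS is a small constructed allow-list, not a real registry snapshot.
KNOWN_GEMS = %w[rails rack nokogiri rspec puma bundler sinatra].freeze

# Optimal-string-alignment distance: insert, delete, substitute, or swap
# two adjacent characters, each costing 1.
def edit_distance(a, b)
  d = Array.new(a.length + 1) { |i| Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Returns the known gem that `name` most resembles when it is not itself known
# and lies within `max_distance` edits; nil otherwise. Hyphen/underscore swaps
# are treated as identical because they are a cheap way to mimic a name.
def typosquat_candidate(name, known = KNOWN_GEMS, max_distance = 1)
  norm = ->(s) { s.downcase.tr('-', '_') }
  n = norm.call(name)
  return nil if known.map(&norm).include?(n)   # exact (normalised) match is fine
  best = known.min_by { |k| edit_distance(n, norm.call(k)) }
  edit_distance(n, norm.call(best)) <= max_distance ? best : nil
end

# Parse `gem 'name'` / `gem "name"` lines and report the suspicious ones.
def scan_gemfile(text)
  text.scan(/^\s*gem\s+['"]([^'"]+)['"]/).flatten.each_with_object({}) do |name, report|
    candidate = typosquat_candidate(name)
    report[name] = candidate if candidate
  end
end

# Constructed sample Gemfile with one legitimate and two look-alike names.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails'
  gem 'nokogirl'
  gem 'rspce'
GEMFILE

puts scan_gemfile(SAMPLE_GEMFILE).inspect
```

Run it against a real Gemfile by replacing SAMPLE_GEMFILE with `File.read('Gemfile')` and KNOWN_GEMS with the gems your organisation actually depends on.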


6. 49 new Google Chrome extensions hijacking cryptocurrency wallets

Google ousted 49 Chrome browser extensions from its Web Store that posed as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. Although the offending extensions were removed within 24 hours of being reported, analysis showed that they appeared on the Web Store in February 2020.


7. Hackers steal Wi-Fi passwords using Agent Tesla malware

Some new variants of the Agent Tesla info-stealer malware now come with a dedicated module for stealing Wi-Fi passwords from infected devices. The new malware samples are heavily obfuscated and are designed by the author to collect wireless profile credentials from compromised computers by issuing a netsh command.


8. Zoom to let you report Zoom-bombing attackers crashing meetings

Zoom’s efforts to improve the video conferencing platform’s privacy and security will continue next week with the introduction of a user report feature aimed at helping prevent future Zoom-bombing attacks. Zoom’s CEO announced that the company will shift its long-term focus to addressing the current security and privacy issues.


9. Ransomware’s new normal combines encryption with data theft

Double extortion is the term given to an evolving ransomware tactic: first steal confidential data, then encrypt the victim’s files. If the victim doesn’t pay the ransom, expose the data. First used by the Maze ransomware gang, double extortion has become standard practice in the ransomware community.


10. Linksys asks users to reset passwords after hackers hijacked home routers last month

Linksys locked user accounts on its Smart Wi-Fi cloud service and is asking users to reset passwords after hackers hijacked accounts and changed router settings to redirect users to malware sites. Smart Wi-Fi is widely deployed across Linksys’ router fleet, making it an ideal target for hackers who may want to hijack routers at scale.