Cybersecurity Weekly: Ransomware casualty, Google App Engine phish, SecOps struggling

September 23, 2020 by Sam Fay

The NCSC sees a surge in ransomware attacks on education institutions. Google’s App Engine feature was abused to create phishing pages. SecOps teams wrestle with manual processes and HR gaps. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. NCSC sees surge in ransomware attacks on education institutions

The U.K. National Cyber Security Centre issued an alert about a surge in ransomware attacks against education institutions. The British security agency is urging the institutions in the industry to follow the recommendations to mitigate the risk of exposure to ransomware attacks.
Read more »


2. Google App Engine feature abused to create phishing pages

A newly discovered technique shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. What makes Google App Engine infrastructure risky in how the subdomains get generated and paths are routed.
Read more »


3. SecOps teams wrestle with manual processes, HR gaps

Only about half of enterprises are satisfied with their ability to detect cybersecurity threats, according to a survey from Forrester. 79% of enterprises covered in the survey have experienced a breach in the past year, and nearly 50% have been breached in the past six months.
Read more »


4. Patient dies after ransomware attack paralyzes German hospital systems

German authorities last week disclosed that a ransomware attack on the University Hospital of Düsseldorf caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away. The incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities.
Read more »


5. Bug could let attackers hijack Firefox for Android via Wi-Fi network

Last week, security researchers published an alert that demonstrates the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android. The vulnerability resides in the SSDP engine of the browser that can be exploited against devices on the same Wi-Fi network as the attacker.
Read more »


6. Maze Ransomware adopts Ragnar Locker virtual machine approach

The operators of the Maze ransomware are now distributing ransomware payloads via virtual machines. It’s a radical approach meant to help the ransomware get around endpoint defense. The attackers bundled a stripped down, 11-year-old copy of the VirtualBox hypervisor inside the malicious file, which runs the VM as a headless device with no user interface.
Read more »


7. Researchers uncover 6-year cyberespionage campaign

New research offers insights into a six-year-long surveillance campaign targeting expats and dissidents with an intention to steal sensitive information. The threat actor orchestrated the campaign with at least two different moving parts — one for Windows and the other for Android.
Read more »


8. U.S. Treasury sanctions international hacking group

The U.S. government imposed sweeping sanctions against an Iranian threat actor backed by the country’s Ministry of Intelligence and Security for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.
Read more »


9. Mozi Botnet responsible for most of the IoT Traffic

The Mozi botnet accounted for 90% of the IoT network traffic observed between October 2019 and June 2020, according to an IBM report. It is actively targeting Netgear, D-Link and Huawei routers by probing for weak Telnet passwords to compromise them. It implements a custom extended Distributed Hash Table protocol that provides a lookup service similar to a hash table.
Read more »


10. Tutanota encrypted email service suffers DDoS cyberattacks

Tutanota experienced a series of DDoS attacks last week, targeting the Tutanota website and its DNS providers. The outage was further exacerbated by the fact that different DNS servers continued to cache the incorrect entries for the domain. The second iteration of the DDoS attack hit the DNS provider which hosts records for Tutanota.

Read more »

Posted: September 23, 2020
Sam Fay
View Profile