Cybersecurity Weekly: RDP vulnerability, RATicate malware, Android 2FA bypass

May 18, 2020 by Sam Fay

An improper Microsoft patch leaves third-party RDP clients vulnerable to reverse RDP. RATicate drops info-stealing malware and RATs on industrial targets. A new Android banking trojan is able to bypass two-factor authentication. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Improper Microsoft patch leaves third-party RDP clients vulnerable

Though Microsoft patched the infamous reverse RDP vulnerability in July 2019, researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes. Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update.
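The bypass described above is an instance of a common path-traversal fix gone wrong: the check rejects one spelling of the parent-directory separator and misses the other. As an added illustration that is not Microsoft's code (the page does not show the actual patched logic), the following constructed Python example contrasts a naive check that only blocks `..\` with one that canonicalizes the path under Windows rules and then requires the result to stay inside the intended directory; `BASE_DIR` and the sample names are made up for the demonstration.

```python
import ntpath

# Constructed destination directory the client is supposed to write into.
BASE_DIR = r"C:\Users\victim\AppData\Local\Temp"


def naive_is_safe(relative_path: str) -> bool:
    """Illustrative incomplete fix: only the backslash spelling of '..\\' is rejected.

    The same traversal written with forward slashes ('../') passes straight through.
    """
    return "..\\" not in relative_path


def hardened_is_safe(relative_path: str, base_dir: str = BASE_DIR) -> bool:
    """Canonicalize with Windows path rules (ntpath works on any OS), then require
    that the resolved target stays inside base_dir, so separator spelling is irrelevant.
    """
    # A file name supplied by the remote side should never carry a drive or a root.
    if ntpath.splitdrive(relative_path)[0] or relative_path.startswith(("\\", "/")):
        return False
    base = ntpath.normpath(base_dir).lower()
    # normpath folds '/' into '\\' and collapses '.' and '..' components.
    resolved = ntpath.normpath(ntpath.join(base_dir, relative_path)).lower()
    # Compare against base + separator so a sibling like 'Temp2' is not accepted.
    return resolved == base or resolved.startswith(base + "\\")


def evaluate(paths):
    """Return {path: (naive verdict, hardened verdict)} for a batch of candidate names."""
    return {p: (naive_is_safe(p), hardened_is_safe(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample names of the kind a hostile server could present.
    samples = [
        r"report.pdf",
        r"sub\report.pdf",
        r"..\..\..\outside.txt",      # caught by both checks
        "../../../outside.txt",       # the slash flip that defeats the naive check
        "sub/../../outside.txt",      # mixed form, also missed by the naive check
    ]
    for path, (naive, hardened) in evaluate(samples).items():
        print(f"{path!r:32} naive={naive!s:5} hardened={hardened}")
```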


2. RATicate drops info-stealing malware and RATs on industrial targets

Security researchers identified a hacking group that abused NSIS installers to deploy remote access tools and information-stealing malware in attacks targeting industrial companies. To infect the targets’ systems, the attackers used two infection chains, both of them involving the delivery of payloads via phishing emails.


3. New Android banking trojan is able to bypass two-factor authentication

A new mobile trojan abuses Android’s accessibility features to steal user data from banking applications and read users’ SMS messages, allowing the malware to bypass two-factor authentication. Named Eventbot, the trojan was discovered by a group of cybersecurity experts who found it targeting over 200 banking and financial applications.


4. Researcher spots new malware tailored for air-gapped networks

A security researcher published an analysis of a new piece of malware, a sample of which was spotted on the VirusTotal malware scanning engine. They believe the hacker behind it is likely interested in high-value computers protected behind air-gapped networks. Dubbed Ramsay, the malware is still under development, with two more variants spotted in the wild.


5. Ransomware recruits affiliates with huge payouts, automated leaks

The Netwalker ransomware operation is recruiting potential affiliates with the possibility of million-dollar payouts and an auto-publishing data leak blog intended to pressure victims into paying. Originally known as Mailto, the operators rebranded as Netwalker in March 2020 when they began recruiting affiliates to distribute their ransomware.


6. Expert found 1,236 websites infected with MageCart e-skimmer

A security researcher is warning of a new wave of MageCart attacks after finding over 1,000 domains infected with e-skimmers. Millions of MageCart instances have been detected over time, and security experts have identified tens of distinct software skimming scripts. The list of victims includes several major platforms, such as British Airways, Newegg and Ticketmaster.


7. Innovative spy trojan aimed at European diplomatic targets

A fresh trojan has emerged, built from the same code base as the stealthy COMpfun remote access trojan. The malware uses spoofed visa applications to hit diplomatic targets in Europe and may be the work of the Turla APT. According to researchers, the fake visa application harbors code that acts as a first-stage dropper.


8. Ransomware hit ATM giant Diebold Nixdorf

Diebold Nixdorf, a major provider of ATMs and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations. The company says the hackers never touched its ATMs or customer networks, and that the intrusion only affected its corporate network.


9. Microsoft open-sources COVID-19 threat intelligence

Last week, Microsoft announced that it has made some of its COVID-19 threat intelligence available to the public. By publishing these indicators, which include file hashes and known malicious email attachments, Microsoft aims to raise awareness of the shift in attackers’ techniques and help defenders detect them.


10. 22 million emails found in mystery open database

An open Elasticsearch database containing millions of records remains a mystery, as cybersecurity researchers cannot figure out where the data came from. Troy Hunt of Have I Been Pwned was informed in February about an open database holding 90 GB of data, including 22.8 million email addresses.
