New Scam Uses Compromised Servers And Bogus Links To Target LinkedIn Users

Scammers are using compromised servers and bogus links to lure LinkedIn users into providing their online credentials and payment card details. The scammers send a message to the target from a LinkedIn account. The message prompts the recipient to open a shared document supposedly sent via OneDrive, and it includes a fake link that redirects the recipient to a compromised website. Upon clicking the bogus link, a redirection script on the hacked server diverts the request to a second compromised server. Finally, the URL redirects to a fake Microsoft Office 365 login phishing page, where the recipient is asked to enter their account credentials. A Sophos employee received such a scam message in his LinkedIn account. Suspicious, the Sophos team analyzed the embedded URL, which redirected to the website of a professional entertainer in the UK, whose server had been compromised. “Hi, Hope all is well? I have shared a document with you via Onedrive, please see the shared document,” the message read. The second server was a business site in the UK. The team said that the affected site had apparently already spotted the scam and removed the offending content, because the link led to a 404 error page. All the other subdomains analyzed by the research team redirected to various dating site portals.

New Cryptojacking Worm ‘Graboid’ Found On Unsecured Docker Hosts

Researchers from Unit 42 have uncovered a new cryptojacking worm dubbed ‘Graboid’ that has spread to over 2,000 unsecured Docker hosts. The researchers noted that this is the first cryptojacking worm to spread using containers in the Docker Engine. The attackers behind Graboid gained an initial foothold through unsecured Docker hosts, on which a Docker image was first installed. After this, the cryptojacking worm is deployed to mine Monero. Meanwhile, the worm periodically fetches a list of new vulnerable hosts from the C&C server and selects the next target at random. The Docker image ‘pocosow/centos’ contains a Docker client tool that is used to communicate with other Docker hosts. Additionally, ‘pocosow/centos’ is used to download a set of four shell scripts from the C&C server and execute them. The researchers noted that the ‘pocosow/centos’ Docker image has been downloaded more than 10,000 times and ‘gakeaws/nginx’ more than 6,500 times. They determined that it takes about 60 minutes for the worm to reach all 1,400 vulnerable hosts. On average, there are almost 900 active miners at any time; each miner is active 63% of the time, and each mining period lasts 250 seconds. The researchers recommend that organizations never expose a Docker daemon to the internet without authentication, and that they periodically check for any unknown containers or images on their systems. It is always best to use a Unix socket to communicate with the Docker daemon locally, or to use SSH to connect to a remote Docker daemon. Firewall rules should be used to whitelist incoming traffic to a small set of sources.
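The two checks recommended above (no unauthenticated daemon on the network, and no unknown images) can be scripted against a host's daemon.json and the output of `docker images`. This is an added example, not code from Unit 42 or the Docker project; the daemon.json, image list and allowlist are constructed samples, and the two Graboid image names come from the text above.

```python
import json

# Constructed daemon.json: the unix socket is fine, the tcp listener on all
# interfaces with no tlsverify is exactly the "unsecured Docker host" Graboid targets.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed output of: docker images --format '{{.Repository}}:{{.Tag}}'
SAMPLE_IMAGES = """nginx:1.25
pocosow/centos:latest
gakeaws/nginx:latest
postgres:16
"""

# Constructed allowlist of images an organisation expects to see on this host.
ALLOWLIST = {"nginx:1.25", "postgres:16"}


def daemon_exposure(daemon_json_text):
    """Return (severity, host, reason) for every tcp:// listener in daemon.json.

    unix:// and fd:// listeners are local-only and are not reported.
    """
    cfg = json.loads(daemon_json_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):].rsplit(":", 1)[0]  # strip the port
        public = addr in ("", "0.0.0.0", "[::]")
        if cfg.get("tlsverify"):
            findings.append(("info", host,
                             "TLS client auth required; still restrict sources with firewall rules"))
        elif public:
            findings.append(("critical", host,
                             "daemon reachable from the network with no authentication"))
        else:
            findings.append(("warning", host,
                             "unauthenticated API bound to a non-public address"))
    return findings


def unknown_images(docker_images_output, allowlist):
    """Return images from `docker images` output that are not on the allowlist."""
    names = [line.strip() for line in docker_images_output.splitlines() if line.strip()]
    return [name for name in names if name not in allowlist]


if __name__ == "__main__":
    for severity, host, reason in daemon_exposure(SAMPLE_DAEMON_JSON):
        print(f"[{severity}] {host}: {reason}")
    for image in unknown_images(SAMPLE_IMAGES, ALLOWLIST):
        print(f"[unknown image] {image}")
```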


New Phishing Attack Mimics Performance Appraisal Processes To Target Corporate Employees

A new corporate phishing attack that mimics performance appraisal processes has been found targeting employees. The purpose of the attack is to steal an employee’s business account credentials. According to Kaspersky Lab, the attack involves employees receiving emails that pretend to be from the human resources department. The email informs the recipients of a performance appraisal process and instructs them to click on a fake ‘HR Portal’ link. This link redirects the recipients to a primitive website asking them to provide their login details. To make it look less suspicious, the phishing page includes an ‘I agree to the Privacy Policy’ checkbox, which makes the page look legitimate to the victims. After the recipients fill in their login details on the phishing page, it asks them to wait for an email with additional instructions and to select one of three options for a performance appraisal. Once submitted, the entered username, email address, and password are sent back to the attackers. The interesting aspect of this appraisal ruse is that it comes to an abrupt end, with the victim never receiving the promised follow-up email. Corporate phishing is not a new trick for fraudsters. Back in August 2018, Avanan had spotted bad actors using SharePoint files to host phishing links. This year, bad actors were also observed using Microsoft voicemail notifications to trick recipients into opening HTML attachments that redirected them to phishing pages. In September 2019, a spear-phishing campaign was launched by the Gorgon APT group that used the lure of an invoice to infect European organizations with data-stealing malware.


New Click Fraud Scam Uses Fake Checkra1n iOS Jailbreak

Researchers from Cisco Talos have found that scammers are using a fake Checkra1n iOS jailbreak in a new click fraud campaign. Checkra1n is a recently developed iOS jailbreak tool that makes use of the Checkm8 bootrom exploit to modify the bootrom and load a jailbroken image onto the iPhone. Scammers are taking advantage of this new jailbreak tool and are hosting a fake checkrain[.]com website that claims to give iPhone users the ability to jailbreak their phones. This fake website lures iPhone and iPad users into installing an application that supposedly allows them to jailbreak their devices. Instead, the site urges users to download a malicious “mobileconfig” profile that allows the scammer to conduct click fraud. The campaign primarily targets users in the US, followed by the UK, France, Nigeria, Iraq, Vietnam, Venezuela, Egypt, Georgia, Australia, Canada, Turkey, the Netherlands, and Italy. The checkm8 exploit only affects iOS devices running on the A5 to A11 chipsets, yet the fake website mentions A13-powered devices, which is the first indicator that something dubious is going on behind the scenes and shows that the website is not legitimate. Additionally, the fake website claims that the user can install the checkra1n jailbreak without a PC; however, the checkm8 exploit actually requires the iOS device to be in DFU mode and is only exploitable over the Apple USB cable. Furthermore, the SSL certificate used on the fake checkra1n website was issued by Let’s Encrypt, whereas the legitimate checkra1n website does not use an SSL certificate at all.


Glaring Sudo Flaw can Enable Malicious Users to Run Arbitrary Commands on Linux Systems

One of the most widely used Linux commands, sudo, has been found to be affected by a security bypass flaw. Sudo, which stands for ‘superuser do’, is a powerful and commonly used utility that comes installed on almost every UNIX and Linux-based operating system. It allows a user to run applications or commands with the privileges of a different user without switching environments. Discovered by Joe Vennix of Apple Information Security, the sudo security bypass flaw can allow a malicious user or program to execute arbitrary commands as root on a targeted Linux system without providing any password. This works even when the sudoers configuration explicitly disallows root access. The vulnerability is tracked as CVE-2019-14287. The flaw can be triggered just by specifying the user ID "-1" or "4294967295". This exploits a flaw in the user ID conversion function, which effectively treats -1 and 4294967295 as “0”, the ID of root. “Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier,” reads the alert. The flaw affects sudo versions prior to 1.8.28. Linux users are urged to update to sudo package version 1.8.28 or later to fix the flaw.
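An administrator can audit for this flaw by checking the installed sudo version and by scanning sudoers for the configuration the alert describes: a Runas list that contains ALL but excludes root, which is exactly the restriction the ID bypass defeats. This is an added example, not code from the sudo project or the advisory; the sudoers text is a constructed sample, and the version parsing assumes the first line of `sudo -V` output.

```python
import re

FIXED_VERSION = (1, 8, 28)  # first sudo release with the CVE-2019-14287 fix

# Matches "user HOST=(runas_users[:runas_groups]) ..." and captures the parts.
ENTRY_RE = re.compile(r'^\s*(\S+)\s+(\S+?)\s*=\s*\(([^)]*)\)')

# Constructed sudoers sample: alice and %devs may run as anyone except root,
# bob may only run as root, carol may run as ALL (root included, so no bypass needed).
SAMPLE_SUDOERS = """# /etc/sudoers (constructed sample)
Defaults env_reset
alice   ALL=(ALL, !root) /usr/bin/vim   # intended to keep alice out of root
bob     ALL=(root) /usr/bin/systemctl restart nginx
carol   ALL=(ALL) ALL
%devs   ALL=(ALL, !#0) NOPASSWD: /bin/bash
"""


def parse_version(sudo_v_output):
    """Turn 'Sudo version 1.8.27' (first line of `sudo -V`) into a tuple."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', sudo_v_output)
    if not m:
        raise ValueError("no version found in: " + sudo_v_output)
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(sudo_v_output):
    return parse_version(sudo_v_output) < FIXED_VERSION


def risky_runas_entries(sudoers_text):
    """Return (user, runas_spec) for entries whose Runas user list contains ALL
    while excluding root (e.g. '(ALL, !root)' or '(ALL, !#0)')."""
    findings = []
    for line in sudoers_text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', line).strip()  # drop comments, keep '!#0'
        if not line or line.startswith('Defaults'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        user, _host, runas = m.groups()
        users_part = runas.split(':', 1)[0]  # ignore any Runas group list
        items = [item.strip() for item in users_part.split(',')]
        if 'ALL' in items and any(item in ('!root', '!#0') for item in items):
            findings.append((user, runas))
    return findings
```

On a real host, feed it `sudo -V | head -1` and `sudo cat /etc/sudoers` (plus /etc/sudoers.d/*) instead of the samples; a risky entry on a version below 1.8.28 is the combination to fix first.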


Edited and compiled by cyber security specialist James Aguilan.