Flaw in Slack allows workspace members to access files in private channels
Slack allows users to share files in public or private channels. If a private file is shared in a conversation, anyone who is part of the conversation can view it. Ideally, when someone leaves the conversation, they would no longer be able to access the private file. If someone in the private conversation shares the file with a different conversation, members of that conversation can now view the file. Researchers from Polyrize, an Israeli cloud security outfit, who discovered the vulnerability, said that the flaw could be verified in Slack's user interface as well as by making the associated API calls. An easy way to avoid falling victim to this flaw is not to share anything sensitive via Slack unless you trust the people in the conversation not to reshare the file without permission.
New Cryptojacking Malware campaign evades detection using process hollowing
Researchers have spotted a new malware campaign that is mining for the Monero cryptocurrency. The campaign deploys a Monero miner on Windows installations. To evade detection, the campaign was seen using the process hollowing technique, which works by covering up a process with a secondary process. Specific arguments are required to trigger the malicious processes. Security experts from Trend Micro recently observed an increase in Monero mining malware. This particular campaign used process hollowing and a dropper component. By itself, the dropped file evaded detection as it did not appear malicious in any way. However, with the right arguments, it would start mining for the Monero cryptocurrency. The campaign was recorded as active in a number of countries including Kuwait, Pakistan, India, Thailand, Brazil, Bangladesh, and the United Arab Emirates. Its most active period is said to have begun in early November this year. Researchers speculate that this campaign may have emerged at a time when cryptomining activities are on the decline, owing to the smaller number of competitors.
New VegaLocker ransomware variant targets healthcare and IT sectors
Beginning its journey as VegaLocker, the ransomware evolved into a Ransomware-as-a-Service (RaaS) on Russian hacker forums under the name Buran in May 2019. Affiliates who joined the RaaS would earn 75 percent of the ransom payment, while the Buran operators would earn 25 percent. The latest variant of this ransomware family is now Zeppelin. Threat actors are believed to have dropped the ransomware through Remote Desktop servers that are publicly exposed to the Internet. Like other Russian-based ransomware, Zeppelin first checks the user's nationality against CIS countries such as Russia, Ukraine, Belarus, and Kazakhstan. It checks either the language configured in Windows or the default country code set by the user. When confirmed, the ransomware then begins terminating various processes, including ones associated with database, backup, and mail servers. When encrypting files, the ransomware does not add any extension, and the file name is kept the same as well. However, it includes a file marker called Zeppelin that may be surrounded by different symbols depending on the hex editor and character format used by the user on the target system. Unfortunately, at the moment, no decryptor is available for recovering the files encrypted by Zeppelin for free. It is therefore suggested that users restore from backups if at all possible.
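Because the encrypted files keep their names and extensions, triage has to look inside the files for the marker. The following is an added example, not code from the researchers or the original article: it scans the head of each file for the marker in ASCII and UTF-16LE, matching case-insensitively. The marker's position near the start of the file and the 4096-byte window are assumptions, and the sample files are constructed.

```python
import os
import tempfile

MARKER = b"ZEPPELIN"   # marker name from the article; matched case-insensitively
HEAD_BYTES = 4096      # assumption: the marker sits near the start of the file

# The marker as raw bytes; UTF-16LE is the Windows wide-character form.
PATTERNS = {"ascii": MARKER,
            "utf-16le": MARKER.decode("ascii").encode("utf-16-le")}

def find_marker(path, head_bytes=HEAD_BYTES):
    """Return (encoding, offset) of the marker in the file head, or None."""
    with open(path, "rb") as fh:
        # bytes.upper() only changes ASCII letters, so offsets stay valid
        head = fh.read(head_bytes).upper()
    hits = [(head.find(p), enc) for enc, p in PATTERNS.items() if p in head]
    return (min(hits)[1], min(hits)[0]) if hits else None

def scan_tree(root):
    """Walk root; return ({relative path: (encoding, offset)}, unreadable)."""
    flagged, unreadable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                hit = find_marker(full)
            except OSError:
                unreadable.append(full)  # locked or denied: review by hand
                continue
            if hit:
                flagged[os.path.relpath(full, root)] = hit
    return flagged, unreadable

def demo():
    """Scan constructed sample files (not real ransomware output)."""
    filler = bytes(range(64))
    samples = {
        "report.docx": b"\x01\x02ZEPPELIN\x03" + filler,
        "db.bak": "Zeppelin".encode("utf-16-le") + filler,
        "notes.txt": b"quarterly figures, nothing unusual",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    for path, (enc, off) in sorted(demo()[0].items()):
        print(f"{path}: marker ({enc}) at offset {off}")
```

A hit only means the marker text is present in the file head; confirm against a known-good backup copy before treating a file as encrypted.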
New Dudell Malware hides behind Microsoft Excel documents
Security researchers have spotted custom malware dubbed ‘Dudell’ that is being used by the Rancor cyberespionage group. This malware is said to be distributed through Microsoft Excel documents. The threat group is believed to have been active since 2017 and has been targeting government institutions. It has been known for targeted attacks in Southeast Asia in 2017 and 2018. The Rancor threat group was observed propagating the Dudell malware using weaponized Microsoft Excel documents. A malicious macro is triggered as soon as the victim opens the Excel document. When ‘Enable Content’ is clicked, the macro begins to run. The macro then locates and executes specific data under the Company field in the document’s properties. The primary behavior of the malware is handled by an export function called ‘DllInstall’. The malware steals victim information including IP address, hostname, and operating system details. Security experts have published the indicators of compromise (IOCs) that you can monitor to stay protected from threats posed by the Dudell malware.
BlueHero botnet found scanning the internet to infect systems with XMRig miner and Gh0st RAT
The BlueHero botnet derives its name from the domain bluehero[.]in found in its binary. The botnet leverages a variety of web exploits to intrude into unpatched web servers. It also contains several other exploits to spread across the network. Lately, researchers from Zscaler have uncovered that the botnet is increasingly moving across networks to distribute two payloads: the XMRig miner and Gh0st RAT. To initiate the infection process, the botnet actively scans for IP addresses with ports 80 and 3389. It then uses Mimikatz to dump passwords from infected hosts into a Results.txt file. These dumped passwords are provided to the PsExec and WMIC tools to help the malware spread to other machines on the network and deliver the two malicious payloads. As part of the infection process, the botnet tries to bypass security measures on the system, such as firewalls. Researchers note, “The botnet first deletes all the firewall rules and later it adds a few in order to enable access to the NetBIOS and SMB protocol.” Researchers suggest that the BlueHero botnet authors are trying to integrate RDP scanning to exploit the recently discovered BlueKeep vulnerability. The vulnerability affects nearly one million systems across the globe. Hence, users are advised to patch their systems with the relevant security updates to stay safe from attacks by the BlueHero botnet.
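The firewall behaviour the researchers describe (all rules deleted, then a few added for NetBIOS and SMB) can be hunted as a sequence on a single host. The following is an added detection example, not code from Zscaler or the original article: it assumes the rule changes are made with netsh and appear as process-creation command lines, and the 600-second window, the event tuple format and the sample events are all constructed for illustration.

```python
import re

WINDOW_SECONDS = 600                  # assumption: max gap between wipe and add
SMB_NETBIOS_PORTS = {137, 138, 139, 445}

DELETE_ALL = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+delete\s+rule\s+name=all\b", re.I)
ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
LOCALPORT = re.compile(r"localport=(\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)", re.I)

def _ports(spec):
    """Expand a netsh port list such as '135-139,445' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def opens_smb_or_netbios(cmdline):
    """True if the command adds an allow rule covering a NetBIOS/SMB port."""
    if not ADD_RULE.search(cmdline) or "action=allow" not in cmdline.lower():
        return False
    m = LOCALPORT.search(cmdline)
    return bool(m) and bool(SMB_NETBIOS_PORTS & _ports(m.group(1)))

def detect(events):
    """events: (epoch_seconds, host, cmdline) -> [(host, wipe_ts, add_ts)]."""
    last_wipe, alerts = {}, []
    for ts, host, cmd in sorted(events):
        if DELETE_ALL.search(cmd):
            last_wipe[host] = ts
        elif opens_smb_or_netbios(cmd) and host in last_wipe:
            if ts - last_wipe[host] <= WINDOW_SECONDS:
                alerts.append((host, last_wipe[host], ts))
    return alerts

ADD = "netsh advfirewall firewall add rule dir=in action=allow protocol=TCP "
SAMPLE_EVENTS = [  # constructed events, not captured from an incident
    (1000, "ws-01", "netsh advfirewall firewall delete rule name=all"),
    (1030, "ws-01", ADD + 'name="svc" localport=139,445'),
    (2000, "ws-02", ADD + 'name="web" localport=8443'),    # no wipe first
    (3000, "ws-03", "netsh advfirewall firewall delete rule name=all"),
    (9000, "ws-03", ADD + 'name="smb" localport=445'),     # outside window
]

if __name__ == "__main__":
    for host, wiped, added in detect(SAMPLE_EVENTS):
        print(f"{host}: rules wiped at {wiped}, SMB/NetBIOS opened at {added}")
```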
Edited and compiled by cyber security specialist James Aguilan.