A Review of the Best News of the Week on Cyber Threats & Defense

Emotat Malware Causes Physical Damage (Schneier on Security, Apr 06 2020)
“Microsoft is reporting that an Emotat malware infection shut down a network by causing computers to overheat and then crash. The Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee’s user credentials were exfiltrated to the attacker’s command and control (C&C) server.”

When All Behavior Is Abnormal, How Do We Detect Anomalies? (Dark Reading, Apr 10 2020)
Identifying normal behavior baselines is essential to behavior-based authentication. However, with COVID-19 upending all aspects of life, is it possible to build baselines and measure normal patterns when nothing at all seems normal?

Magecart Hackers Continue Improving Skimmers (SecurityWeek, Apr 06 2020)
A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

South Korea-Linked Hackers Targeted Chinese Government via VPN Zero-Day (SecurityWeek, Apr 06 2020)
A threat actor linked to South Korea has launched attacks against Chinese government agencies using a zero-day vulnerability affecting a local VPN service, Chinese cybersecurity firm Qihoo 360 reported on Monday.

WordPress WooCommerce sites targeted by credit card skimmers (SC Media, Apr 10 2020)
Credit card swipers are more often than not found inside online and brick and mortar retail point of sale systems, but a newer version has been targeting WordPress sites that use the WooCommerce plugin. WordPress sites using WooCommerce have been attacked before, but not with card swipers.

Using Application Telemetry to Reveal Insider & Evasive Threats (Dark Reading, Apr 07 2020)
Data from application processes and other systems leave a trail of threat crumbs that can be used to detect and shut down attacks.

Why Threat Hunting with XDR Matters (Dark Reading, Apr 08 2020)
Extended detection response technology assumes a breach across all your endpoints, networks, SaaS applications, cloud infrastructure, and any network-addressable resource.

Actively exploited MS Exchange flaw present on 80% of exposed servers (Help Net Security, Apr 08 2020)
Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don’t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premise Exchange servers (out of 433,464 total) out there.

Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees (Infosecurity Magazine, Apr 08 2020)
Microsoft is seeing cyber-criminals target employees during #COVID-19 pandemic

Over 350,000 Exchange Servers Exposed to Serious RCE Bug (Infosecurity Magazine, Apr 08 2020)
CVE-2020-0688 was patched in February and is being actively exploited

Malvertising campaign spoofs Malwarebytes website to deliver Raccoon info-stealer (SC Media, Apr 09 2020)
Malicious actors created a fake webpage that impersonates cybersecurity company Malwarebytes and were using it as a gateway in a malvertising campaign designed to infect victims with the Raccoon information stealer. The malvertisements, which likely appeared on adult websites, automatically redirected site visitors to the fake page without any customer interaction…

Sophos Releases Sandboxie in Open Source (SecurityWeek, Apr 10 2020)
Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available.

New Dell Utility Alerts Security Teams of BIOS Attacks (SecurityWeek, Apr 10 2020)
Dell on Friday announced the launch of Dell SafeBIOS Events & Indicators of Attack, a utility designed to alert IT and security teams about BIOS configuration changes that could be part of a sophisticated attack.