A Review of the Best News of the Week on Cyber Threats & Defense

What can merchants do to avoid falling victim to large-scale ATO attacks? (Help Net Security, May 21 2020)
The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.

Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.

This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.

The ransomware that attacks you from inside a virtual machine (Naked Security – Sophos, May 22 2020)
In a recent attack, Ragnar Locker ransomware was seen encrypting victims’ files while shielded from security software inside a virtual machine.

Netwalker ransomware actors go fileless to make attacks untraceable (SC Media, May 18 2020)
Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

APT Group Planted Backdoors Targeting High Profile Networks in Central Asia (Avast Threat Labs, May 18 2020)
Last fall, APT malware intrusions targeting high-profile companies in Central Asia caught our attention. A few months later, we began working together with fellow malware analysts from ESET to analyze samples used by the group to spy on a telecommunications company, a gas company, and a governmental institution in Central Asia. An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.

2020 Global Threat Intelligence Report (NTT, May 19 2020)
In such a dynamic environment, and with absolute security as an impossible goal, businesses must be ready for anything.

Hackers infect multiple game developers with advanced malware (Ars Technica, May 21 2020)
Never-before-seen PipeMon hit one developer’s build system, another’s game servers.

Web Giants Scrambled to Head Off a Dangerous DDoS Technique (Wired, May 19 2020)
Firms like Google and Cloudflare raced to prevent an amplification attack that threatened to take down large portions of the internet with just a few hundred devices.

Magecart Plants Card Skimmers via Old Magento Plugin Flaw (Dark Reading, May 19 2020)
The FBI has warned ecommerce sites about attacks targeting a more than three-year-old flaw in the Magmi mass importer.

WordPress Malware Targets WooCommerce Stores (SecurityWeek, May 20 2020)
Researchers have spotted a piece of WordPress malware that allows cybercriminals to collect information from WooCommerce stores and helps them set up compromised websites for future skimming attacks.

Bluetooth flaw exposes countless devices to BIAS attacks (WeLiveSecurity, May 19 2020)
As many as 30 smartphones, laptops and other devices were tested – and all were found to be vulnerable.

XSS, Open Redirect Vulnerabilities Patched in Drupal (SecurityWeek, May 21 2020)
The latest Drupal updates patch cross-site scripting (XSS) and open redirect vulnerabilities, but they have only been assigned “moderately critical” severity ratings.

ShinyHunters Is a Hacking Group on a Data Breach Spree (Wired, May 21 2020)
In the first two weeks of May, they’ve hit the dark web, hawking 200 million stolen records from over a dozen companies.

Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls (SecurityWeek, May 22 2020)
Malicious actors targeting a zero-day vulnerability in Sophos XG Firewall appliances last month attempted to deploy ransomware after Sophos started taking measures to neutralize the attack.

Tools Used in GhostDNS Router Hijack Campaigns Dissected (SecurityWeek, May 21 2020)
The source code of the GhostDNS exploit kit (EK) has been obtained and analyzed by researchers. GhostDNS is used to compromise a wide range of routers to facilitate phishing — perhaps more accurately, pharming — for banking credentials. Target routers are mostly, but not solely, located in Latin America.

Phishing campaigns leverage Google Firebase storage (SC Media, May 22 2020)
New phishing campaigns tracked by Trustwave deploy schemes that harvest credentials by taking advantage of “the reputation and services” of the Google Cloud’s Firebase mobile and web application development platform. The bogus emails cut across industries and tap Firebase’s data storage API in a Google Cloud Storage bucket, while hiding malicious URLs in phishing emails.