A Review of the Best News of the Week on Cyber Threats & Defense

NSA: Russia’s Sandworm Hackers Have Hijacked Mail Servers (Wired, May 28 2020)
In a rare public warning, the US spy agency says the notorious arm of Russian military intelligence is targeting a known vulnerability in Exim.

Malware opens RDP backdoor into Windows systems (Help Net Security, May 26 2020)
A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor. Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.

GitHub Supply Chain Attack Uses Octopus Scanner Malware (Dark Reading, May 28 2020)
Octopus Scanner is a new malware used to compromise 26 open source projects in a massive GitHub supply chain attack.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Inside a ransomware gang’s attack toolbox (Naked Security – Sophos, May 28 2020)
Ransomware’s changed a lot over the years – here’s a peek into a criminal gang’s current toolbox…

Hackers breached six Cisco servers through SaltStack Salt vulnerabilities (Help Net Security, May 29 2020)
Earlier this month, when F-Secure publicly revealed the existence of two vulnerabilities affecting SaltStack Salt and attackers started actively exploiting them, Cisco was among the victims. The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, they’ve discovered the compromise of six of their salt-master servers, which are part of the Cisco VIRL-PE (Internet Routing Lab Personal Edition) service infrastructure.

UK Ad Campaign Seeks to Deter Cybercrime (Krebs on Security, May 28 2020)
The United Kingdom’s anti-cybercrime agency is running online ads aimed at young people who search the Web for services that enable computer crimes, specifically trojan horse programs and DDoS-for-hire services. The ad campaign follows a similar initiative launched in late 2017 that academics say measurably dampened demand for such services by explaining that their use to harm others is illegal and can land potential customers in jail.

The Masked SYNger: Investigating a Traffic Phenomenon (Rapid7 Blog, May 29 2020)
At the beginning of 2020, Rapid7 and other researchers began noticing increased scanning activity against a variety of TCP ports.

New Version of Turla Malware Poses Threat to Governments (Infosecurity Magazine, May 26 2020)
ESET reveals details of a new version of Turla’s ComRAT backdoor malware

Content Delivery Networks Adding Checks for Magecart Attacks (Dark Reading, May 26 2020)
Modern web applications make significant use of third-party code to drive innovation, but the software supply chain has also turned into a major source of threat. CDNs aim to change that.

Google may soon add end-to-end encryption for RCS (Naked Security – Sophos, May 27 2020)
The dogfood version of the recently updated app shows multiple references to encryption for RCS, the feature-rich successor to SMS messaging.

Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed (SecurityWeek, May 26 2020)
Silent Night is a new sophisticated and heavily obfuscated Zloader/Zbot, ZeuS-derived banking trojan.

Dangerous SHA-1 crypto function will die in SSH linking millions of computers (Ars Technica, May 28 2020)
Lagging far behind others, SSH developers finally deprecate aging hash function.

Improved Version of Valak Malware Targets Enterprises in US, Germany (SecurityWeek, May 28 2020)
Recent versions of the Valak malware have been used in attacks targeting Microsoft Exchange servers at organizations in the United States and Germany, Cybereason’s Nocturnus researcher team warns.

A Rogues’ Gallery of MacOS Malware (Dark Reading, May 28 2020)
MacOS isn’t immune from malware. Being prepared means understanding the nature of the worst threats a security team is likely to see attacking Macs in the enterprise.

Employees abandoning security when working remotely (Help Net Security, May 29 2020)
48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss.

Steganography in targeted attacks on industrial enterprises (Kaspersky, May 29 2020)
Kaspersky ICS CERT experts have identified a series of targeted attacks on organizations located in different countries. As of early May 2020, there are known cases of attacks on systems in Japan, …

An advanced and unconventional hack is targeting industrial firms (Ars Technica, May 30 2020)
Steganography? Check? Living off the land? Yep. Triple-encoded payloads? Uh-huh.

The challenge of updating locally cached credentials (Help Net Security, Jun 01 2020)
As organizations work to ensure remote workforce productivity, the issue of cached credentials will inevitably appear, causing a problem for the impacted user, and the IT service desk.

No password required! “Sign in with Apple” account takeover flaw patched (Naked Security – Sophos, Jun 01 2020)
A bug bounty hunter found a way to login using "Sign in with Apple"… but without the part where you have to put in a password.