Travel company CWT pays $4.5M ransom

US-based business travel company CWT said last week that it paid cyber criminals $4.5 million in ransom after a ransomware attack.

The attackers initially demanded $10 million, claiming that 30,000 CWT computers were infected and 2 terabytes of files were encrypted. In reality, the number of infected computers was smaller.

CWT negotiated with the attackers and agreed to pay $4.5 million in Bitcoin (414 BTC). After paying, it was able to access the encrypted files.

CWT posted revenues of $1.5 billion last year and says it represents more than a third of companies on the S&P 500 U.S. stock index.

Read more about it here.

Zoom bug allowed attackers to crack private meeting passwords within minutes

Popular video conferencing platform Zoom disclosed this week that it fixed a bug that allowed attackers to crack the numeric passcodes protecting private meetings.

By default, Zoom meetings are protected by a six-digit numeric password. However, according to Tom Anthony, VP Product at SearchPilot who identified the issue, the lack of rate limiting password attempts enabled “an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.”

After the issue was reported to Zoom on April 1, 2020, the company took the web client offline and fixed the problem by April 9. Zoom mitigated the issue both by requiring users to log in before joining meetings through the web client, and by changing default meeting passwords to be longer and non-numeric.

Read more about it here.

Twitter accounts of multiple high-profile people and companies reportedly hacked

On July 15, 2020, some of the world’s richest and most influential politicians, celebrities, tech moguls and companies were the subject of a massive Twitter hack. The Twitter accounts of Elon Musk, Joe Biden, Barack Obama, Jeff Bezos, Michael Bloomberg, Kim Kardashian West and Bill Gates, as well as the corporate accounts of Apple and Uber, were hacked. The tweets asked followers to send money to a Bitcoin address, which the celebrity would supposedly match with their own money. There have been at least 363 transactions since the tweets were posted, and the Bitcoin address accumulated over $118,000.

Shortly after the incident, many verified users reported they could no longer tweet, including media companies. Twitter acknowledged the issue.

It is still unknown how these accounts were hacked.

This is not the first time high-profile Twitter accounts have been hacked. In July 2018, cybercriminals impersonated the Twitter account of Elon Musk. In August 2020, cybercriminals hacked Twitter CEO Jack Dorsey’s account. And on Jan. 1, 2020, Mariah Carey’s Twitter account was hacked.

Read more about it here.

CISA warns organizations of obfuscated cyberattacks from the Tor network

The Cybersecurity and Infrastructure Security Agency (CISA), with contributions from the Federal Bureau of Investigation (FBI), issued an advisory on cyberattacks originating from the Tor network, along with recommendations for mitigation.

Tor (a.k.a. The Onion Router) is software that allows users to browse the web anonymously by encrypting requests and routing them through multiple relay layers, or nodes. Threat actors are leveraging Tor to conceal their identity and point of origin when engaging in “malicious cyber activity impacting the confidentiality, integrity, and availability of an organization’s information systems and data.” Examples of this activity include performing reconnaissance, penetrating systems, exfiltrating and manipulating data, and taking services offline through denial-of-service attacks and delivery of ransomware payloads.

Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk of cyberattacks from the Tor network:

  • Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes.
  • Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes.
  • Blended approach: Block all Tor traffic to some resources, allow and monitor for others.
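The three approaches above can be expressed as one policy check run over web logs. The following is an added example, not code from the CISA advisory: the exit-node list and the log lines are constructed (RFC 5737 documentation addresses), and the "blocked paths" are an assumed list of sensitive resources.

```python
"""Apply the CISA-style Tor mitigation approaches to web requests.

Added example. The exit-node list, log lines and blocked paths are
constructed; in practice the exit list would come from a Tor exit-node
feed refreshed on a schedule.
"""
import ipaddress

# Constructed stand-in for a Tor exit-node list (documentation ranges, not real exits).
TOR_EXIT_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]

# Assumed sensitive resources: under the blended approach Tor traffic to these is blocked,
# while Tor traffic to everything else is allowed but flagged for monitoring.
BLOCKED_PREFIXES = ("/admin", "/vpn", "/api/internal")

# Constructed access log in a simplified "ip method path" format.
SAMPLE_LOG = """\
192.0.2.10 GET /admin/login
203.0.113.5 GET /admin/login
198.51.100.7 POST /api/public/search
192.0.2.11 GET /products/42
"""

def is_tor_exit(src_ip, exits=TOR_EXIT_NETWORKS):
    """True if the source address falls inside a known Tor exit range; invalid IPs raise ValueError."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in exits)

def classify(src_ip, path, mode="blended", blocked=BLOCKED_PREFIXES):
    """Return 'allow', 'monitor' or 'block' for one request.

    mode: 'restrictive' blocks all Tor traffic, 'monitor' allows but flags it,
    'blended' blocks Tor traffic only to the sensitive prefixes.
    """
    if not is_tor_exit(src_ip):
        return "allow"          # non-Tor traffic is outside the scope of this policy
    if mode == "restrictive":
        return "block"
    if mode == "blended" and path.startswith(blocked):
        return "block"
    return "monitor"            # Tor traffic that is permitted but worth logging

def apply_policy(log_text, mode="blended"):
    """Classify every non-empty log line; returns (ip, path, decision) tuples."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, _method, path = line.split()
        decisions.append((src_ip, path, classify(src_ip, path, mode)))
    return decisions
```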

Read more about it here.

Akamai mitigated the largest ever Packet Per Second DDoS attack

Akamai is a global content delivery network (CDN), cybersecurity, and cloud services company.

“On June 21, 2020, Akamai mitigated the largest packet per second (PPS) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform. The attack generated 809 million packets per second (Mpps), targeting a large European bank,” reads a post published by Akamai.

Akamai did not disclose the name of the bank.

This latest attack was clearly optimized to overwhelm DDoS mitigation systems through a high PPS load rather than raw bandwidth: the packets carried a meager 1-byte payload, for a total packet size of 29 bytes including IPv4 headers.

Read more about it here.

Hundreds of malicious Chrome browser extensions result in 32 million malware downloads

Researchers at Awake Security told Reuters that hundreds of Chrome browser extensions were found to be malicious. Most of the free extensions purported to warn users about questionable websites, or to convert files from one format to another. Instead, these Chrome extensions sucked up browsing history and data that provided credentials for access to internal business tools.

Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date.

Google removed over 100 Chrome browser extensions from the official Web Store.

Read more about it here.

Two vulnerabilities in Zoom could lead to code execution

Researchers from Cisco Talos disclosed two critical flaws in the Zoom software that could allow a remote attacker to write files to the targeted user’s system and possibly achieve arbitrary code execution.

The first vulnerability, CVE-2020-6109, is related to the way Zoom stores GIF image files. Zoom did not check the GIF source, allowing attackers to embed GIFs served from a third-party server under their control. The software further fails to sanitize the GIF filename, potentially allowing directory traversal, so that malicious files disguised as GIFs could be stored in any location on the target system.

The second vulnerability, CVE-2020-6110, is related to the way Zoom Client version 4.6.10 processes messages that include shared code snippets. A specially crafted chat message can cause arbitrary binary planting, which could be abused to achieve arbitrary code execution.

Newer versions of the video conferencing app patch the flaws.

Read more about it here.

Crooks hacked e-shops, selling SQL databases if ransom isn’t paid

Crooks who hacked online shops in several countries are offering for sale more than two dozen SQL databases.

The crooks demand that victims pay BTC 0.06 (about $550) within 10 days, or they leak the database content.

The crooks hack into insecure servers that are reachable over the public web, copy the databases, and leave a note asking for a ransom in return for the stolen data.

The databases contain over 1.5 million rows. Exposed records include email addresses, names, hashed passwords, mailing addresses, gender, and dates of birth.

Read more about it here.

Samsung fixes a zero-click vulnerability affecting most of its phones

Samsung is patching this month a critical security issue affecting all its Android smartphones sold since 2014, beginning with Android 4.4.4 KitKat. A “zero-click” vulnerability, this newly discovered flaw could let a hacker wreak havoc on someone’s phone by simply sending a specific type of image, exploiting the device without any user action.

The vulnerability was discovered by Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, who found a way to exploit how Skia (the Android graphics library) handles Qmage image files (.qmg) sent to a device.

Jurczyk said the attack usually needs between 50 and 300 MMS messages to probe and bypass Android’s ASLR (Address Space Layout Randomization), which usually takes around 100 minutes, on average.

This flaw was patched in Samsung’s May 2020 Security Update for Android, so if you own a Samsung device from 2014 or later, make sure to install the update when you get it.

Read more about it here.

Microsoft warns against downloading movies from random sites

Microsoft warns of a spike in malware spreading via pirate streaming services and movie piracy sites during the COVID-19 pandemic.

Cybercriminals are attempting to take advantage of the pandemic by spreading malware via pirate streaming services and movie piracy sites, Microsoft warns.

“We saw an active coin miner campaign that inserts a malicious VBScript into ZIP files posing as movie downloads,” the company’s security intelligence team says in a tweet.

“The campaign, primarily observed in Spain but has also shown up in some South American countries, aims to launch a coin-mining shellcode directly in memory. We’re seeing the campaign affecting a wide range of customers, from home users to enterprises.”

The movies concerned include John Wick: Chapter 3 – Parabellum, along with Spanish-language titles including Punales Por La Espalda, La Hija de un Ladrón and Lo Dejo Cuando Quiera – as well as Contagio, the Spanish-dubbed version of Contagion.

Read more about it here.