The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good

Europol has been busy this week rounding up 26 fraudsters belonging to two separate SIM swapping gangs in Spain and Romania in ‘Operation Quinientos Dusim’ and ‘Operation Smart Cash’. SIM swapping involves socially engineering the staff of major phone carriers using personal data obtained in breaches, through phishing and by using OSINT techniques. SIM swappers impersonate their intended victim and convince the phone carrier to transfer the target’s cell services to a SIM card belonging to the attackers. Famously, Twitter CEO Jack Dorsey was caught in a SIM swap attack last year. Typically, fraudsters use the stolen services to gain access to the victim’s online banking and to bypass 2FA and one-time password controls on online accounts. The gangs caught in this week’s report are believed to have snatched funds from over 100 victims’ bank accounts before being nabbed by Europol with the help of the Spanish and Romanian police.

[Image: advice on how to protect against SIM swapping]

If you’re an Adobe user, and let’s face it most of us are, then you’ll be pleased to hear that Adobe fixed 41 security flaws this week. In a massive security update across both Windows and macOS versions, Adobe plugged vulnerabilities in six major products, including ubiquitous favorites Adobe Acrobat, Adobe Reader and Photoshop. If you haven’t already, update those apps before the hackers reverse and exploit the multiple arbitrary code execution vulnerabilities just fixed.

The Bad

We’re all only too aware of what the big, bad news is this week and likely to be for many weeks ahead: the COVID-19/Coronavirus outbreak that’s wreaking havoc on people’s health, livelihoods and lifestyles across the globe. SentinelOne, like a number of other vendors, is offering free platform access to help secure enterprises and remote workers during this unprecedented crisis. Meanwhile, the bad guys are, of course, taking every opportunity they can to milk the FUD for all it’s worth, with malware campaigns, phishing kits and good old-fashioned snake oil frauds becoming almost too numerous to count.

In a sign of the upside-down times that we’re living in, our bad news this week comes with an oddly welcome twist. For the time being anyway, some ransomware operators, namely DoppelPaymer and Maze, have claimed they will avoid deliberately targeting medical services and even offer free decryptors to those that do get hit. Of course, criminals like anyone else may need access to healthcare services before we see the back of the COVID-19 crisis, so we don’t think they’ll be winning any “service to the community” awards just yet.

[Image: Maze ransomware press release]

On a different note, in other bad news this week, it seems TrickBot developers have been busy retooling in order to target US and Hong Kong-based telecoms organizations through a brute-force RDP attack leveraging a malicious DLL file called rdpScanDll. Researchers say very specific IPs have been targeted and that the purpose appears to be espionage. We already know that TrickBot is being leveraged by some APTs, and this looks like it could well be more of the same. More intel on this as soon as we have it.

The Ugly

Data breaches are always ugly, and data breaches by security companies are even uglier still. This week potentially sees one of the worst ever (it’s shaping up to be that kind of year, isn’t it?) as one security vendor may have leaked over 5 billion records that they’d been stockpiling since at least 2012. The vendor, UK-based Keepnet Labs, appears to have amassed data from other previously known sources and compiled it into a well-structured database with hash types, leak data, email, password and other information.

[Image: tweet about the Keepnet Labs data breach]

Such a massive and organized collection would undoubtedly be a prize asset for fraudsters to get their hands on. It’s not immediately clear whether the database contained other, previously undisclosed breach data or whether it had been accessed by bad actors. What is known is that security researchers were able to access the unsecured Elasticsearch instance without Keepnet Labs’ awareness. The researchers informed the cybersecurity vendor, who promptly secured the data within the hour. As bad actors routinely probe for such insecure databases in the same way as the researchers who found this one, it’s anyone’s guess at this point whether the treasure trove is already in the hands of spammers, fraudsters and criminals intent on phishing attacks.
