
Cyber Bites

malware

The Blue Mockingbird malware gang has infected more than 1000 business systems with Monero mining malware since December 2019. The global scale of the hacker group’s operations was revealed by cloud security firm Red Canary on May 26. The report outlined the group’s methodology. The malware attacks servers running ASP.NET applications and exploits a vulnerability to install a web shell on the attacked computer and obtain administrator-level access to modify the server settings. Next, the...

wfh

When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote access applications. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more. As the port scan is only looking for Windows remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases....
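How a page can probe loopback ports from inside the browser, as an added example that is not eBay's script: the browser never shows the page the bytes that 127.0.0.1 returns, but how quickly a WebSocket attempt fails, or whether it fails at all before a timeout, still tells the page whether something is listening on that port. Ports 3389 (RDP) and 5900 (VNC) are the standard ports for those tools; the other two ports, the timing threshold, the function names and the sample results are assumptions made for this example.

```javascript
// Added example, not eBay's code. Probe a few loopback ports from a web page
// using WebSocket connection timing, then classify the results.

// Constructed port list. 3389 (RDP) and 5900 (VNC) are the standard ports;
// the TeamViewer and Ammyy Admin entries are assumptions for illustration.
const PROBE_TARGETS = [
  { port: 3389, tool: "Windows Remote Desktop (RDP)" },
  { port: 5900, tool: "VNC" },
  { port: 5939, tool: "TeamViewer (assumed port)" },
  { port: 5931, tool: "Ammyy Admin (assumed port)" },
];

// Constructed threshold: a refused connection (nothing listening) fails within
// a few milliseconds; a listener that accepts TCP but does not speak WebSocket
// fails slowly, or not at all before the timeout.
const FAST_FAIL_MS = 100;

// Browser-side probe. Resolves with the first event seen and how long it took;
// the page gets only the outcome and the timing, never the response bytes.
function probePort(port, timeoutMs = 1000) {
  return new Promise((resolve) => {
    const start = performance.now();
    let settled = false;
    const finish = (reason) => {
      if (settled) return;
      settled = true;
      resolve({ port, reason, elapsedMs: performance.now() - start });
    };
    let ws;
    try {
      ws = new WebSocket(`ws://127.0.0.1:${port}/`);
    } catch (e) {
      finish("exception"); // e.g. a port the browser refuses to connect to at all
      return;
    }
    ws.onopen = () => { finish("open"); ws.close(); };
    ws.onerror = () => finish("error");
    ws.onclose = () => finish("closed");
    setTimeout(() => { finish("timeout"); ws.close(); }, timeoutMs);
  });
}

// Turn raw probe results into "something is listening here" findings.
function classify(results, targets = PROBE_TARGETS) {
  const toolByPort = new Map(targets.map((t) => [t.port, t.tool]));
  return results
    .filter((r) => r.reason === "open" || r.reason === "timeout" || r.elapsedMs >= FAST_FAIL_MS)
    .map((r) => ({ port: r.port, tool: toolByPort.get(r.port) || "unknown", signal: r.reason }));
}

// Run all probes concurrently and return the findings (browser only).
async function scanLocalPorts(targets = PROBE_TARGETS) {
  const results = await Promise.all(targets.map((t) => probePort(t.port)));
  return classify(results, targets);
}

// Only start a real scan when this runs inside a browser page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  scanLocalPorts().then((findings) => console.log("local listeners:", findings));
}
```

The signal is a heuristic, not a handshake: a slow failure can also come from a firewall or a busy machine, so a scanner like this reports "probably listening", not "definitely RDP". On the receiving end, the attempts are visible: the browser's developer tools list every `ws://127.0.0.1:...` connection the page tried under the Network tab, which is the quickest way to confirm a site is doing this.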


A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP Range request header. HTTP Range requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for...
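The amplification mechanism in outline, as an added example that is not the researchers' code: a Range request is a few dozen bytes, but a server or CDN that honours an abusive set of ranges literally can answer with many times the object's size. The parser follows the byte-range syntax of RFC 7233; the 1 MB object, the cap of four ranges, the function names and the policy of ignoring an abusive Range header (which RFC 7233 permits a server to do) are assumptions made for this example.

```javascript
// Added example, not the RangeAmp researchers' code. Parse HTTP Range headers,
// compute what a naive server would send, and show a hardened policy.

const RESOURCE_LEN = 1_000_000; // constructed: a 1 MB object on the CDN
const MAX_RANGES = 4;           // assumed cap on ranges accepted per request

// Parse "bytes=..." into inclusive [first, last] pairs, dropping unsatisfiable
// ranges. Returns null for a malformed header, which a server treats as absent.
function parseRangeHeader(header, resourceLen) {
  const m = /^bytes=(.+)$/i.exec(String(header).trim());
  if (!m) return null;
  const ranges = [];
  for (const spec of m[1].split(",")) {
    const mm = /^\s*(\d*)-(\d*)\s*$/.exec(spec);
    if (!mm) return null;
    const [, a, b] = mm;
    if (a === "" && b === "") return null;
    let first, last;
    if (a === "") {
      const n = Number(b);            // suffix range: the last n bytes
      if (n === 0) continue;          // "-0" is unsatisfiable
      first = Math.max(0, resourceLen - n);
      last = resourceLen - 1;
    } else {
      first = Number(a);
      last = b === "" ? resourceLen - 1 : Math.min(Number(b), resourceLen - 1);
      if (first >= resourceLen || first > last) continue;
    }
    ranges.push([first, last]);
  }
  return ranges.length > 0 ? ranges : null;
}

// Body bytes a naive server sends when it honours every range literally
// (multipart boundaries and per-part headers add a little on top of this).
function bytesServed(ranges) {
  return ranges.reduce((sum, [first, last]) => sum + (last - first + 1), 0);
}

// Hardened policy: cap the number of ranges and refuse overlapping ones.
function validateRangeSet(ranges, maxRanges = MAX_RANGES) {
  if (ranges.length > maxRanges) return { ok: false, reason: "too-many-ranges" };
  const sorted = [...ranges].sort((x, y) => x[0] - y[0]);
  for (let i = 1; i < sorted.length; i++) {
    if (sorted[i][0] <= sorted[i - 1][1]) return { ok: false, reason: "overlapping-ranges" };
  }
  return { ok: true, ranges: sorted };
}

// Decide the response: 206 with only the accepted ranges, or ignore the header
// and send the object once (200), so a Range request never costs more than a
// plain GET of the same object.
function handleRange(header, resourceLen = RESOURCE_LEN) {
  const ranges = parseRangeHeader(header, resourceLen);
  if (!ranges) return { status: 200, bytes: resourceLen, reason: "no-valid-range" };
  const verdict = validateRangeSet(ranges);
  if (!verdict.ok) return { status: 200, bytes: resourceLen, reason: verdict.reason };
  return { status: 206, bytes: bytesServed(verdict.ranges), reason: "ok" };
}

// Ratio of response body bytes to request bytes for the naive server,
// using a constructed minimal request line and headers.
function naiveAmplification(header, resourceLen = RESOURCE_LEN) {
  const ranges = parseRangeHeader(header, resourceLen);
  const requestBytes = `GET /object HTTP/1.1\r\nHost: cdn.example\r\nRange: ${header}\r\n\r\n`.length;
  return (ranges ? bytesServed(ranges) : resourceLen) / requestBytes;
}
```

Three repeated `0-` ranges already make a naive server return three copies of the object for one request, and the header can carry far more than three. Whether the extra bytes cross the network once or many times depends on where the literal implementation sits; when one CDN layer forwards such a header unchanged to another, the amplification lands on the link between them rather than on the client.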


Thousands of enterprise systems are believed to have been infected with a cryptocurrency-mining malware operated by a group tracked under the codename of Blue Mockingbird. Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019. Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component. Hackers exploit the CVE-2019-18935...

code

More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller provides over 1.5 million rows of records, but the amount of stolen data is much larger. The attacker breaks into insecure servers that are reachable over the public web, copies the databases, and leaves a note asking for a ransom in return for the stolen data. Victims have...


In just five short years, Discord's popularity with gamers has soared. Today, Discord has 250 million registered users, around 15 million of them active on any given day, which is why it has become a popular target for cybercriminals. One persistent threat that has plagued Discord for some time is AnarchyGrabber, a particularly stealthy trojan that steals users' credentials and authentication tokens. MalwareHunterTeam spotted an updated version of AnarchyGrabber this week. It can now...


Cybercriminals are taking advantage of the Google name and the cloud to trick victims into handing over their login details. A series of phishing campaigns using Google Firebase storage URLs has surfaced, showing that cybercriminals continue to leverage the reputation of Google's cloud infrastructure to dupe victims and slip past secure email gateways. Google Firebase is a mobile and web application development platform; Firebase Storage provides file uploads and downloads for Firebase apps....

data breach

The social security numbers and home addresses of thousands of unemployment applicants were inadvertently exposed this week in three states that had contracted with Deloitte to build unemployment portals. In Ohio, Illinois and Colorado, thousands who applied for Pandemic Unemployment Assistance, or PUA, a type of unemployment benefit newly available to the self-employed and gig workers, received notice that their personal information, including social security numbers, addresses, names and how much they were receiving in benefits,...

vulnerability

Cisco has hurried out a fix for a critical remote code-execution flaw in its popular customer interaction management solution, Cisco Unified Contact Center Express (CCX). Cisco's Unified CCX software is touted as a "contact center in a box" that allows companies to deploy customer-care applications. The flaw (CVE-2020-3280), which has a CVSS score of 9.8 out of 10, stems from...

exploit

UK cyber-security vendor Sophos published an update today on its investigation into a recent series of attacks that tried to exploit a zero-day vulnerability in its XG firewall product. Sophos said that after it learned of the incident and issued a hotfix, the attackers panicked and modified their attack routine, replacing their original data-stealing payload with ransomware deployed on corporate networks protected by Sophos firewalls. Sophos said that firewalls which received the hotfix blocked...
