Thousands of MongoDB databases ransacked, held for ransom

The cybercriminal behind the ransom raids on almost 23,000 databases threatens to leak the data and alert GDPR regulators

An unknown cybercriminal has infiltrated 22,900 unsecured MongoDB databases, wiping their contents and leaving behind a ransom note demanding bitcoin in return for the data. If the ransom isn’t paid within two days, they threatened to notify authorities in charge of enforcing the European Union’s General Data Protection Regulation (GDPR).

According to ZDNet, which broke the story, the hacker is using automated scripts to scour the internet for MongoDB installations that face the internet with no password protection, deleting their contents, and asking for 0.015 bitcoins (some US$140) to return the data.

The cybercriminal was even “thoughtful” enough to provide a guide on how to purchase bitcoins. It seems that the bad actor is using multiple bitcoin wallets and email addresses, but the wording of the threat remains consistent. If the conditions aren’t met, they threaten to leak the data and contact GDPR regulators.

Victor Gevers, a security researcher at the GDI Foundation, pointed out that the first few attacks lacked the data-wiping feature. Once the miscreant realized the mistake in their script, they amended it and started wiping the MongoDB databases. Instances of attacks using this particular ransom note have been recorded all the way back to April of this year.

The researcher, whose responsibilities include reporting exposed servers, stated that he noticed the wiped systems while checking on MongoDB databases he was supposed to report so they could be secured. “Today, I could only report one data leak. Normally, I can do at least between 5 or 10,” he added for ZDNet.

While the demanded ransom may seem like a paltry sum, multiply it by the number of unsecured databases and it turns out that the malicious actor is trying to extort almost US$3.2 million in total. Although it’s safe to say that far from each affected entity will give in to the demands, the threat of GDPR fines may convince some to pay, since the ransom pales in comparison to the enormous fines that can be handed down by regulatory authorities.

Unsecured and misconfigured databases can hardly be considered an uncommon occurrence. In one notable example, ethical hackers left “friendly warnings” in exposed Amazon S3 cloud storage databases.

Attacks that involve infiltrating and holding cloud databases for ransom have been around since at least 2016. If you’re a MongoDB database administrator who’d rather avoid dealing with such extortion attempts, you might want to check out this MongoDB security manual or thumb through our five general tips for keeping your databases secure.
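The root cause in this campaign is a database that listens on every interface with authorization switched off. As an added example (not ESET's or MongoDB's own tooling, and not part of the original article), the following Python audits a mongod.conf for exactly those two settings; it assumes the standard YAML key names net.bindIp, net.bindIpAll and security.authorization, and the two sample configurations are constructed for illustration.

```python
"""Audit a mongod.conf for the two settings behind the 'open MongoDB' problem
described above: listening on every interface and running without authorization.
Constructed example, not ESET's or MongoDB's own tooling; parse_simple_yaml
handles only the indented key/value subset that mongod.conf normally uses."""


def parse_simple_yaml(text):
    """Parse indentation-based 'key: value' lines into nested dicts.
    Comments are dropped; lists, anchors and flow syntax are not supported."""
    root = {}
    stack = [(-1, root)]          # (indent level, dict being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent:   # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":                 # a section header such as "net:"
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weak setting is present."""
    cfg = parse_simple_yaml(text)
    findings = []
    net = cfg.get("net", {})
    # mongod 3.6+ binds to localhost when bindIp is absent; older builds bound to
    # every interface, so on pre-3.6 servers treat a missing key as a finding too.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll", "false").lower() == "true" or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("listens on all interfaces")
    if cfg.get("security", {}).get("authorization", "disabled").lower() != "enabled":
        findings.append("authorization disabled")
    return findings


def is_open_to_ransom(text):
    """The situation in the article: reachable from anywhere and no credentials required."""
    return set(audit_mongod_conf(text)) == {"listens on all interfaces", "authorization disabled"}


# Constructed sample configs (not taken from any real affected server).
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from the internet
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # local clients only; use a VPN or private network for remote access
security:
  authorization: enabled # every client must authenticate
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf), "open to ransom:", is_open_to_ransom(conf))
```

The configuration check is only half the story: a server whose file says 127.0.0.1 can still be exposed by a port forward or a container network, so confirm from outside the host that port 27017 is not reachable, and make sure backups exist before anyone else tests it for you.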

2 Jul 2020 – 04:43PM

Microsoft releases emergency update to fix two serious Windows flaws

The out-of-band update plugs two remote code execution bugs in the Windows Codecs library, including one rated as critical

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker who can exploit CVE-2020-1425 “could obtain information to further compromise the user’s system”, said Microsoft. Successful exploitation of the second flaw, meanwhile, could enable attackers to execute arbitrary code on the targeted machine. Each flaw was given the “exploitation less likely” rating on Microsoft’s Exploitability Index.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.

RELATED READING: Vulnerabilities, exploits and patches

The updates are being deployed automatically via Microsoft Store, rather than through the far more usual Windows Update process. “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” said Microsoft.

In order to check if the updates have been implemented or to expedite the process, Microsoft provides this guidance. The company is not aware of any mitigations or workarounds for the two vulnerabilities.

1 Jul 2020 – 02:06PM

COVID‑19 contact tracing – technology panacea or privacy nightmare?

Can a technological intervention stem the pandemic while avoiding the privacy pitfalls of location tracking?

The UK Government recently announced that it was ceasing development of its current contact-tracing app; on the same day, the Canadian Government stated that it was developing one. All this in the same week that the Norwegian health authority had to delete all data gathered via its contact-tracing app and suspended further use due to a ruling by the Norwegian Data Protection Authority. And if these examples are not enough to demonstrate the utter confusion, the Australian app is reported to have a bug that stops iPhones from reporting possible close contacts.

It’s clear that there is no single or quick solution that is going to resolve the individual needs of the world’s health and government agencies that are attempting to use technology to assist in reducing the infection rates of COVID-19.

According to Wikipedia, more than 30 countries have, or are planning to release, apps designed to contact trace or geo fence their users, for the purposes of limiting and managing the spread of COVID-19. The development cycle and distribution of these time-sensitive solutions is itself unprecedented. Ask the members of any app development team if they could develop an app and the infrastructure to support 100 million or more users in under three months and they would say no – and that’s after they stop laughing at the suggestion.

Coming to a phone near you

The concept of contact tracing is to inform people that they may have come into contact with another person who has contracted or is showing symptoms of an infectious ailment, in this case COVID-19. The recipient of the notification can then take precautionary measures, such as self-isolation. This has proven a successful tool to assist in eradicating other diseases such as smallpox and has been used to control others such as tuberculosis, measles and HIV. With large portions of the world population now carrying a smartphone, technology should be able to play an important role, which is why we are seeing a surge in the development of contact-tracing apps.

The majority of apps available are government sponsored and use a variety of different methods to fulfill their purpose, such as Bluetooth vs. GPS, centralized vs. decentralized, and not all are sensitive to maintaining the privacy of the user.

There are two main methods being used to glean the physical proximity of users. The first is the global positioning system (GPS): this uses satellite-based radio-navigation to approximate the individual’s location and the location of other app users. The second, more prominent, solution uses Bluetooth and signal strength to identify other app users’ proximity, allowing the devices to exchange handshakes rather than track actual location. There are some solutions that use a mix of both Bluetooth and GPS and some even use network-based location tracking, but these methods have significant location-tracking privacy issues and are fortunately limited to only a few developments. The primary technology in use by COVID-19 contact-tracing apps is Bluetooth, as it provides a higher level of privacy protection.

RELATED READING: Public health vs. personal privacy: Choose only one?

There is an underlying issue though: Bluetooth discovery is not enabled while a phone is locked and the app requesting it is not primary. Until now there has been no reason for this to be enabled. Early versions of apps such as BlueTrace, the Singapore government’s solution, relied on its users keeping their phones unlocked. The UK NHS beta app had a unique solution to this, at least for Android, but it would appear the limits implemented by Apple in iOS have meant that this was unachievable and has required developers to work with the official Apple and Google Exposure Notifications API.

The joint Google and Apple solution, the Exposure Notifications API, preserves privacy and provides a method of using Bluetooth Low Energy and cryptography to provide a contact-tracing infrastructure. Use of the API is limited to public health authorities and access is only granted when specific criteria around privacy, security and data are met. However, this API is only part of a solution that an app needs to deliver the functionality needed. If an app requests personal information, either directly or by other methods, it could render this privacy-friendly solution questionable. A potential user of a contact-tracing app built on this solution may perceive that the app, because it uses the Google and Apple solution, has been developed to preserve the privacy of the individual; this could give a false sense of security.

There is also speculation that the use of the Exposure Notification API and Bluetooth for proximity and distance measuring in iOS may not be accurate; this was alluded to by the UK Government when announcing the cessation of the development of its own solution. Some of the potential issues are detailed in an article published by MIT Technology Review: it claims that if a phone is standing up in your pocket in portrait rather than landscape, then this alone can adjust the received power and make it look like someone is across the room as opposed to being next to you. The research also mentions the issue of signals passing through bodies – for example, if two people are standing back to back, the signal may appear weak, and thus record an incorrect distance. The UK Government claims to have developed algorithms that alleviate some of these issues; let’s hope the tech giants at Apple are willing to at least explore the potential solution the NHS team claims to have.

Google and Apple’s solution joins eight other frameworks that have been created since the beginning of the pandemic. The frameworks have been created in parallel by a mix of technology companies, privacy organizations, academia and governments. If the world adopted one framework there would of course be standardization, but this also adds a single point of failure if the framework is compromised or fails to deliver the expected results. As frameworks have evolved,

Remote access at risk: Pandemic pulls more cyber‑crooks into the brute‑forcing game

Poorly secured remote access attracts mostly ransomware gangs, but can provide access to coin miners and backdoors too

The COVID-19 pandemic has radically changed the nature of everyday work, forcing employees to do large parts of their jobs via remote access. Cybercriminals – especially ransomware operators – are aware of the shift and attempt to exploit the new opportunities and increase their illicit earnings. ESET telemetry confirms this trend in an uptick in the number of unique clients who reported brute-force attack attempts blocked via ESET’s network attack detection technology.

Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department. But the coronavirus pandemic has brought a major shift to the status quo. Today, a huge proportion of “office” work occurs via home devices with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP) – a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers.

Despite the increasing importance of RDP (as well as other remote access services), organizations often neglect its settings and protection. Employees use easy-to-guess passwords and with no additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems.

That is probably also the reason why RDP has become such a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals typically brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.

The growing number of unique clients who have reported an RDP attack attempt is visible in data gathered by ESET telemetry (see Figure 1).

Figure 1. Trend of RDP attack attempts against unique clients (per day), detected by ESET technologies

Brute-force attack protection

To address the growing risks posed by increasing RDP use, ESET researchers have devised a new detection layer that is hidden under the hood of ESET Network Attack Protection and is designed to block incoming brute-force attacks from external IP addresses, covering RDP as well as SMB protocols.

Called ESET Brute-Force Attack Protection, this new layer detects groups of failed login attempts from external environments, which hint at an incoming brute-force attack, and then blocks further attempts. Subsequently, the biggest offenders among these IP addresses are added to a blacklist, which protects millions of devices from future attacks.

The new technology has proven to be effective against both random and targeted attacks. For it to work properly, the RDP option Network Level Authentication (NLA) must be enabled on the server.
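The detection logic described above, a burst of failed logons from one external address followed by blocking and a ranking of the worst offenders, can be reproduced on a defender's own logs. The following Python is an added example, not ESET's Brute-Force Attack Protection and not code from the article: it assumes a simplified record format standing in for Windows Security events 4625 (failed logon) and 4624 (successful logon), and every address, account and timestamp in the sample is constructed.

```python
"""Detect RDP brute-force attempts in failed-logon records and rank offenders.
Constructed example, not ESET's Brute-Force Attack Protection: the log format
below is a simplified stand-in for Windows Security event 4625 (failed logon)
and 4624 (successful logon), and every address and account is made up."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone
import ipaddress

# Constructed sample: "<ISO timestamp> <event id> <source IP> <account>", oldest first.
# 203.0.113.7 hammers the server within seconds; 10.0.0.15 is an internal user
# mistyping a password; 198.51.100.9 tries once every half hour.
SAMPLE_LOG = """\
2020-05-04T10:00:01Z 4625 203.0.113.7 administrator
2020-05-04T10:00:02Z 4625 203.0.113.7 admin
2020-05-04T10:00:02Z 4625 203.0.113.7 Administrator
2020-05-04T10:00:03Z 4625 203.0.113.7 backup
2020-05-04T10:00:03Z 4625 203.0.113.7 sqladmin
2020-05-04T10:00:04Z 4625 203.0.113.7 user
2020-05-04T10:00:10Z 4625 10.0.0.15 jsmith
2020-05-04T10:00:11Z 4625 10.0.0.15 jsmith
2020-05-04T10:00:12Z 4625 10.0.0.15 jsmith
2020-05-04T10:00:13Z 4625 10.0.0.15 jsmith
2020-05-04T10:00:14Z 4625 10.0.0.15 jsmith
2020-05-04T10:00:16Z 4624 10.0.0.15 jsmith
2020-05-04T10:00:20Z 4625 198.51.100.9 admin
2020-05-04T10:30:20Z 4625 198.51.100.9 admin
2020-05-04T11:00:20Z 4625 198.51.100.9 admin
2020-05-04T11:30:20Z 4625 198.51.100.9 admin
2020-05-04T12:00:20Z 4625 198.51.100.9 admin
2020-05-04T12:30:20Z 4625 198.51.100.9 admin
2020-05-04T13:00:20Z 4625 198.51.100.9 admin
"""

FAILED_LOGON = 4625

# Listed explicitly rather than via ipaddress.is_private, because the documentation
# ranges used in the sample (198.51.100/24, 203.0.113/24) are non-global too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    ts, event_id, ip, account = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, int(event_id), ip, account


def is_external(ip):
    """Internal sources still deserve a look, but they are a different incident."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag external IPs with at least `threshold` failed logons inside any
    sliding window of `window_seconds`. Returns {ip: time of first trigger}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event_id, ip, _ = parse_line(line)
        if event_id != FAILED_LOGON or not is_external(ip) or ip in flagged:
            continue
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = when
    return flagged


def rank_offenders(log_text):
    """Total failed logons per external IP, most active first: the input for a
    blocklist of the worst sources, as the article describes."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, event_id, ip, _ = parse_line(line)
        if event_id == FAILED_LOGON and is_external(ip):
            counts[ip] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("fast brute force:", detect_bruteforce(SAMPLE_LOG))
    print("including slow attempts:", detect_bruteforce(SAMPLE_LOG, window_seconds=3 * 3600))
    print("offenders:", rank_offenders(SAMPLE_LOG))
```

With the default one-minute window only the fast attacker is flagged; the half-hourly attempts from 198.51.100.9 never reach five failures inside 60 seconds, which is why a long-window count or a cumulative ranking is needed alongside the burst rule. On a real server the source address of event 4625 is only populated when NLA is enabled, which matches the requirement stated above.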

According to ESET telemetry, most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France (see Figure 2).

Figure 2. Countries with the largest number of all blocked IP addresses (between Jan 1 and May 31, 2020).

Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary (see Figure 3).

Figure 3. Countries with the most brute-force attacks reported by ESET telemetry (between Jan 1 and May 31, 2020).

How to configure remote access correctly

Yet, even with protective measures such as ESET Brute-Force Attack Protection, organizations need to keep their remote access properly configured:

  • Disable internet-facing RDP. If that is not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
  • Require strong and complex passwords for all accounts that can be logged into via RDP.
  • Use an additional layer of authentication (MFA/2FA).
  • Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
  • At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
  • Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
  • Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.
  • For a detailed description of how to set up your RDP connection correctly, please refer to this article by ESET Distinguished Researcher Aryeh Goretsky.
  • Most of these best practices apply to FTP, SMB, SSH, SQL, TeamViewer, VNC and other services as well.

Ransomware, coin miners and backdoors

Encryption of data and subsequent extortion is in no way the only scenario that could follow an RDP compromise. Frequently the attackers try to install coin-mining malware or create a backdoor, which can be used in case their unauthorized RDP access has been identified and closed.

Other common scenarios following an RDP compromise can include:

  • clearing of log files, thus removing the evidence of previous malicious activity,
  • downloading and running the attacker’s choice of tools and malware on the compromised system,
  • disabling of scheduled backups and shadow copies or completely erasing them, or
  • exfiltrating data from the server.

Black hats have been trying to exploit RDP for years, as documented by our blogpost from 2013. Steadily growing numbers of RDP attacks over the past few years have become the subject of numerous governmental advisories including the FBI, the UK’s NCSC and Australia’s ACSC.

This only demonstrates how crucial the security of remote access has become, potentially making or breaking a company’s future. And even if the damage to an organization’s reputation can be managed, there are financial losses, stalled operations and expensive recovery efforts that need to be accounted for. This doesn’t consider the additional costs of potential penalties that can be issued by authorities under data-protective legislation such as GDPR (EU), CCPA (California) or NDB (Australia).

Whether or not there’s a pandemic, businesses should manage the risks posed by wide usage of RDP or other similar services by reinforcing their passwords and by adding other protective layers, including multi-factor authentication and a security solution that defends against attacks based on RDP and similar protocols.

29 Jun 2020 – 11:30AM

Week in security with Tony Anscombe

Android ransomware posing as a COVID-19 tracing app – Ill-trained and ill-equipped newly-minted remote workers – How Bitcoin giveaway scams misuse Elon Musk’s name

This week, ESET researchers published their findings about Android ransomware spreading under the guise of an official COVID-19 contact-tracing app developed by Health Canada. A study by IBM shows that many newly-minted remote employees use their personal laptops for work and lack security training or tools to properly secure the devices. Scammers now include the name of Tesla and SpaceX CEO Elon Musk in Bitcoin addresses in order to give their schemes extra credibility. For more information, go to

What is a password manager and why is it useful?

A password manager can make your digital life both simpler and more secure. Are there any downsides to relying on software to create and store your passwords?

Recently we commemorated World Password Day with an article that dealt with five common mistakes to avoid when it comes to passwords. And although password protection can be considered a cornerstone of our digital existence, we rarely give it deep thought. Nothing drives that point home more than the annually compiled lists of the most-used passwords, which have ranked 12345 and password among the most-common choices year after year.

Our preference for flimsy passwords can be partly attributed to our use of a gazillion different services, which – unless you connect everything to your Google or Facebook account – often implies creating a new account. On the other hand, if you do have multiple complex passwords, they may prove difficult to remember. So, you opt to recycle the same simple password, since you’re thinking: where is the harm? Well, if a hacker breaks a recycled password, then your accounts may become an all-you-can-eat breakfast buffet for the attackers.

This is what a password manager – an application specifically designed to store your login details in an encrypted vault and to generate complex passwords for you – can help you avoid. By making it supremely easy to create, save and autofill a unique and strong password for each of your online accounts, this ‘digital safe’ can be an effective solution to your conundrum. All you need to remember is a single password, called the ‘master password’.

Types of password managers

Most popular password vaults function as cloud applications that can be accessed through a browser. Regardless of your password manager of choice, you’ll have to create one strong master password that will protect all your stored credentials used to access the different services you use; so be very careful about your choice. In the case of a cloud-based manager, this is part of creating an account.

The manager will then take it from here. You can add all your existing accounts to it and when you sign up for new services, you can either use your own passphrases or it will use a built-in generator to create randomized, long, and secure passwords. Once you want to sign into any of the services that you use, the password manager automatically fills in your credentials and you’re all set.

If you have an issue with trusting cloud-based applications with your passwords, you can opt for a locally hosted vault, which will store everything on your device. In fact, you can choose from a number of open-source options, which provide a lot of the functionality of their cloud competitors, albeit often in a more modest design package. But what these apps may lack in aesthetics, they make up for in features.

Another option that you can go for besides cloud-based and open-source solutions are the managers that are included in reputable endpoint security suites and represent a suitable option to help you manage and secure your login credentials.

The pros and cons of using a password manager

There are various types of password managers to choose from, with cloud-based options being among the most popular. The added benefit of them using the cloud is having access to your passwords from anywhere. Most of the popular brands (1Password, Dashlane, LastPass, etc.) offer apps for your smartphone, so if you use multiple devices (which most of us do), then cloud-based services will sync all your passwords across all devices. Some even have desktop options and browser plug-ins, so they have all of the bases covered.

When it comes to subscriptions, the basic set of options is offered for free. If you find those lacking, you can always pay for one of the more premium tiers, which usually include more settings and added security features.

As convenient as all of this sounds, it comes with one caveat. You’re putting all your eggs in one basket, as it were; and some online password managers have faced their share of problems in the past. A few months ago, for example, researchers found security flaws in a number of popular password managers: some Android versions of their apps were found to be susceptible to phishing attacks, while others allowed endless attempts at entering the master PIN.

It is important to keep in mind that since your data is stored on a server, in case of a breach or a successful hack, cybercriminals can download the information in bulk and your account may end up in that data trove. Should this happen, you are dependent on the operators of your chosen service having properly implemented strong encryption and on the strength of your master password; keep in mind that it guards the gate to most of your digital life.

RELATED READING: How to spot if your password was stolen in a security breach

As with any service, do your due diligence and read through the cybersecurity blogs and reviews from reputable independent testing organizations to see if the password manager of your choice has had any reported vulnerabilities recently. You should also thoroughly read through and understand and act upon all the security measures that the service has put in place to secure your passwords and accounts.

When it comes to the locally installed open-source applications, some are able to generate passwords that cater to the specific requirements a site has for their creation. KeePass, for example, also has the nifty option of running straight from a USB. With open-source applications such as KeePass, you can also search for professional security audits of the core encryption and security function code.

Some things that might seem like drawbacks in password managers that store everything locally may actually add security. Since the codes are stored on a specific device, you may not have the option to sync them across all your other devices, but for a cybercriminal to gain access to them, they would

Facial recognition technology banned in another US city

In a move lauded by privacy advocates, Boston joins the ranks of cities that have voted down the municipal use of the technology

Boston has become the second-largest city in the world after San Francisco to ban the use of facial recognition technology by police and city agencies. The ordinance was passed unanimously on Wednesday and bars city officials from using the technology and from procuring facial surveillance from a third party. The measure earned a veto-proof majority and has been passed to the office of Mayor Martin J. Walsh, which will review it.

One of the bill’s sponsors, Councilor Ricardo Arroyo, pointed out that the technology is inaccurate when it comes to people of color, a statement supported by a 2018 MIT study that found an error rate of almost 35% for dark-skinned women compared to 0.8% for light-skinned men. Another study, conducted by NIST, also saw higher rates of false positives for Asian and African-American faces relative to images of Caucasians in one-to-one matching scenarios.

“It has an obvious racial bias and that’s dangerous,” said Arroyo in a statement obtained by the National Public Radio (NPR). However, that is only one of his concerns; he fears that the adoption of such technologies would infringe on civil liberties, free speech, and activism.

The ban was passed even though city officials say that the Boston Police Department (BPD) hasn’t used the technology yet. However, the upgraded version of BriefCam, the video analysis software that is currently being used by the department, does have facial recognition capabilities. But in a recent working session, the BPD said that it would opt out of a software update that would enable it.

In a hearing that took place earlier this month, Boston Police Commissioner William Gross also echoed concerns about the reliability of the current technology, reiterating that the BPD wasn’t using it. “Until this technology is 100%, I’m not interested in it,” he added.

The police commissioner’s concerns are understandable, especially in light of the wrongful arrest of a black man in Detroit due to a false face recognition match. The American Civil Liberties Union (ACLU), which reported the incident, has lodged a complaint against the Detroit police over the arrest.

The ACLU has been a vocal opponent of facial recognition for quite some time, voicing its fears about the technology being abused and used as a surveillance tool. In 2018, for example, we wrote about the ACLU’s statement urging Amazon not to sell its Amazon Rekognition tool to law enforcement agencies. Late last year, the organization followed it up with a lawsuit against multiple government agencies that took aim at government contracts involving the use of both Rekognition and Microsoft’s Face API software. Just days ago, Amazon, Microsoft and IBM halted the sale of facial recognition to the police.

The technology has its advocates and detractors, with the question of privacy versus security often coming to the fore whenever a city contemplates allowing or banning the use of the technology by its agencies. ESET’s Chief Security Evangelist Tony Anscombe reflected on different aspects of facial recognition when San Francisco became the first US city to ban it. Since then a number of US cities, including Oakland, Cambridge and Berkeley, have followed suit. You can see what approach cities across the US have taken on this map.

25 Jun 2020 – 05:35PM

New ransomware posing as COVID‑19 tracing app targets Canada; ESET offers decryptor

ESET researchers dissect an Android app that masquerades as an official COVID-19 contact-tracing app and encrypts files on the victim’s device

New ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims.

CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert. The official app is due to be rolled out for testing in the province of Ontario as soon as next month.

ESET informed the Canadian Centre for Cyber Security about this threat as soon as it was identified.

Figure 1. One of the malicious distribution websites; the other one has identical design and differs only in its domain, covid19tracer[.]ca.

Once the user falls victim to CryCryptor, the ransomware encrypts the files on the device – all the most common types of files – but instead of locking the device, it leaves a “readme” file with the attacker’s email in every directory with encrypted files.

Fortunately, we were able to create a decryption tool for those who fall victim to this ransomware.

After we spotted the tweet that brought this ransomware to our radar (the researcher who discovered it mistakenly labeled the malware as a banking trojan), we analyzed the app. We discovered a bug of the type “Improper Export of Android Components” that MITRE labels as CWE-926.

Due to this bug, any app that is installed on the affected device can launch any exported service provided by the ransomware. This allowed us to create the decryption tool – an app that launches the decrypting functionality built into the ransomware app by its creators.


After launch, the ransomware requests to access files on the device. After obtaining that permission, it encrypts files on external media with certain extensions, which are shown in Figure 2.

Figure 2. File extensions to be encrypted

Selected files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created and the original file is removed. The encrypted file has the extension “.enc” appended; the algorithm also generates a salt unique to every encrypted file, stored with the extension “.enc.salt”, and an initialization vector, stored with the extension “.enc.iv”.

Figure 3. Files after encryption

After all the target files are encrypted, CryCryptor displays a notification “Personal files encrypted, see readme_now.txt”. The readme_now.txt file is placed in every directory with encrypted files.

Figure 4. File encryption notification (left) and contents of the readme_now.txt file (right)


The service responsible for file decryption in CryCryptor has the encryption key stored in shared preferences, meaning it doesn’t have to contact any C&C to retrieve it. Importantly, the service is exported without any restriction in the Android Manifest (security weakness CWE-926), which means it is possible to launch it externally.

Based on this, we created an Android decryption app for those affected with the CryCryptor ransomware. Naturally, the decryption app works only on this version of CryCryptor.
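The weakness that made the decryptor possible (CWE-926, an exported service with no permission guarding it, as described in the two paragraphs above on the exported decryption service) is something a reviewer can check for in any APK's AndroidManifest.xml before release or during triage. The following Python is an added example, not ESET's decryptor and not the ransomware's real manifest: the sample manifest, its package name and its component names are all constructed, and the only assumption about Android is the standard rule that a component with an intent-filter but no android:exported attribute is exported by default on targets below API level 31.

```python
"""Flag Android components that any other app on the device can invoke:
exported and not protected by a permission (CWE-926). Constructed example,
not ESET's decryptor and not the ransomware's real manifest; the sample
manifest and its component names are made up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) for every component that is exported, either explicitly
    or implicitly (no android:exported but an <intent-filter>, the default before
    API level 31), and that declares no android:permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = attr(comp, "exported")
        if exported is None:
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported.lower() == "true" and attr(comp, "permission") is None:
            findings.append((comp.tag, attr(comp, "name")))
    return findings


# Constructed sample manifest. The decrypt service is exported with no
# permission (the CWE-926 pattern), the encrypt service is not exported, and
# the admin service is exported but guarded by a signature-level permission.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <permission android:name="com.example.constructed.ADMIN"
              android:protectionLevel="signature"/>
  <application android:label="constructed sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".DecryptService" android:exported="true"/>
    <service android:name=".EncryptService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.constructed.ADMIN"/>
  </application>
</manifest>
"""

# The fix for a component that only the app itself should start: android:exported="false".
FIXED_MANIFEST = SAMPLE_MANIFEST.replace(
    'android:name=".DecryptService" android:exported="true"',
    'android:name=".DecryptService" android:exported="false"')

if __name__ == "__main__":
    print("sample:", find_unprotected_exports(SAMPLE_MANIFEST))
    print("fixed: ", find_unprotected_exports(FIXED_MANIFEST))
```

The launcher activity and a BOOT_COMPLETED receiver are expected to show up in the list, because they have to be exported to do their job; the finding that matters is any service, receiver or provider that the app never meant to expose, which is exactly how an unrelated app was able to start the ransomware's built-in decryption routine.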

A new ransomware family

The CryCryptor ransomware is based on open source code on GitHub. We discovered it there using a simple search based on the app’s package name and a few strings that looked unique.

The developers of the open source ransomware, who named it CryDroid, must have known the code would be used for malicious purposes. In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal service. While it’s unclear who uploaded the sample, it indeed appeared on VirusTotal the same day the code was published on GitHub.

Figure 5. The open source ransomware

We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.

We notified GitHub about the nature of this code.

ESET products provide protection against the CryCryptor ransomware, detecting it as Trojan.Android/CryCryptor.A. On top of using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store.

Timeline:

Jun 11, 2020: source code published – CryDroid v1.1
Jun 11, 2020: code uploaded to VirusTotal
Jun 12, 2020: first malicious domain that distributed this sample was registered
Jun 18, 2020: malicious app (this Android ransomware) was compiled (based on its certificate)
Jun 21, 2020: second malicious domain that distributed this sample was registered
Jun 23, 2020: ESET informs Canadian Center for Cyber Security
Jun 23, 2020: the two domains stopped responding

We have prepared a video that shows the process of encryption and decryption, along with our explanation.

Indicators of Compromise (IoCs)

Package name | Hash | ESET detection name
com.crydroid | 322AAB72228B1A9C179696E600C1AF335B376655 | Trojan.Android/CryCryptor.A

Distribution links


MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1476 | Deliver Malicious App via Other Means | The malware is downloaded from a fake website
Initial Access | T1444 | Masquerade as Legitimate Application | It impersonates a COVID-19 tracking app
Persistence | T1402 | App Auto-Start at Device Boot | It listens for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts
Impact | T1471 | Data Encrypted for Impact | Encrypts files with particular file extensions found on external media

24 Jun 2020 – 12:36AM

Majority of new remote employees use their personal laptops for work

And many of them didn’t receive any new security training or tools from their employer to properly secure the devices, a study finds

With the COVID-19 pandemic surging around the world, many companies have had to switch to a work-from-home policy to keep their employees safe. The rush to remote work didn’t come without risks; an IBM survey found that newly-minted remote workers actually present a significant cybersecurity risk – however, they may not be to blame.

Surveying more than 2,000 United States-based employees newly working from home, IBM found that even though eight in ten respondents were confident in their company’s ability to handle cyberthreats stemming from remote work, nearly half didn’t receive any additional cybersecurity training since going remote.

That’s a worrying state of affairs, since underestimating proper cybersecurity training for employees can eventually backfire. ESET Chief Security Evangelist Tony Anscombe described the problem succinctly in his article on the COVID-19-powered shift to remote work: “Don’t assume that all employees can switch to remote working effectively and with little assistance or guidance. Home is not the office and they may need significant assistance to adapt.”

The switch has also impacted the way companies go about conducting their daily activities, including meetings. “The rapid shift to working from home has also changed the ways many organizations do business from moving face-to-face meetings to video conferencing calls to adding new collaboration tools—yet the survey showed many employees are lacking guidance, direction, and policies,” said IBM in a press release.

Over half of the respondents said they participate in one to five videoconference calls per week, with an additional 20% saying that they participate in six to ten such meetings per week. Yet over half of them said that their employer had not introduced new cybersecurity policies around videoconferencing, or were unsure whether it had.

While conducting meetings over videoconference calls adheres to social distancing rules and keeps everyone safe, from the virus at least, there should be policies and rules in place to keep the calls safe as well. Topics discussed over conference calls vary and can include a whole range of confidential information, and may even necessitate file transfers, so you want to prevent intruders from getting unauthorized access. There are therefore several things you should consider before hopping on a conference call, including making sure that no sensitive information is visible on camera and that your call is secured by a password and, ideally, end-to-end encrypted. You can read up on all our recommendations on secure videoconferencing while working from home.

Since we’ve already mentioned encryption, we’d be remiss in omitting another important step towards keeping your work data secure – a virtual private network (VPN). It encrypts your internet traffic and gives you access to data you would otherwise only be able to reach on your company’s network. Most companies set up the connection between the main office and your remote workspace through their IT department; however, if your company doesn’t have an IT department, you can do it yourself, and it is worth it for the added security.

Although IBM’s survey may call into question the approach companies take to working-from-home cybersecurity practices, it is worth noting that everything had to be done on the fly, since nobody could have planned for the pandemic. Although that is no excuse, companies can patch up the holes in their security by arranging for proper security training for their employees, providing secure remote access, as well as adding an extra layer of security using multi-factor authentication.

ESET has been here for you for over 30 years. We want to assure you that we will be here in order to protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.

23 Jun 2020 – 09:04PM

Scam uses Elon Musk’s name to trick people out of US$2 million in bitcoin

The giveaway scheme uses the tech titan’s name as part of Bitcoin addresses for extra credibility

Cryptocurrency giveaway scams – including those impersonating Tesla and SpaceX boss Elon Musk – have been making the rounds for quite a few years now. The newest trick up the fraudsters’ sleeves involves name-dropping Musk into the Bitcoin address itself, which has helped them fleece victims out of more than US$2 million worth of bitcoin over the past two months.

In order to make their ruse seem more trustworthy, con artists use Bitcoin vanity addresses that incorporate a custom element or word into the address itself. In this case, it’s the name of the South African-born tech titan: “1MuskSEYstWetqTFn5Au4m4GFg7xJaNVN2” or “1ELonMUskSEYstWetqTFn5Au4m4GFg7xJaNVN2”.
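The following Python check is an added example, not part of the original article nor of Adaptiv’s or ZDNet’s tooling. It screens a Bitcoin address the way a moderation or fraud-triage pipeline might: it verifies the Base58Check checksum and the version-0 (P2PKH) payload length, and flags addresses that embed a watched name. The watch-word list is constructed for illustration; the well-known genesis-block coinbase address is used only as a known-valid reference.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Constructed watch list of names the article says scammers embed in addresses.
WATCH_WORDS = ("musk", "elon", "tesla", "spacex")


def base58check_decode(address):
    """Decode a Base58Check string; return the payload bytes (version byte plus
    data) or None if a character is invalid or the 4-byte checksum fails."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a leading zero byte that the integer form drops.
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if expected == checksum else None


def is_valid_p2pkh(address):
    """True only for a well-formed mainnet pay-to-pubkey-hash address:
    version byte 0x00 followed by a 20-byte hash, with a good checksum."""
    payload = base58check_decode(address)
    return payload is not None and len(payload) == 21 and payload[0] == 0x00


def embedded_names(address):
    """Watch words found inside the address, case-insensitively."""
    lower = address.lower()
    return [w for w in WATCH_WORDS if w in lower]


def screen_address(address):
    """Triage summary: a malformed address is a hard reject; an address that
    embeds a celebrity name is a signal to look at the surrounding post."""
    return {"valid": is_valid_p2pkh(address), "names": embedded_names(address)}


if __name__ == "__main__":
    for addr in ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",   # genesis coinbase address
                 "1MuskSEYstWetqTFn5Au4m4GFg7xJaNVN2"):   # quoted in the article
        print(addr, screen_address(addr))
```

A name inside an address is not proof of fraud on its own (vanity addresses are legitimate), so the name flag is best combined with the context in which the address was posted; the checksum test, by contrast, rejects anything that could never receive funds.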

The crooks then ask people to send digital cash to a bitcoin address under the promise of doubling the sum as part of a giveaway. However, as you might’ve guessed, the victim won’t see any of their cryptocurrency ever again.

Justin Lister, CEO of cyber-security firm Adaptiv, who has been tracking the bitcoin addresses misusing Musk’s name over the past month, said he was able to track down 66 such addresses. Speaking to ZDNet, he said he was able to identify the addresses with the aid of BitcoinAbuse, a public database of bitcoin addresses used by scammers, hackers, and various other cybercriminals. According to Lister, the 66 addresses have received over 201 Bitcoin since their creation in April 2020.

ZDNet was able to identify an additional 67th address, which has received another 13.9 Bitcoin, bringing the total to some 215 Bitcoin. Based on today’s exchange rate, this is equivalent to US$2.03 million.

One of the ways these giveaway scams are organized is through hijacked YouTube accounts with a large number of followers. These accounts are then rebranded to take the guise of a celebrity or brand to bolster their credibility and a giveaway live stream is launched citing an important milestone as a reason for the event. One such event occurred recently, when SpaceX became the first private company to launch astronauts into orbit.

Although YouTube is one of the more popular channels through which these scams are organized, it is by far not the only one. Cybercriminals have been known to utilize other social media to spread their scams, including Twitter, which they use to amplify the reach of their scams using bot networks.

Giveaway scams abusing Elon Musk’s name or companies, as well as other well-known figures such as Bill Gates, are nothing new. They have even provoked the ire of Musk himself, who took to Twitter to share his feelings about the issue earlier this year.

The crypto scam level on Twitter is reaching new levels. This is not cool.

— Elon Musk (@elonmusk) February 1, 2020

ESET cybersecurity specialist Jake Moore recommends doing your due diligence if you are considering participating: “I suggest all users do background checks as far as they can including reviews and then further research into the account itself before parting with any money. This isn’t a case of ‘if it’s too good to be true, it probably is’, it’s a case of merely don’t be too quick to click.”

22 Jun 2020 – 05:37PM