Last week in security news, the world learned of new WhatsApp vulnerabilities that allowed a threat actor to intercept and manipulate messages exchanged in private chats and group conversations. Researchers also spotted a new version of a fast-growing ransomware family along with a wiper sample that masqueraded as crypto-ransomware. Lastly, plenty of new malware campaigns and techniques emerged throughout the week.
Top Story of the Week: WhatsApp Vulnerabilities
Check Point Research revealed that it had notified WhatsApp of three vulnerabilities near the end of 2018. The team found that digital attackers could abuse the flaws to intercept and manipulate users’ messages in 1 of 3 ways:
- Use the “quote” feature to change the identity of a sender
- Alter the text of someone’s response
- Send a public message disguised as a private conversation so the recipient’s response would be visible to other users.
WhatsApp fixed the third issue after Check Point Research informed the encrypted messaging service of its findings. However, the team found that the first and second exploitation channels were still available as of early August 2019.
Also in Security News
- Industrial Control Systems Under Attack From HEXANE: Dragos observed a new threat group called HEXANE targeting oil and gas companies located in the Middle East using general IT themes and novel detection evasion schemes. The firm also observed the group targeting telecommunications providers in the Middle East, Central Asia and Africa, presumably in an attempt to lay the groundwork for future network-based attacks.
- New Version of MegaCortex Ransomware Released: In early August, Accenture spotted a new version of MegaCortex ransomware that uses anti-analysis features to evade detection. The threat also came with a hardcoded password, a technique that enables its handlers to target a larger number of users.
- Trickbot Delivered via Obfuscated JS File: Researchers at Trend Micro detected a Trickbot campaign that used spam emails to deliver a malicious Microsoft Word document. This file, in turn, used a heavily obfuscated JS file to download a Trickbot payload.
- New GermanWiper Malware Masquerades as Ransomware: On July 30, Bleeping Computer learned of a new malware family called GermanWiper after users began posting about it on its forums. The malware demanded a ransom from its victims, but they couldn’t recover their information even if they paid, since the threat overwrote their files’ data with ones and zeros.
- Attackers Using SystemBC to Mask C&C Traffic: In the beginning of June, Proofpoint observed both the Fallout and RIG exploit kits delivering a new proxy malware family called SystemBC. This malware used a SOCKS5 proxy to mask traffic pertaining to command-and-control (C&C) infrastructure that used HTTP connections for banking Trojans like Danabot.
- Lokibot Variant Comes With New Tricks: In summer 2019, Trend Micro found a new Lokibot variant when it notified a Southeast Asian company of a potential threat. This version used an autostart registry that pointed to a VBS file as a persistence mechanism, and also came with the ability to use steganography so that it could reference information during its unpacking routine.
- Phishers Targeting U.S. Utility Organizations: At the end of July, Proofpoint detected a phishing campaign in which digital attackers masqueraded as the National Council of Examiners for Engineering and Surveying (NCEES). They used this disguise to download LookBack malware on victims’ devices.
Security Tip of the Week: Take Data Protection to the Next Level
The rise of destructive malware such as GermanWiper and MegaCortex v2 highlights the need for organizations to protect their data against digital threats. Security professionals can help their employers do this by creating an accurate inventory of data sources and monitoring those assets that contain personal information for suspicious activity. Security teams should couple these processes with an ongoing security awareness training program that educates employees of phishing attacks and other social engineering threats.