SIGRed: Wormable Remote Code Execution in Windows DNS Server

Researchers at Check Point discovered a 17-year-old wormable, critical vulnerability in the Windows DNS server, named SIGRed, that can be triggered by a malicious DNS response. Microsoft urges sysadmins to patch their servers as quickly as possible.

SIGRed: a 17-year-old vulnerability affecting Windows Server versions 2003 to 2019

The new bug scores 10 out of 10 on the CVSS scale. The remote code execution flaw (CVE-2020-1350), dubbed SIGRed, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure: the DNS service runs as SYSTEM, and in most Active Directory environments it runs on the domain controllers themselves. Any organization running Windows DNS Server is at serious risk until it patches, because a single compromised server can lead to a breach of the entire corporate network.

Attackers could exploit SIGRed by sending crafted DNS queries to a Windows DNS server that make it look up a domain under the attacker's control and then mishandle the malicious response it receives, achieving arbitrary code execution. That enables the attacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and much more.

The SIGRed flaw is "wormable", which means that an attack can spread from one vulnerable server to another without any human interaction. Attackers therefore need only one vulnerable machine to spread throughout the whole network.

Microsoft shipped a fix in its July Patch Tuesday release. The same release also includes security updates for 122 other vulnerabilities, 18 of them rated critical. Microsoft found no evidence that the bug has been actively exploited by attackers, but users are advised to install the patches immediately.
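For admins who cannot reboot a DNS server the same day, Microsoft also published an interim registry workaround alongside the advisory (KB4569509): capping the DNS service's maximum TCP packet size by setting the DWORD `TcpReceivePacketSize` to `0xFF00` under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters` and restarting the DNS service. The script below is an added example written for this newsletter, not code from Check Point or Microsoft; it audits that value on a Windows DNS server and applies the workaround if asked to. The function names `Test-SigRedWorkaround` and `Set-SigRedWorkaround` are our own. Run it in an elevated PowerShell session on the server itself.

```powershell
# Added example: audit/apply Microsoft's interim SIGRed (CVE-2020-1350) registry
# workaround. Registry path, value name and value are the ones documented by
# Microsoft; the function names are this example's own.

$DnsParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName    = 'TcpReceivePacketSize'
$SafeValue    = 0xFF00   # 65,280 bytes; the service default is 0xFFFF

function Test-SigRedWorkaround {
    # Reports whether this host runs the DNS Server role and whether the
    # workaround value is present and at or below the documented cap.
    $dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $dnsService) {
        return [pscustomobject]@{
            DnsRoleInstalled  = $false
            WorkaroundApplied = $false
            CurrentValue      = $null
        }
    }

    $item    = Get-ItemProperty -Path $DnsParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.$ValueName } else { $null }

    [pscustomobject]@{
        DnsRoleInstalled  = $true
        WorkaroundApplied = ($null -ne $current -and $current -le $SafeValue)
        CurrentValue      = $current
    }
}

function Set-SigRedWorkaround {
    # Writes the DWORD (creating or overwriting it) and restarts the DNS Server
    # service so the new limit takes effect.
    New-ItemProperty -Path $DnsParamsKey -Name $ValueName `
        -PropertyType DWord -Value $SafeValue -Force | Out-Null
    Restart-Service -Name DNS
}

$state = Test-SigRedWorkaround
$state | Format-List

if ($state.DnsRoleInstalled -and -not $state.WorkaroundApplied) {
    Write-Warning "TcpReceivePacketSize is not capped on this DNS server."
    Write-Warning "Install the July 2020 update, or run Set-SigRedWorkaround as a stopgap."
}
```

Two caveats a practitioner will want: the cap means the server can no longer process legitimate TCP DNS responses larger than 65,280 bytes, and it is a stopgap, not a fix, so the value should be reverted once the July update is installed and the server rebooted.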


A targeted attack on the most prominent Twitter users: Elon Musk's and Bill Gates' accounts hijacked to promote a crypto scam

The verified accounts of Gates, Musk, Apple and Barack Obama posted tweets promoting a cryptocurrency scam, asking followers to send money to a bitcoin address in exchange for a larger payback.

Image: ZDNet

After detecting the scam, Twitter blocked the accounts used to promote it from tweeting. Most of the hijacked accounts have since been restored and the scam posts removed. Even so, the bitcoin address mentioned in most of the tweets collected more than $100,000 from hundreds of transactions.

How was the hack carried out? The most popular theories are that the attackers breached the account of a high-ranking Twitter employee, or that they found a zero-day and used it to bypass the site's authentication. What we know for sure: Twitter confirmed that its internal tools were used in the attack, and that the attack was enabled by social engineering. The scammers targeted a few employees with access to internal systems and tools. The investigation is still open, so more details will probably be available soon.

Some of the breached accounts identified so far:

Bill Gates, Elon Musk, Jeff Bezos, Joe Biden, Barack Obama, Mike Bloomberg, Warren Buffett, Apple, Kanye West, Wiz Khalifa, Kim Kardashian, Floyd Mayweather, Uber, CoinDesk, Binance, Bitcoin, Gemini.


BlackRock – a new Android banking trojan steals credentials and credit card data from 337 apps

Security experts from ThreatFabric have discovered a new Android banking trojan dubbed BlackRock that steals credentials and credit card data from a list of 337 apps.

It borrows the code from the Xerxes banking malware, which is a strain of the popular LokiBot Android trojan.

Unlike other banking trojans, BlackRock also targets a number of non-financial Android apps, most of them social, communication and dating platforms. The malware poses as a Google update, camouflaging itself as "Google Update". Once launched on the device, it first hides its icon from the app drawer and then asks the victim for Accessibility Service privileges.

"Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. Those additional permissions are required for the bot to fully function without having to interact any further with the victim," says an expert from ThreatFabric.

Of the targeted apps, 226 are attacked to steal account credentials, including Gmail, Google Play services, Uber, Amazon, Netflix and Outlook.

The target list also includes cryptocurrency wallet applications (e.g. Coinbase and BitPay) and banks (e.g. Santander, Barclays, Lloyds, ING and Wells Fargo).


Microsoft 365 users targeted by a new phishing campaign using fake Zoom notifications

Microsoft Office 365 users are being targeted by a brand new phishing campaign that aims to steal their credentials.

The phishing emails spotted by Abnormal Security’s researchers spoof an official Zoom email address and are designed to impersonate a legitimate automated Zoom notification.

The spoofed sender address and an email body almost free of grammar errors or typos (apart from an obvious "zoom" where "Zoom account" was meant) make these phishing messages more convincing and potentially a lot more effective.

Image: BleepingComputer

Targets are warned that their Zoom account has been temporarily suspended and that they will not be able to join any calls or meetings until they re-activate it by clicking an activation button embedded in the message.

Once they click the "Activate Account" button, recipients are redirected, via an intermediary hijacked website, to a fake Microsoft login page that asks for their Outlook credentials in a form designed to send the account details to attacker-controlled servers.

Victims who fall for the trick hand over Microsoft credentials that are then used to take full control of their accounts; everything in those accounts is ripe for the picking and can later be used as part of identity theft and fraud schemes such as Business Email Compromise (BEC) attacks.

According to the stats provided by Abnormal Security, the email security company whose researchers spotted the ongoing attacks, the phishing campaign impersonating automated Zoom account-suspension alerts has so far landed in more than 50,000 mailboxes.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. New Mirai variant includes exploit for a flaw in Comtrend Routers (Security Affairs)
2. TrickBot Malware Warning Victims of Infection by Mistake (The State of Security)
3. Malware campaign attempts to evade analysis with Any.Run sandbox (Security Affairs)
4. Critical SAP Recon flaw exposes thousands of customers to attacks (Bleeping Computer)
5. A hacker is selling details of 142 million MGM hotel guests on the dark web (ZDNet)
6. New AgeLocker Ransomware uses Googler’s utility to encrypt files (Bleeping Computer)
7. Chrome 84 released with support for blocking notification popups on spammy sites (ZDNet)
8. WhatsApp is down, users reporting worldwide outage (Bleeping Computer)
9. Adobe Discloses Critical Code-Execution Bugs in July Update (Threatpost)
10. Android chat app uses public code to spy, exposes user data (Bleeping Computer)