TrickBot’s Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.
TrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.
TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network’s devices as a final attack.
At the end of 2019, both SentinelOne and NTT reported a new TrickBot framework called Anchor that utilizes DNS to communicate with its command and control servers.
Named Anchor_DNS, the malware is used on high-value, high-impact targets with valuable financial information.
In addition to the ransomware deployments via Anchor infections, the TrickBot Anchor actors also use it as a backdoor in APT-like campaigns that target point-of-sale and financial systems.
TrickBot’s Anchor backdoor malware is ported to Linux
Historically, Anchor has been Windows malware. A new sample recently discovered by Stage 2 Security researcher Waylon Grange shows that Anchor_DNS has been ported to a Linux backdoor version called ‘Anchor_Linux.’
Advanced Intel’s Vitali Kremez analyzed a sample of the new Anchor_Linux malware found by Intezer Labs.
Kremez told BleepingComputer that, when installed, Anchor_Linux will configure itself to run every minute using a crontab entry.
Microsoft has set the official retirement date for the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in Office 365 as October 15, 2020, after temporarily halting deprecation enforcement for commercial customers due to COVID-19.
Google will update its Google Ads Enabling Dishonest Behavior policy to globally ban advertising for spyware and surveillance technology known as stalkerware, starting August 11, 2020.
Stalkerware allows third parties to monitor a person’s mobile device without their knowledge and to collect sensitive information about the user’s location and online activity, which can later be used for blackmail or other malicious purposes.
The U.S. Federal Communications Commission (FCC) today formally designated the Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE) as national security threats to the integrity of U.S. communications networks or the communications supply chain.
The FCC’s Public Safety and Homeland Security Bureau also says that the two Chinese companies’ parents, affiliates, and subsidiaries are considered security threats as well.
The orders designating the two companies as national security threats are available in full for both Huawei and ZTE.
Hackers are always evolving their tactics to stay one step ahead of security companies. A perfect example of this is the hiding of malicious credit card-stealing scripts in the EXIF data of a favicon image to evade detection.
The stolen credit card data is then sent back to a server under the control of the threat actors, where it is collected and used for fraudulent purchases or sold on dark web criminal markets.
These types of attacks are called Magecart and have been used against the websites of well-known companies such as Claire’s, Tupperware, Smith & Wesson, Macy’s, and British Airways.
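As an added defender-side example (not from the original article or from any researcher it cites), the following Python scanner walks a JPEG’s marker segments and flags script-like text inside APPn/COM metadata, which is where EXIF-stuffed skimmer code like the favicon case above would sit. It assumes the image is a JPEG and builds its own constructed sample files; the pattern list is a heuristic, not a verdict.

```python
import re
import struct

# Strings that have no business in image metadata; a hit warrants a closer look
# at the image, not an automatic verdict (heuristic chosen for this example).
SCRIPT_MARKERS = re.compile(
    rb"(<script|eval\(|function\s*\(|document\.|window\.|atob\(|fromCharCode)", re.I)

def iter_jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before the scan data (SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:          # SOS: entropy-coded image data follows, stop here
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_script_in_metadata(data):
    """Return [(segment, matched_text)] for script-like text in APPn/COM segments."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:   # APP0..APP15 (Exif is APP1) or COM
            m = SCRIPT_MARKERS.search(payload)
            if m:
                name = "COM" if marker == 0xFE else "APP%d" % (marker - 0xE0)
                hits.append((name, m.group(0).decode("latin-1")))
    return hits

def make_jpeg(app1_text):
    """Build a minimal, constructed JPEG: SOI, one APP1 (Exif) segment, SOS, EOI."""
    app1 = b"Exif\x00\x00" + app1_text
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return b"\xff\xd8" + segment + b"\xff\xda\x00\x02" + b"\xff\xd9"

# Constructed samples: a benign copyright notice and one carrying a harmless script
# tag in the spot where a skimmer would hide its code. Neither is a real favicon.
CLEAN_IMAGE = make_jpeg(b"Copyright 2020 Example Corp")
TAGGED_IMAGE = make_jpeg(b"Copyright 2020 <script>console.log('marker')</script>")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("tagged", TAGGED_IMAGE)):
        print(label, find_script_in_metadata(image) or "no script-like metadata")
```

Real favicons may be PNG or ICO rather than JPEG, so a production check would dispatch on file type before applying the same metadata-text heuristic.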
A Thanos ransomware campaign targeting mid-level employees of multiple organizations from Austria, Switzerland, and Germany was met by the victims’ refusal to pay the ransoms demanded to have their data decrypted.
Thanos ransomware is a Ransomware-as-a-Service (RaaS) operation advertised on Russian-speaking hacker forums that allows affiliates to customize their own ransomware through a builder offered by the developer.
While some Thanos ransomware samples have previously been tagged as the ransomware strain dubbed Hakbit, because of the different encryption extensions used by affiliates, Recorded Future’s Insikt Group says that they are the same malware.
“Based on code similarity, string reuse, and core functionality, Insikt Group assesses with high confidence that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros,” Insikt Group said in early June.
Zoom’s CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.
“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” Yuan said.
Plex has patched and mitigated three vulnerabilities affecting Plex Media Server for Windows that could enable attackers to take full control of the underlying system when chained together.
Plex Media Server is a desktop app and the backend server for the Plex media streaming service, designed for streaming movies, TV shows, music, and photo collections over the Internet and on local area networks.
The three vulnerabilities, tracked as CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742, were found by Tenable security researcher Chris Lyne and reported to Plex on May 31st.
If attackers chain together exploits for all three security flaws, they could remotely execute code as SYSTEM, fully taking over the operating system, gaining access to all files, deploying backdoors, or moving laterally to other devices on the same network.
The Plex Security Team rolled out patches for CVE-2020-5740 on April 24 and for CVE-2020-5741 on May 7, and mitigated CVE-2020-5742 via server-side changes.
VideoLan has released VLC Media Player 3.0.11, and it is now available for Windows, Mac, and Linux. In addition to bug fixes and improvements, this release also fixes a security vulnerability that could allow attackers to remotely execute commands or crash VLC on a vulnerable computer.
This vulnerability is tracked as CVE-2020-13428 and is a “buffer overflow in VLC’s H26X packetizer” that would allow attackers to execute commands under the same security level as the user if properly exploited.
According to VideoLan’s security bulletin, this vulnerability can be exploited by creating a specially crafted file and tricking a user into opening it with VLC.
While VideoLan states that this vulnerability will most likely crash the player, they warn that it could be used by a remote attacker to execute commands under the security level of the user.