17 July 2020 | Asia Cyber Summary


Blackpanda Origin Story:

Blackpanda CEO and Co-founder, Gene Yu, tells Blackpanda’s origin story from its creation in 2015. While our history is grounded in US Special Forces and crisis response roots, Blackpanda has adjusted its security focus over the years from physical to cyber, with human actors remaining at the core of security. Read the full story on Blackpanda origins and evolution here.


In the spotlight this week:

• American Twitter accounts hacked in Bitcoin scam

• Microsoft releases patch to remediate 17-year-old bug

• Firefox on Android: cameras remain active when the phone is locked or users switch apps

JUL 16, 2020 | Major US Twitter Accounts Hacked In Bitcoin Scam

A Twitter insider was responsible for a wave of high-profile account takeovers on Wednesday. High-profile accounts, including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama, Uber, and Apple, tweeted cryptocurrency scams in an apparent hack. According to a source, the hacker “used a rep that literally did all the work for us”. A second source added that they paid the Twitter insider. The accounts were taken over using an internal tool at Twitter, according to the sources.


Sources: https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos and https://www.bbc.com/news/technology-53425822

JUL 16, 2020 | SIGRed – Resolving Your Way Into Domain Admin: Exploiting A 17-Year-Old Bug In Windows DNS Servers

On the 14th of July, Microsoft released a patch to remediate a 17-year-old fault in their DNS server implementation. The fault has been codenamed SIGRed (CVE-2020-1350) and has the potential to be automated into a worm that could rapidly propagate throughout the internet. Successful exploitation of this fault takes place through a crafted DNS response packet and grants the attacker Domain Administrator rights, which puts the entire corporate domain at risk.

Source: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

JUL 15, 2020 | Firefox On Android: Camera Remains Active When Phone Is Locked Or The User Switches Apps

The bug was first spotted and reported to Mozilla a year ago in July 2019 by an employee of video delivery platform Appear TV. The bug manifests itself when users choose to stream videos from a website loaded in Firefox instead of a native app. "This bug [fix] aims to address this by defaulting to audio-only when the screen is locked," Mozilla said. "[The fix] is scheduled for release at the platform-level this October, and for consumers shortly after."

Source: https://www.zdnet.com/article/firefox-on-android-camera-remains-active-when-phone-is-locked-or-the-user-switches-apps/#ftag=RSSbaffb68

JUL 15, 2020 | Financially Motivated Actors Are Expanding Access Into OT: Analysis Of Kill Lists That Include OT Processes Used With Seven Malware Families

Financially motivated threat actors have been observed adding capabilities targeting operational technology (OT) to their ransomware families. Mandiant identified OT process names within samples from at least six ransomware families (DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim, and SNAKEHOSE), all of which have been associated with high-profile incidents impacting industrial organizations over the past two years.

Source: https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

JUL 15, 2020 | Phone of Top Catalan Politician Targeted by Government-Grade Spyware

Sergi Miquel, a top Catalan politician, was in Belgium when targeted. The targeting of a telephone with NSO's spyware in Belgium, another EU country, clearly indicates the need for an urgent European Union examination of the circumstances of these cases. All cases confirmed thus far used the same technique, leveraging missed video calls from WhatsApp in April-May 2019. WhatsApp blocked the targeting shortly after it was discovered by Citizen Lab.

JUL 15, 2020 | PoC Exploits Released For SAP Recon Vulnerabilities

Exploits released on GitHub take advantage of a remote code execution (RCE) vulnerability in SAP’s NetWeaver AS Java component. When exploited, it allows an attacker to gain full, unauthenticated remote access to vulnerable systems. The attacker can then use this foothold to launch attacks within the corporate network. Active reconnaissance scans for this vulnerability have been observed. A patch was released on July 13th. Due to the potential impact and the ease of use of the exploit, it is recommended that affected clients using SAP implement the patch immediately.

Source: https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-sap-recon-vulnerabilities-patch-now/

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.