October 19, 2020
David Redekop

This Week In Nerd News – October 19, 2020

Your weekly top 5 technical and security issues Nerds should pay attention to:

This new malware uses remote overlay attacks to hijack your bank account.

In case it isn’t obvious, both the Remote Access Trojan and the malicious software installation are prevented 100% with zero trust controls.

Researchers have uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders.

Read More: This new malware uses remote overlay attacks to hijack your bank account 

This high-profile eCrime group operates multiple ransomware families and has recently been observed developing new tools and modifying existing ones.

Speaking of the original creators of Trickbot.

WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking malware. This Russia-based eCrime group originally began deploying TrickBot for the purpose of conducting financial fraud in 2016, but has since evolved into a highly capable group with a diverse and potent arsenal, including Ryuk, Conti and BazarLoader. Their toolset covers the entirety of the kill chain, from delivery to post-exploitation tools and big game hunting (BGH) ransomware, enabling them to conduct a wide range of criminal activities against enterprise environments.

Read More: WIZARD SPIDER Update: Resilient, Reactive and Resolute

The Ryuk threat actors are actively exploiting ZeroLogon (CVE-2020-1472).

Nice to see such a clean breakdown. $1/mo Patreon gets you the full report. DTTS stops this attack at every level, just saying.

The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial phish. They used tools such as Cobalt Strike, AdFind, WMI, and PowerShell to accomplish their objective.

Read More: Ryuk in 5 Hours

Shady deals: The destructive relationship between network access sellers and ransomware groups.

In hindsight, we should have seen this coming. The sale of network access really needs to be treated like an insider threat.

Ransomware groups are taking advantage of opportunities to purchase network access on dark web forums to quickly compromise networks across a variety of industries and unleash their disabling malware. Network Access Sellers’ expertise lies in the ability to gain corporate and government network access, which they then sell to other cyber-crime groups for a handsome profit. These cyber-crime groups can use purchased network access to slash the typical difficult requirement of gaining initial access, establishing persistence, and moving laterally across a network.

Read More: Shady deals: The destructive relationship between network access sellers and ransomware groups

Announcing Global Privacy Control: Making it Easy for Consumers to Exercise Their Privacy Rights.

Steve Gibson does a deep dive on SecurityNow Episode #788. Very cool development for the benefit of everyday people.

Announcing Global Privacy Control: Making it Possible for Consumers to Easily Exercise Their “Do Not Sell” Rights Under CCPA

Read More: Announcing Global Privacy Control: Making it Easy for Consumers to Exercise Their Privacy Rights

Did you know?

The story I shared last week, of going to the police station to review an incident, was about a Network Access Seller of a Nerds On Site Meraki Dashboard.