At a glance.
- Password manager vulnerabilities reported.
- Sodinokibi ransomware gang releases stolen personal data.
- Bogus coronavirus appeal distributes Redline Stealer.
- Spoofed WHO communication is a HawkEye info-stealer vector.
- Epidemiology versus privacy?
Popular password managers can be induced to leak their contents.
Researchers at the University of York tested commercial password managers LastPass, Dashlane, Keeper, RoboForm, and 1Password against various known or proof-of-concept threats and found vulnerabilities in all of them. "In general we found all the five vendors quite responsive. However, only a few disclosures resulted in a fix to be rolled out," the researchers write, probably because the vendors didn't assess the risk as being particularly high. "This was due to many of the disclosed issues being classified as low priority."
Sodinokibi ransomware operators release data stolen from an uncooperative victim.
Third-party cyber risk intelligence shop Cyble has told BleepingComputer they've found files apparently stolen by the Sodinokibi ransomware gang for sale and distribution online. The information, which apparently came from a professional services firm that declined to pay the ransom demanded for decryption of its files, included user names, passwords, credit card statements, what appears to be tax information, and more data. Much of the data stolen in this case appears to be personal. The incident offers further evidence, if any more were needed, that ransomware attacks should now routinely be treated as data breaches. It also affords confirmation that there's a ready black market for such data.
The Redline information-stealer is being distributed by a spoofed appeal for Folding@home.
Russian-speaking criminals are distributing appeals to download Folding@home, a legitimate app that lets participants donate CPU and GPU cycles to various drug discovery projects. The appeal, say researchers at Proofpoint, is coronavirus-themed, inviting the marks to help research toward treatments for COVID-19. The app offered isn't, however, Folding@home, but rather the Redline information-stealer. Once installed, Redline will collect and report the victim's credentials, autocomplete data, credit cards, geolocation, hardware configuration, and security software installed. Recent versions of Redline being hawked in dark web souks claim it now has the ability to loot alt-coin wallets.
Redline Stealer is very much commodity malware. For $150 you can have the "lite" version; $200 will get you the "pro" version. It can be had as either a one-time purchase or a monthly subscription. The phishing appeal is relatively unconvincing, bearing typos (like "Folding@Thome") and a customary uncertainty about capitalization and articles, but it will no doubt find its marks.
HawkEye spyware gets a World Health Organization vector.
IBM has found that hoaxed communiques pretending to be from the World Health Organization are vectors for HawkEye malware. HawkEye includes a keylogger, and it also has screenshot and credential-stealing functionality.
Government data collection on COVID-19 continues to raise privacy concerns.
Governments continue to look for ways of tracking COVID-19 infections and exposure. The Telegraph reports that the British Government is in talks with mobile provider O2 over a project that would use geolocation data to inform models of disease transmission. In the US, NBC News describes a similar US Government effort to use anonymized, aggregated user data to monitor the coronavirus' spread. Privacy advocates are uncomfortable with such programs, fearing that anonymous and aggregated data could become disaggregated and de-anonymized. Google, the Hill says, has announced that it doesn't intend to share such data with the Government.