At a glance.
- Fake Chrome update installs information-stealing malware.
- GE's HR data incident.
- Oski info-stealer delivered in last stage of a DNS-hijacking campaign.
Bogus "Google Chrome Update" installs a backdoor.
Doctor Web reports that bad actors are using redirection from compromised WordPress sites to drive traffic to phishing sites where visitors are offered a "Google Chrome Update." The update is bogus. What the visitors in fact wind up installing is a backdoor. The campaign is geographically targeted, looking for victims in the US, Canada, Australia, Great Britain, Israel and Turkey. The file the compromised sites serve has a valid digital signature that Doctor Web says is identical to the signature of a fake NordVPN installer the same criminal group distributed earlier. Three of the payloads delivered through the backdoor are the keylogger X-Key, Predator The Thief (an information stealer), and a Trojan that establishes remote control over the RDP protocol.
Google has suspended Chrome updates for, essentially, the duration of the COVID-19 pandemic, which ought to put people on their guard. But in fairness to everyone gulled by a "Google Chrome Update," that sort of announcement tends to be the kind of IT inside baseball easily overlooked by most ordinary users.
More on the third-party exposure of GE employees' personal data.
Threatpost has a follow-up account of the human-resources data breach General Electric partner Canon Business Process Services sustained. In addition to the usual sorts of PII (driver’s licenses, passports, tax withholding forms, names, addresses, Social Security numbers, bank-account numbers, dates of birth, etc.) the files lost covered such matters as divorces, certificates of death and marriage certificates, benefits information (this included beneficiary designation forms, applications for retirement, severance, and death benefits), medical child-support orders, and direct-deposit forms. Canon has now secured its systems, GE said in its disclosure statement, but how the attack was accomplished is still unclear, and remains under investigation.
Info-stealing campaign uses DNS hijacking to redirect victims to phishbait.
Bitdefender yesterday reported discovering an attack campaign that’s changing DNS settings on home routers to redirect traffic to a site that purports to be an alert from the World Health Organization. The bogus WHO note urges those redirected there to download an app that will give them “the latest information and instructions about coronavirus (COVID-19).” Doing so in fact installs the Oski info-stealer. The information-stealing is the privacy angle.
The attack begins by brute-forcing vulnerable routers (mostly Linksys and D-Link devices) to get management credentials. The next step is altering the routers' DNS server addresses and redirecting a specific set of pages or domains to the phony WHO site. The malware is stored in Bitbucket, and TinyURL is used to conceal the Bitbucket link. The final stage is delivery of the malicious payload. ZDNet advises checking your router's admin panel for 109.234.35.230 and 94.103.82.249. If either appears, remove it, and then change the administrative password.
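As an added defender's check (not code from Bitdefender's or ZDNet's reporting), the snippet below parses a resolv.conf-style nameserver list and flags the two resolver addresses ZDNet names; the private/public classification is an added heuristic, and the sample resolv.conf is constructed.

```python
import ipaddress
import re

# Resolver addresses ZDNet advises checking the router admin panel for
# (taken from the reporting above; not an exhaustive indicator list).
HIJACK_RESOLVERS = frozenset({"109.234.35.230", "94.103.82.249"})

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return NAMESERVER_RE.findall(text)


def classify_resolvers(resolvers, known_bad=HIJACK_RESOLVERS):
    """Sort resolver addresses into known-bad, private (LAN/router) and public.

    A private address usually means the host forwards queries to the router
    itself, so the router's own upstream DNS setting must be inspected too.
    A public resolver is not bad by itself, but one nobody set deliberately
    deserves a look.
    """
    result = {"bad": [], "private": [], "public": [], "invalid": []}
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["invalid"].append(addr)
            continue
        if addr in known_bad:
            result["bad"].append(addr)
        elif ip.is_private or ip.is_loopback or ip.is_link_local:
            result["private"].append(addr)
        else:
            result["public"].append(addr)
    return result


def hijack_suspected(text, known_bad=HIJACK_RESOLVERS):
    """True if any listed nameserver matches a known hijack resolver."""
    return bool(classify_resolvers(parse_resolv_conf(text), known_bad)["bad"])


# Constructed sample: what a host behind a hijacked router might show.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.lan
nameserver 192.168.1.1
nameserver 94.103.82.249
"""

if __name__ == "__main__":
    print(classify_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
```

On Windows the equivalent input is the DNS server list from `ipconfig /all`; the classification logic is the same once the addresses are extracted.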