Valak 2.0: Malware loader for stealing personal data
The Valak malware loader is now remodelled to attack in stealth mode and is being used to steal personal data in a more sophisticated way. The creators of this malware are adopting the MaaS (malware as a service) model in collaboration with other threat actors. This new version of Valak 2.0 is known to steal sensitive information from Microsoft Exchange mail systems as well as credentials and domain certificates.
Valak 2.0 is bundled with six plugin components. These enable the bad guys to access the infected hosts and steal user, machine, and network information. It has a ‘PluginHost’ component which connects with the C2 server to download extra plugins for extended capabilities. Additionally, it also has a file-less feature which stores components in the registry while taking screenshots and checking the host’s geolocation.
Preventive measures
- Companies to deploy an email filtering solution
- Enforcement of security best practices which include email safety training and cybersecurity awareness education.
- A reputable endpoint security solution for scanning hosts for any malicious files and safeguard from such attacks.
Trickbot Malware Update: Harder to Detect
Trickbot malware is now updated with a new design of regeneration to avoid detection. This new update which has been in operation since April. The previous module called Mworm which was used to spread Trickbot is now replaced by a new module called Nworm. This nworm infects the domain controller and runs on the RAM memory leaving no traces behind during reboot and shutdown.
It is also encrypted during the transfer on the internet which enables it to hide its malicious self from security tools. During infection, the Trickbot malware will scan a host then proceed to download the necessary modules required to maintain constant persistence on the network and launch its malicious activities.
Preventive measures
- Best security practices such as ensuring Microsoft Windows hosts are running the latest versions and are fully patched.
- Downloading and installing Microsoft Windows security updates immediately they are published.
Amtrak Acknowledges Security Incident Involving Guest Reward Accounts
Amtrak recently began informing customers that their personal data may have been compromised owing to unauthorized access to Guest Reward accounts. A data breach notification published by Amtrak with the authorities states that the incident was discovered on 16th April 2020.
The company disclosed that a group of hackers gained access to some customers’ Guest Reward accounts using compromised usernames and passwords. The bad guys used the simplest user access vulnerability where most users have the same username and password combination.
Amtrak, however, stated that social security numbers, payment card information and other financial data were not part of the compromised data. They also added that its security team restricted the unauthorized access and terminated in a few hours. An external cybersecurity company was consulted to confirm that the breach was actually contained. As a result of this, Amtrak reset all passwords of the compromised accounts and is still in the process of preventing such a breach in future. All affected customers have been offered 1-year free identity protection services from Experian.
Joomla team acknowledges data breach
Joomla’s open source content management system (CMS) team recently reported a security breach in the company. The incident occurred when a team member of the Joomla Resources Directory (JRD), who allegedly might be a grey hat hacker, accidentally left a full backup of the JRD site under URL resources.joomla.org on an AWS S3 bucket belonging to the company. The Joomla team stated the backup file was not encrypted and consisted of personal data of around 2,700 registered users. These users had created accounts on the JRD website portal to advertise their skills in making Joomla sites.
Joomla admins are allegedly still digging into the incident and will release a full statement in due course. It is not yet clear if any of the bad guys have been able to access and download the compromised data from the S3 server. Personal data that could have been exposed include:
- Full name
- Company URL
- Nature of business
- Business phone number
- Business address
- Business email address
- Encrypted password (hashed)
- IP address
- Newsletter subscription preferences
This security breach is considered a low severity incident since most of the above information was already public apart from hashed passwords and IP addresses which should be private. The Joomla team is urging all JRD users to change their passwords on the JRD portal. They also stated that once they were notified of the incident, they conducted a full security audit of JRD Portal. This audit revealed superuser accounts owned by users outside Open Source Matters. After this discovery, the devs revoked access to the superuser accounts and disabled all user accounts that had not logged in after 1st January 2019.
