October 28, 2019 By David Bisson 3 min read

Last week in security news, NordVPN revealed that one of its servers experienced a breach as a result of vulnerabilities affecting a third-party data center. Researchers also observed several notable events in the malware threat landscape: In addition to spotting a new Spelevo exploit campaign, they detected at least two new remote-access Trojan (RAT) variants as well as an entirely new ransomware family.

Top Story of the Week: NordVPN Clarifies Scale, Other Details of Breach

On Oct. 21, NordVPN explained that a security breach affected one of its servers located in Finland back in March 2018. The VPN provider attributed this incident to a misconfiguration involving the third-party data center that stored the server. NordVPN found evidence that the third party deleted the accounts that caused the vulnerabilities, but did not inform NordVPN about the incident.

NordVPN terminated its agreement with the third-party provider and launched an audit into its service. This investigation revealed that the incident affected two other VPN providers and exposed some TLS keys, but did not compromise any user credentials or activity logs.

Also in Security News

  • Johnson City, Tennessee, Suffers Ransomware Attack: On Oct. 21, an employee for Johnson City, Tennessee, showed the municipality’s IT director a ransom note left by ransomware attackers. The IT director subsequently launched an investigation into what happened and learned that the ransomware had affected approximately half of the city’s 600 workstations.
  • Gustuff Banking Trojan Returns With New Features: Cisco Talos detected a new version of Gustuff that contained hardcoded software packages, thus lowering its static footprint. The variant also arrived with a JavaScript-based scripting engine that allowed its operator to execute scripts while using the malware’s own internal commands.
  • Spelevo Abuses Flash Player Flaw to Deliver Maze Ransomware: A security researcher observed the Spelevo exploit kit abusing a use-after-free vulnerability to target users running older versions of Flash Player. After coming across a vulnerable user, Spelevo leveraged arbitrary code execution to run Maze ransomware on the user’s machine.
  • MedusaLocker Ransomware Starts Making the Rounds: MalwareHunterTeam was the first to spot a sample of the new MedusaLocker ransomware family at the end of September. In its analysis, Bleeping Computer found that it was still unclear how attackers are distributing the threat, how much they’re demanding from victims and whether they’re actually providing a decryptor to victims who pay.
  • Vulnerable Developer Backends Threaten Alexa, Google Home Users: The team at SRLabs found several vulnerabilities that allowed attackers to capitalize on how smart devices like Alexa and Google Home receive and reply to commands. Researchers specifically found that bad actors could induce silence in an app for the purpose of conducting phishing and eavesdropping attacks against device owners.
  • New Variant of Remcos RAT on the Loose: Fortinet picked up on a spam campaign that used spoofing and fake payment advisory emails to trick recipients into opening a .ZIP archive. Those who complied exposed themselves to a new variant of Remcos, a RAT family known for its data-grabbing capabilities.

Security Tip of the Week: Strengthen Your Organization’s Email Security

Email is one of the most common ways that ransomware and malware make their way into corporate systems. Security personnel can help strengthen their organization’s email security by conducting phishing simulations that evaluate employees’ awareness of these types of attacks.

Security teams should also consider deploying a layered approach to email security that uses artificial intelligence tools to monitor enterprise communication patterns and spot inconsistencies that could be indicative of a successful business email compromise (BEC) attack.
