Details leaked on Windows SMBGhost bug

Plus, attackers have a new bag of malicious tricks including a coronavirus website, HIV test results, and naked photos of your friend’s girlfriend.

In advance of this week’s Patch Tuesday for Microsoft users, details leaked online regarding a new vulnerability inherent in Windows 10 that can be exploited as a “wormable” bug, meaning it can travel easily from victim to victim. Microsoft, however, did not issue a fix for the flaw in its weekly update nor was a fix scheduled for any of the Patch Tuesdays this month, reported ZDNet. But Avast Security Evangelist Luis Corrons has faith one will be developed soon. “Given the seriousness of this vulnerability,” he commented, “we are sure Microsoft will release a patch as soon as possible instead of waiting for next month's regular update.”

It is still unknown how details of the bug were leaked, but some experts believe the information was included on an initial list of vulnerabilities to be patched which was shared with Microsoft partners and later amended with the vulnerability omitted. The problematic protocol is the Microsoft Server Message Block, also known as SMB. Researchers have begun calling the vulnerability “SMBGhost” in deference to its known presence but unseen execution. SMB is the same protocol that the notorious WannaCry and NotPetya ransomware strains exploited. “What ALL companies have to do right now is to ensure that SMB connections from the internet are not allowed to connect to their business network,” advised Corrons. As a stopgap measure before the patch is developed, Microsoft has published guidance on how users can disable the vulnerable protocol.

Malicious coronavirus map website

Continuing to find new ways to take advantage of the coronavirus panic, cybercriminals have set up a world map online that SC Magazine called “very polished and convincing” even though it is weaponized with information-stealing malware. The map allegedly shows where outbreaks of the virus have occurred, listing total infections, total recoveries, and total deaths. The malicious website claims its data comes from Johns Hopkins University. The malware infects all visitors to the site, collecting their personal information such as login credentials and payment card numbers. The U.S. Cybersecurity and Infrastructure Security Agency published 5 tips to help defend against Covid-19 scams.

This week’s stat

Security researchers have identified 14 malicious websites that take advantage of users who want to learn about the coronavirus. See the full list at Forbes.

Phishing scam poses as HIV test results

A new phishing scam is pretending to be HIV test results from “Vanderbit” University. While some users may recognize it as a scam due to the misspelling of “Vanderbilt,” those who miss the typo and open the email are fraudulently invited to view their HIV test results by opening an Excel attachment. Clicking the attachment opens a blank spreadsheet and the user is urged to “enable content” by allowing macros. Doing so, however, installs malware on the system, granting the attacker full access to the computer. You can find more details about this scam on Bleeping Computer.

FBI arrests cybercrime kingpin

The FBI took Kirill Victorovich Firsov into custody at JFK airport in New York last week on charges of operating illicit online services. Firsov is accused of running Deer.io, an online marketplace that allegedly hosts tens of thousands of criminal enterprises. Cyberscoop reported that before the arrest, undercover FBI agents were able to purchase thousands of names, addresses, and social security numbers from the marketplace as well as hundreds of hacked video game accounts that divulged users’ payment information. The FBI alleges Firsov promoted Deer.io on cybercriminal forums and throughout hacking communities. The case is filed in the U.S. Southern District of California.

This week’s quote

“The problems witnessed in Iowa and LA are strictly our own fault, the result of a perfect storm of different computing errors.” - IT writer David Strom, on the voting mishaps plaguing this U.S. election season. Read his breakdown on what happened and how to solve the problem.

India uses facial recognition tech to identify over 1,100 rioters

To identify individuals who took part in a violent riot in northeast Delhi last month, Indian law enforcement deployed facial recognition tech. India Today reported that Minister of Home Affairs Amit Shah announced to Parliament that the software identified 1,100 rioters responsible for the insurgence that lasted several days and left 52 people dead and 526 others injured. Shah said that 40 teams of police have been dispatched to locate the 1,100 individuals. TechCrunch reported that opponents of the facial recognition tech question its accuracy and claim it infringes upon privacy rights. 

Attackers offer naked pix of your friend’s girlfriend

In a twist on the classic sextortion scam where attackers threaten to release video captured with your own webcam, a new phishing tactic is to inform victims that their friend has refused to pay a sextortion fee and, as punishment, naked photos of his girlfriend have been sent to everyone on his contact list. Recipients of the scam email are told they’ve received a copy because they were in the contact list, and they are encouraged to click an attachment to see the photo in question. Once they do, they see a blurry photo and are instructed to “enable content” to see it clearly, but enabling the content in fact downloads Raccoon malware, which steals data from the victim’s apps, browsers, and email clients. More details at BBC News.

This week’s ‘must-read’ on The Avast Blog

Transitioning to work from home? Read up on tips for smart hygiene to keep yourself digitally and physically clean. 

