Cyware Monthly Cyber Threat Intelligence February 2018

The Good

• The Massachusetts Institute of Technology is launching an initiative called MIT Intelligence Quest in an effort to combine multiple disciplines to reverse engineer human intelligence, create new algorithms for machine learning and artificial intelligence and foster collaboration. The biggest takeaway from the structure of MIT IQ is that artificial intelligence needs to be a team sport to develop breakthroughs. MIT IQ is an effort to break down multiple research silos across the institute to rally around human and machine intelligence.
• The Canadian government is helping to test a new airport security and screening system that will allow travelers to digitize and share travel documents and biometric information with authorities in advance. Launched at the World Economic Forum (WEF) meeting in Davos, Switzerland, the “Known Traveller Digital Identity” system aims to exploit an array of emerging technologies including biometrics, the blockchain, and artificial intelligence to boost cross-border security, reduce the threat of cyber-terrorism and streamline international travel.
• Much like the sci-fi movies, new eyeglasses have been invented that could take pictures and recognize faces. According to the Hong Kong Free Press, four police officers in the city of Zhengzhou have already started wearing these glasses. The camera attached above the left eye allows officers to look in the direction of an individual and take their photo. The glasses are also linked to a smartphone-like handheld device that scans the individual’s face and pulls information--such as name, gender, ethnicity, full address, and whether they have been charged with any crimes or have outstanding warrants--about him/her from a central database. Police can also access information about their internet usage.
• The new Insider Preview update released by Microsoft for Windows 10 S users allows them to ditch system passwords. Individuals can now use an Authenticator App, that can be installed on their phones, to unlock the security-focused Windows flavor. Once users set up Windows Hello with the app, they will no longer be asked to use password as a sign-in option. As per reports, Microsoft plans to drop 10 S as a standalone product in order to offer it as a mode to both Home and Pro users.
• The National Cyber Security Centre (NCSC) launched its Active Cyber Defense (ACD) initiative a year ago. Results to the initiative were released. This free technology blocks malicious emails, removes phishing attacks and stops public sector systems veering onto malicious servers. According to a report--named Active Cyber Defense - One Year On, since the inception of the ACD, UK’s share of visible global phishing attacks has dropped from 5.3% (June 2016) to 3.1% (Nov 2017). It also reported that 121,479 phishing sites hosted in the UK have been removed. There was also a drop of scam emails from bogus ‘@gov.uk’ domains, and take down availability times for sites spoofing government brands came down from 42 hours to 10 hours. An average of 4.5 million malicious emails per month have been blocked from reaching users, by deploying more than one million security scans and seven million security tests across public sector websites.
• A new scalable, secure and decentralized digital currency and payment platform, called Algorand, has been founded by Silvio Micali. Silvio is a Turing Award-winning cryptographer and professor of computer science at MIT. Pillar and Union Square Ventures are providing seed funding, of worth $4 million, for the same. Algorand attempts to address the scaling challenges of the blockchain technology through rapid and efficient user consensus, enabling even the smallest transactions, regardless of volume or number of users.
• A new feature, which eliminates the need for passwords, is under testing by Microsoft for Windows 10. The latest Insider preview release (build 17093), relies on the Authenticator app on Android and iOS. The Authenticator app can authorize or block requests to login, thus rendering passwords redundant. The feature is also available in Windows 10 S. However, users are advised to configure Windows Hello and the Authenticator app properly.
• Mastercard announced that all users of its service will not be able to use biometrics--including fingerprint and facial recognition. A deadline of April 2019 has been set for biometric identification for users. Along with PIN numbers and passwords, all banks that accept Mastercard payments will have to support biometric identification mechanisms, for all remote payments. The biometric authentication will be used in conjunction with a mobile device.
• Microsoft has released new features to allow IT professionals better assess if their devices are patched against the Meltdown and Spectre flaws. The feature is available in Windows Analytics, and offers details on the firmware installed on the device and if necessary security patches have been applied to the firmware.
• Researchers at MIT have come up with a new chip that is hardwired to perform public-key encryption. The chip is highly energy efficient as it consumes only 1/400 as much power as software execution of same protocols would require. Furthermore, the chip uses about 1/10 as much memory and executes 500 times faster. The researchers have described the technique used in the chip as ‘elliptic-curve encryption’ that relies on a type of mathematical function called an elliptic curve.
• Quantum physics is gaining much importance in cybersecurity because of stronger security features it can help create. An Australian cyber security company is using quantum physics to create stronger data security tools. The entire concept focuses on the concept of quantum tunneling, an intriguing property in diodes, that paves way for the creation of stronger encryption keys. As per classical mechanics, Quantum tunneling is a phenomenon as per which a particle is able to cross a barrier that technically it should not be able to do. 
• The National Institute of Standards and Technology (NIST) has published the 'Attribute Metadata: a Proposed Schema for Evaluating Federated Attributes' in order to provide the basis for the evolution of a standardized approach to entity attributes. This is an internal report that can be used by public and private organizations. The report will not be imposed on the federal agencies. The purpose is to allow a system that uses federated IAM to better understand and trust different attributes; to apply more granular and effective access authorizations, and to promote the federation of attributes.

The Bad

• Security experts found that a trove of over millions of email credentials, which belongs to employees of Fortune 500 companies, has been leaked to the dark web. Experts analyzed data from over a three-year period, which represented the largest ever trove of stolen credentials – amounting to eight billion. It was found that over 2.7 million of these eight billion stolen credentials have found their way into the dark web.
• The national tax office in the Netherlands said its website briefly went offline on Monday due to a DDoS cyber attack, after the country’s largest banks were targeted. ABN Amro and ING said they were both targeted by hackers, temporarily disrupting online and mobile banking services. The tax office said its website went down for 5-10 minutes after a DDoS attack.
• It appears cryptocurrency startup BeeToken, which promised to disrupt the home sharing industry by putting its service on the blockchain, has been hacked. The attackers are actively targeting its initial coin offering (ICO) with phishing attacks and have already duped gullible investors for over $1 million worth of Ethereum. The company has confirmed the phishing attacks on its official Twitter and Medium accounts, warning that users should treat emails and Telegram messages directly encouraging users to send funds are likely fraudulent.
• A wave of attacks leveraging the popular third-party services Google+, Pastebin, and bit.ly is targeting individuals and organizations within the Palestinian Territories. Dubbed “TopHat” the campaign uses Arabic language decoy documents related to current political events to lure victims into opening the documents and subsequently infecting themselves with malware from the “Scote” family.The ultimate payload is a new malware family that has been dubbed “Scote” based on strings found within the malware samples. Scote provides backdoor access for an attacker and we have observed it collecting command and control (C2) information from Pastebin links as well as Google+ profiles.
• The source code for a core component of the iPhone’s operating system, labeled ‘iBoot’, was found on the GitHub. Who published there is still unknown. This code is responsible for ensuring a trusted boot of the operating system--meaning, once you turn on the device, the code loads and verifies that the kernel is duly signed by the apple and then executes it. Hackers can use this code to find vulnerabilities in iOS and devise new techniques to jailbreak the OS.
• It has been reported that Fancy Bear, the Russian group of hackers have exploited a key vulnerability in the US cyber defenses and almost managed to steal secret documents and advanced defense technology. What documents have been stolen isn’t clear yet. The investigation revealed that hackers were able to breach the systems due to poor email protection and minimal direct notification of victims.
• Business Wire, the corporate news release distributor announced that they have been a victim of DoS (Denial of Service) attacks. As per the company, the DoS attacks were initiated on 31st January. Fortunately, no customer information was compromised. Security researchers are speculating that the attacks were launched due to the company’s dealings with Fortune 500 companies and the sensitive data it might be holding.
• Worblaufen, a Switzerland based firm revealed details of a security incident that occurred in late 2017, which resulted in leakage of sensitive customer data--including names, addresses, telephone numbers and date of birth. However, as per the Swiss laws, the information falls under “non-sensitive” category. According to the company, the data leak occurred due to misappropriation of a sales partner’s access rights.
• Hackers have injected an in-browser Monero miner to 4,275 sites--including government websites such as uscourts.gov, ico.org.uk, & manchester.gov.uk--in order to use the visitors’ CPU to mine for Monero digital currency. These sites utilized the Coinhive in-browser mining (cryptojacking) script.
• BitGrail, an Italian cryptocurrency exchange platform, announced on its website that 7 million Nano (worth around $202.3 million) was found missing. The company claims unauthorized transactions as the reason. Currently, all withdrawals and deposits from the site have been halted. Nano cryptocurrency was worth $11.90 at the time the announcement was made.
• A hacker using the alias NullHumanity managed to find a critical vulnerability in Canadian Freedom Mobile and used the bug to download confidential customer data, and warned the company to establish proper security measures. Customer data--including phone number, address, call history and other information--was reportedly stolen.
• Two different data leaks have taken place due to misconfigured databases exposing the personal details of thousands of people. One of the victims is the Maryland Joint Insurance Association, which left access to a customer file repository, unsecured. The data repository contained customer details such as names, addresses, phone numbers, birth dates, and full Social Security numbers; along with financial data such as check images, full bank account numbers, and insurance policy numbers. Another victim is MDJIA access credentials for ISO ClaimSearch. The exposed database contained millions of reports on individual insurance claims for industry professionals. Both breaches occurred due to NAS server with an open port 9000.
• Several core domains names of Newtek Business Services Corp., were stolen resulting in shut off of emails and stranded websites of several customers. Newtek is a web services conglomerate that operates more than 100,000 business websites and around 40,000 managed technology account. As per sources, three of the core domains were hijacked and replaced by a Vietnamese hacker. The hacker replaced the login page many Newtek customers used to remotely manage their Web sites (webcontrolcenter[dot]com) with a live Web chat service. However, Newtek mentioned in an email that the company was changing domains due to “increased” security.
• Tesla fell victim to the hackers this month when it came to be known that their cloud environment was exploited by hackers to mine cryptocurrencies. Security researchers reported the discovery of an unprotected Kubernetes console that belongs to Tesla. The console is used to automate the deployment, and for scaling and operating application containers and virtualized software among others. The researchers discovered that hackers have deployed mining scripts on Tesla’s unsecured Kubernetes instances to perform cryptojacking.
• Hackers stole away the personal details of at least 685,000 registered forum users of Hardware Zone. As per statistics, this breach is the largest breach in Singapore to date. Although the hacking took place in September 2017, it was discovered when security researchers discovered suspicious posting from a senior moderator’s account that was found to be compromised by an unknown hacker.
• California seems to be on hackers radar. Now in a new breach, the hackers have stolen the personal data of thousands of state employees and contractors from the Department of Fish and Wildlife. However, what is different about this breach is that the data was stolen by an insider (former employee) who downloaded it to an unencrypted personal device and took the data outside the department’s perimeter. As of now, the threat actor has not been named by the department.
• The Russian Central Bank came with an astonishing revelation  when it disclosed that unknown hackers had stolen $6 million from a Russian bank last year. The hackers had compromised SWIFT international payments messaging system. Although the bank did not provide much inside details of the hack but it did mention that the hackers employed a ‘common scheme’ to compromise SWIFT and steal the money.

New Threats

• A global botnet dubbed “Smominru” has been secretly mining Monero on infected machines and making millions of dollars for its owners. The operators have mined about 8,900 Monero valued at up to $3.6 million at a rate of 24 Monero ($8,500) per week. Researchers have watched the Smominru botnet spread since May 2017. Now including over 526,000 infected Windows hosts, Smominru uses EternalBlue, a Windows exploit developed by the NSA and leaked by the hacking group Shadow Brokers.
• South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number. An attacker can persuade users to open Microsoft Office documents, web pages, spam emails, etc. that contain Flash files that distribute the malicious [Flash] code. The malicious code is believed to be a Flash SWF file embedded in MS Word documents.
• Fitness wearables and apps are very useful when trying to keep in shape, and members of the U.S. military have embraced the technology wholeheartedly. However, easy access to all that information online may have an unexpected downside. Strava is a social networking app geared toward athletes, where users can upload their fitness data, and it uses GPS tracking data for a variety of website applications. One of the projects of Strava Labs is a “Global Heatmap,” an easily accessible visualization of the network data, that shows popular running and cycling routes. The heatmap boasts data from more than one billion activities all around the globe.
• A new ransomware called GandCrab  has been released that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld. Unfortunately, at this time there is no way to decrypt files encrypted by GandCrab for free.
• Researchers have unearthed a new strain of Gojdue ransomware on the dark web. Named, ShurL0ckr, the ransomware has been found to evade being flagged by two major cloud platforms, Google Drive and Microsoft Office 365, with malware protection features. ShurL0ckr has been classified as a zero-day ransomware-as-a-service that is similar to the infamous Satan ransomware in functionality. 
• South Korean-CERT disclosed an Adobe Flash Player zero-day vulnerability being exploited by the North Korean hackers. Although rare, it was not the first time that North Korean hackers had exploited a zero-day. Given the highly sophisticated campaigns carried out by the Lazarus group in 2016, the flash player exploit came as a surprise for the researchers. Later, it was found out that another threat actor going by the name of ScarCruft, alias Group 123 and Reaper) was behind the flash player exploit.
• The arrival of the GrandCrab ransomware was reported. It is a new malspam campaign that comes disguised as PDF receipts but instead delivers the malicious ransomware code. Now, further research has revealed that the ransomware is installed through PowerShell script. Initially, the victim receives an email with a subject like “Receipt Feb-078122” containing PDF attachments with names like Feb01221812. Users must exercise utmost caution while handling any email with similar subjects and attachments.
• Researchers have identified a new Point of Sale (PoS) malware in a relatively long time. The malware steals data from the magnetic strips on the payment cards. It comes disguised as a service pack for LogMein, a remote connectivity services software. Researchers became suspicious after an unusually large number of unusual domain name system (DNS) requests were generated by the service pack. The malware is believed to target the US consumers instead of European consumers because the in latter, the payment cards mostly enjoy “Chip and Pin” protection.
• There is an increasing evidence that hackers are now shifting from ransomware to crypto mining malware as the latter is generating more profits. Now, security experts have documented the first cryptominer attack on a critical infrastructure project. The attack particularly targeted the SCADA network of the water utility facility. As per the investigation, it was found out that the malicious code deployed was mining Monero currency which has lately found some popularity amongst the hacking community because of its stealth features. The malware could run in stealth mode and even render the security tools on the network devices disabled to operate latently and maximize the mining process.
• Security researchers from Nvidia and Princeton University have developed a new tool to explore how hackers could take advantage of the CPU flaws and discovered a brand new way of exploiting Meltdown and Spectre flaws. The techniques, dubbed MeltdownPrime and SpectrePrime, pit two CPU cores against each other to dupe multi-core systems and get access to their cached data. Thus, hackers can steal sensitive information like passwords.
• Scammers are using a new, macro-less technique to infect users with a credential-stealing malware. This attack technique relies on users opening Word documents, but doesn’t require them to enable Macros. Evidence suggests that presently only one group is actively using this technique.
• Two malware packages--referred to as HARDRAIN and BADCALL--were reportedly released by Hidden Cobra, aka Lazarus Group. Reports about the malware packages were given by the Department of Homeland Security (DHS) and FBI. The malware is capable of installing a remote access tool (RAT) payload on Android devices, and force infected Windows systems to act as a proxy server, disguising their command-and-control communications to appear as if they are encrypted TLS/SSL (HTTPS) sessions.
• Kotlin is an open-source programming language, fully-supported for Android. Starting from Fortune 500 companies (like Twitter, Uber etc), many apps were built using Kotlin. As per Google’s claims, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, first samples of Android malware created using Kotlin were found on Google Play by security researchers.
• The infamous Coldroot Remote Access Trojan is still found to be undetectable by popular antivirus engines. It would be essential to mention that the trojan code was uploaded and made freely available on GitHub for around 2 years. Initially, the trojan was created to target the Mac users and fill in the void of a RAT targeting Macs but since then it has expanded its domain to cover Linux and Windows also.
• Researchers have identified a multi-stage infection attack that deploys malware for stealing passwords from applications installed on the targeted computer. The attack is initiated through spam emails that are delivered via Necurs botnet. The botnet delivers macro-enabled documents including Word, Excel and PowerPoint documents. In the campaign, researchers found out that DOCX attachments containing en embedded OLE objects having external referenced were used.
• The famous peer-to-peer apps BitTorrent and uTorrent have been found vulnerable to hijacking flaws. A security researcher unearthed a number of DNS rebinding exploits in the Windows versions of the software. The bugs allow the hackers to resolve web domains to the user’s computer thereby providing the keys to the kingdom. The hackers are able to execute remote code, download malware to Windows startup folder, take hold of downloaded files and scan your download history. The bug impacts all the unpatched versions of the software.
• Researchers have unearthed new spam campaigns impacting a number of websites including the Bitcoin cryptocurrency. The spam campaign starts with the injection of a malicious script into different Joomla, WordPress and jBoss websites. The purpose is to create a binary file that is achieved by hiding the unwanted script on the embedded site. Once the binary file is created, the hackers misuse the PC’s CPU to access user’s computers to mine Bitcoin.