Cyware Monthly Cyber Threat Intelligence June 2018

The Good

• Europol signed two memorandums of understanding in June - one with the World Economic Forum and another with the European Defense Agency, European Union Agency for Network and Information Security and CERT-EU.
• The French Minister of Public Action said they dismantled Black Hand, one of the largest Dark Web forums that saw the trade of illegal goods and services such as weapons, narcotics, stolen data and more. Authorities said the site’s administrator--a 28-year-old mother from Northern France--and several other accomplices were arrested in a string of coordinated police raids across the country.
• The FBI arrested 74 scammers in a massive global business email compromise (BEC) crackdown that involved attempts to steal data and funds from individuals and businesses. Thanks to a six-month long global operation named Operation Wire Wire, 42 scammers were arrested in the US, 29 in Nigeria and 3 in Canada, Poland and Mauritius.
• US carrier Verizon agreed to stop selling customers’ real-time location data to third party data brokers following serious concerns over user privacy and security. Senator Ron Wyden praised Verizon’s initial move before chastising its competitors for not following suit. Eventually, AT&T, T-Mobile and Sprint also announced similar commitments.
• Google is looking to make sure apps downloaded from Play Store and shared offline will be verified as safe. The company will add a small security metadata into APKs to mark the app as “authentic” and originally coming from the Google Play Store.
• VirusTotal introduced a new service to allow software developers to privately check and monitor their programs against antivirus detection engines in a bid to reduce false positives. Developers can use the new VirusTotal Monitor to upload new files, check their code and receive alerts if their program has incorrectly been flagged as malicious.
• Mozilla’s Firefox browser unveiled a new security tool with security researcher Troy Hunt’s data breach service, Have I Been Pwned, baked in to alert users of new data breaches. The website called FireFox Monitor will allow users to enter their email address and find out if their account was part of a known data breach.
• UTSA researchers have developed an authorization framework to protect connected cars against cyberattacks. Using this framework, researchers are looking to create and use security authorization policies in different access control decision points to prevent any unauthorized access to smart car sensors and data, and protecting it against attacks.
• Twitter announced support for physical USB security keys to give accounts an additional layer of protection. Using the physical key, users can securely sign into their accounts as part of the two-factor authentication process, rather than entering a text message sent to their phone.
• The Wi-Fi Alliance announced the new WPA3 Security standard for wireless connections, routers and wireless devices. Replacing the aging WPA2 protocol, the new WPA3 standard will make it harder for threat actors to run common hacking attacks on wireless networks and make passwords much harder to crack.
• California passed the country’s toughest data privacy law on Thursday. The new law, which will take effect on January 1, 2020, will require companies to tell customers upon request what personal data they collect, why and what categories of third party firms have received it as well.
• The US House Homeland Security Committee has approved a bill to expand efforts to secure industrial control systems used to power critical infrastructure and services such as power and water systems, manufacturing and transportation.
• MIT researchers developed a novel “frequency-hopping” transmitter to help protect IoT devices against hackers. The transmitter frequency hops every individual 1 or 0 bit of a data packet that a device sends out to a unique, random frequency. This is done every microsecond, thus preventing attackers from intercepting or manipulating the data.

The Bad

• Coca-Cola said it suffered a data breach in September 2017 after an ex-employee possessed an external hard drive that contained some employees’ personally identifiable information. The company said that about 8000 workers were affected but there is no evidence the data was used to commit identity theft.
• Dixons Carphone disclosed a massive data breach that compromised 5.9 million customer cards and 1.2 million personal records. Although 5.8 million of the cards compromised have chip and pin protection, 105,000 payments from outside the EU do not and were thus compromised.
• Weight Watchers accidentally exposed sensitive data about its IT infrastructure on a Kubernetes server without any password protection. Kromtech researchers found the server contained administrator’s root access, keys for 102 domains, data of users with administrative credentials and more.
• Honda India exposed the personal data of over 50,000 customers in two unsecured Amazon AWS S3 storage buckets. The data of Honda Connect app users included names, passwords, trusted contacts information, VIN, Connect IDs and more.
• Insurance startup AgentRun exposed sensitive personal and medical details of thousands of insurance policy holders in a misconfigured AWS S3 storage bucket. The misconfigured bucket contained insurance policy documents, sensitive health information like individual prescriptions and dosages as well as scans of identification documents like Social Security cards, Medicare cards, voter IDs and more.
• DNA testing site MyHeritage suffered a breach compromising the personal data, email addresses and hashed passwords of over 92 million users. A security researcher notified the firm after discovering a file named “myheritage” on a private server outside of the firm.
• Transamerica said it suffered a breach with hackers stealing around 45,000 customers’ personal and financial data, employment details and Social Security numbers.
• Marketing firm Exactis is said to have exposed a huge database containing nearly 340 million in-depth records of Americans and businesses on a publicly accessible server. The data included a trove of personal information from people’s phone numbers and home addresses to interests, smoking habits and more.
• Popular medical appointment booking website HealthEngine was caught sharing patients’ private data with a third-party law firm as part of a “referral partnership pilot.”
• Ticket-selling giant Ticketmaster said it suffered a breach due to a customer support tool on its website by Inbenta that was exploited to harvest users’ personal and payment data. About 5% of Ticketmaster customers were impacted by the breach with several people already reported being scammed out of money as a result of the incident.
• Hotel-booking software provider FastBooking said hackers managed to exploit a vulnerability in a web application hosted on its server to install malware and steal data. The breach compromised the personal information and credit card data from guests of hundreds of affected hotels around the world.
• ProtonMail was hit with a powerful DDoS attack that affected the email service for several hours with sporadic outages that lasted minutes at a time. The company said it was “unlike the more ‘generic’ DDoS attacks” it usually deals with. A group claiming to have links to Russia, claimed responsibility for the attack.
• Ticketfly was targeted by hackers last week who defaced its website and stole users’ personal data. Several Ticketfly database files were later found posted to a public server containing over 26 million email addresses as well as users’ names, phone numbers, home and billing addresses.
• A popular quiz app on Facebook called “Nametests” was found with a flaw that let anyone access information on more than 120 million people, even after the app was deleted. Security researcher Inti de Cuekelaire reported the issue via Facebook’s Data Abuse Bounty Program launched in April.
• Chinese hackers reportedly swiped about 614GB worth of sensitive undersea warfare data from a US Navy contractor. The Washington Post reported the stolen data included secret plans regarding a US project to build a supersonic anti-ship missile, signals and sensor data, submarine radio room information and more.
• Kenna security researchers found widespread Google Group misconfigurations  exposing organizations’ internal data. As many as 10,000 firms were found publicly exposing some form of sensitive data after many Google Groups visibility were accidentally configured to “public”.
• Atlanta’s police department admitted “years” worth of police dashcam footage were destroyed in the recent SamSam ransomware attack that crippled the city’s municipal services in March. Atlanta Police Chief Erika Shields said the data loss could potentially compromise DUI cases “if the officer’s testimony is not where it needs to be.”
• Researcher Ruben Santamarta managed to successfully hack into in-flight airplane WiFi networks from the ground. The IO/Active researcher said he accessed on-board WiFi networks including passengers’ Internet activity and read the planes’ satcom equipment.
• Ad-blocking service Ghostery suffered an embarrassing gaffe after it sent out notification emails about its GDPR compliance. However, it accidentally exposed recipients’ email addresses in the “Happy GDPR Day” email by sending the emails in batches of 500 users and CCing hundreds of recipients in every email.
• Multiple cryptocurrencies including Bitcoin Gold, Verge and Monacoin suffered nasty 51 percent attacks using overwhelming computing power to gain control of their network and alter transactions on its blockchain to steal millions worth of cryptocurrency.
• Spanish football league La Liga’s app was caught using fans’ smartphone mics and GPS to identify pirate broadcasts of football games. The app could quietly detect the location of users to see if they were in a bar and record audio clips to find out if the establishment had paid for a license to show the match. The league later justified its actions saying illegal streaming costs it millions in losses.

New Threats

• ESET researchers uncovered the BackSwap malware that exploits Windows message loop to identify visited sites related to banking before injecting malicious JavaScript into the web page. Bypassing AV and browser protection mechanisms, the malware then replaces the recipient’s bank account number with a different one to transfer funds over to the attackers instead.
• The notorious VPNFilter malware was discovered to be worse than previously thought. The FBI issued an urgent advisory asking people to reboot their routers to thwart the Russia-linked VPNFilter malware. Cisco Talos researchers initially said the destructive malware has infected more than 500,000 consumer-grade routers worldwide including Linksys, MikroTik, Netgear, TP-Link networking equipment and QNAP network-attached storage (NAS) devices. Researchers later updated this list to include Asus, Huawei, D-Link, ZTE, Ubiquiti and Upvel devices.
• The new RedEye ransomware was found destroying victims’ files if they fail to pay up. The ransomware asks victims to pay 0.1 Bitcoin within four days and gives users four options - decrypting files, getting support or destroying the PC.
• Thousands of Android devices are still being shipped with Android Debug Bridge enabled, potentially leaving them vulnerable to hackers. The flaw leaves the device open to remote connections via the ADB interface that could be used to install malicious software or execute functions.
• ThreatFabric researchers spotted a new Android malware dubbed MysteryBot that comes with banking malware, keylogger and ransomware features. It also features data-stealing abilities to harvest SMS messages, email, contacts and more.
• Deep Instinct researchers discovered Mylobot, a botnet that features a never-before-seen level of complexity and three layers of evasion techniques. It also comes with a delaying mechanism of 14 days before accessing C&C servers and the ability to serve up different payloads from ransomware to keyloggers.
• The destructive Olympic Destroyer that hit networks supporting this year’s Winter Olympics in Pyeongchang, South Korea, has cropped up again. Kaspersky Lab researchers said the new campaign is targeting financial organizations in Russia and biological and chemical threat prevention laboratories in Europe and Ukraine.
• A new, targeted SamSam variant popped up that requires attackers’ input before infecting victims. Malwarebytes researchers said the campaign was difficult to analyze since a password is required to access the malware’s code. Even if someone accidentally downloads the malware, the attacker must enter a special password to run the payload.
• With the 2018 FIFA World Cup underway, fraudsters used football-themed scams via messages and cloned websites advertising tickets and travel deals to dupe fans. Kaspersky Lab researchers observed spikes in spam emails and phishing pages particularly during match ticket sales.
• A new traffic manipulation and cryptomining campaign dubbed Operation Prowli affected over 40,000 devices in 9000 organizations. Guardicore Lab researchers said Prowli targets CMS servers, DSL modems, backup servers and IoT devices using exploits, password brute-force attacks and weak configurations.
• Cisco Talos researchers discovered North Korean hacking outfit Group 123 is using a remote access trojan dubbed NavRAT to attack South Korean targets. Using the US-North Korea summit as a decoy, the trojan is embedded in a malicious Hangul Word Processor document. The malware itself has keylogging capabilities and is capable of downloading, uploading and executing commands on infected systems.
• The US Department of Homeland Security and FBI issued a joint advisory detailing two strains of North Korean malware named Joanap and Brambul. Officials said hackers associated with Pyongyang have used both to target critical infrastructure, aerospace, financial and media organizations worldwide since at least 2009.
• US-CERT also warned of a North Korea-linked malware named TypeFrame that contained descriptions related to Hidden Cobra. Analyzed samples had the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to C&C servers for additional instructions and modify the victim’s firewall to allow incoming connections.
• Scammers have been deploying extortion emails that claim the victim’s devices have been infected with WannaCry and all of their files will be encrypted unless they pay up in Bitcoin in advance to “fix” the infection. However, their claims along with the purported infection are all bogus.
• More than 60,000 Android devices were infected by a malicious battery-saving Android app that drops an ad-click malware and steals sensitive data. Although the app actually does reduce battery strain and kills processes that eat up resources, it also performs multiple malicious activities such as harvesting data and modifying system settings.
• The Necurs botnet was found using Internet Query Files (IQY) to evade detection and drop the FlawedAmmyy backdoor as part of a new campaign. Since it first popped up in 2012, cybercriminals have used Necurs to drop various ransomware and banking Trojans such as Locky, Dridex and more.
• The NSA hacking tool DoublePulsar was edited, allowing it to be used to take over Windows IoT systems as well. Since it was released in April last year, the exploit has worked on all major versions of Windows except for Windows 10.
• Academics found nearly every Android device released since 2012 is vulnerable to a new flaw named RAMpage that could allow hackers to gain administrative control and access confidential data stored in the device. The vulnerability is a variation of the Rowhammer attack.
• The AsiaHitGroup Gang struck again, pushing another wave of fraudulent apps into Google Play. McAfee researchers said the new Sonvpay campaign impacted at least 15 apps published on Google Play. In this campaign, the malware listens for incoming push notifications that contain relevant data to perform mobile billing fraud.
• As the wildly popular multiplayer survival shooter Fortnite is set to make its debut on Android this summer, cybercriminals are looking to tap into the hype. Scammers have been spotted uploading fake, malicious Android versions of Fortnite along with YouTube tutorials explaining how to download them.