Cyware Monthly Cyber Threat Intelligence March 2018

The Good

• The U.S. Cyber Command is looking forward towards an analytics solution housed in a contract called RAINFIRE. The command issued a request for information to gain insights on joint analytics support capabilities. The analytics solution is poised to serve the Capabilities Development Group and further integrate with different collaborative IT initiatives. The overall purpose is to support the cyber warfighters employed by the Department of Defense.
• Researchers from the leading institutes of MIT and Harvard have come up with a new system that is tasked to improve the privacy in private browsing. The system has been named Veil and provides enhanced protection to the people sharing their computers with other people at different public or private venues like offices, hotels, business centers and even university computer centers. The new system can be integrated with the existing private-browsing systems and anonymity networks.
• Researchers at IBM have remodified the C++ homomorphic encryption technique which is now said to be operating at 75 times faster rate. The technique allows users to operate on encrypted data sans decryption, thus enabling a secure operation. For instance, companies could use the technique to encrypt their cloud-based database and work on them without decoding the text. The first version of HElib C++ library was released by IBM three years ago.
• Academics have come up with a new facial recognition system, named Face Flashing. The design works on two important factors viz. the light patterns that get reflected off a human face and the speed with which the system interprets the reflected light to detect any forgery attempt. The technique works with cameras and in connection with an LCD screen on computers, phones, and authentication panels.
• Last year, prominent Telecommunication companies - AT&T, Verzion, Sprint, and T-Mobile had joined hands to launch Mobile Authentication Task Force. The focus was to create an improved security solution for their devices. The Telecom companies seem to have arrived at the solution that will now undergo further trials in coming weeks and would likely be available for adoption by the year-end.
• Google has unveiled Bristlecone, a new quantum computing chip with 72 quantum bits much above the previous record holder of IBM with a mere 50-qubit processor. As per team Google, although few more tests are required but its expected that the chip will be available this year. Google has pinned high hopes on this chip that would help them achieve “quantum supremacy”, a point at which a quantum computer can do calculations beyond the reach of today’s fastest supercomputers.
• Artificial Intelligence is now being leveraged by banks to provide enhanced security to consumer’s credit card data. Capital One has come out with a virtual credit card number for its customers to make online purchases. The technology behind the card is a browser extension that runs in the background of the cardholder’s computer automatically detecting when the person finishes off the shopping. Once the customer reaches a checkout page a virtual credit card number covering that person’s transactions with that specific retailer is generated and all payment fields on the site are filled. That way, if a retailer were to be hacked, or if the customer identified a fraudulent charge on their bill, Capital One could simply deactivate the compromised credit card alias, instead of replacing the card itself.
• Researchers released a “kill switch” that effectively counters the memcached vulnerability bringing a downfall in the frequency of massive DDoS attacks being carried out by the hackers. The tool suppresses a memcached DDoS attack while leaving the compromised servers online. It makes use of ‘flush_all’ command to defeat the DDoS exploit.
• U.S Army is moving closer to cracking codes with brain-like computers. A new method to leverage upcoming brain-like computer architectures for a well known old number-theoretic problem known as integer factorization has been discovered by scientists at the U.S Army Research Laboratory. The scientists have mimicked brain functions of mammals in computing and subsequently opened up paths to new age solution space that is very different from traditional architectures but nearer to devices that are able to operate within size-, weight-, and power constrained environments. The new technology will dramatically increase computing power in the battlefield and exponentially increase information processing and computational problem-solving capability.
• If there is one thing on which almost everyone would agree, it would be needed for a faster internet. Now, researchers from the Moscow Institute of Physics and Technology are making progress in creating ultra-high-speed quantum internet by using a previously known substance called ‘silicon carbide’. The paper published in npj Quantum Information talks about increasing data transfer rate in unconditionally secure quantum communication lines to more than 1 Gbps bringing it at par with its classical counterpart. Silicon Carbide is a semiconductor that gave birth to the field of optoelectronics. It is the same material in which the phenomenon of electroluminescence was observed for the first time and later used to create the world’s first light-emitting diode (LED).
• Scientists at the University of Texas at San Antonio (UTSA) have developed a new algorithm that may help detect and prevent cyber attacks on GPS-enabled devices in real time. Electrical Grids depend on GPS signals to understand time and location. For example, the US electrical power grid depends on GPS to give timestamps for its measurements at stations across the country. However, hackers can spoof these signals and disrupt the understanding of these signals. As of now, the algorithm has successfully mitigated the effects of spoofed GPS attacks on electrical grids and other GPS-reliant technologies.
• A new tool has been developed that will enable electrical grid operators to better detect not only a physical attack but also raise an alarm for a hacker looking out for vulnerabilities in the critical links of the grid. The motivation for developing this tool came after a rifle attack on an electrical substation near California’s Silicon Valley in April 2013. The tool uses micro phasor measurement units to collect information regarding the physical state of the power distribution grid. When this data is combined with SCADA, it provides real-time insights into system performance and issues alerts for even minor disruptions.
• After 4 years and 28 drafts, Internet Engineering Task Force (IETF) has passed the much needed update to internet security. TLS 1.3, as it is known, will be implemented in various software products ranging from Oracle’s Java to Google Chrome browser. The updates protocol will strive towards thwarting any attempts by state or non-state actors to eavesdrop and intercept HTTPS and other encrypted network traffic. Furthermore, it will also help fasten secure communication owing to its streamline approach.
• DARPA has started working on a new program, Collection and Monitoring via Planning for Active Situational Scenarios (COMPASS), that would use technology to get inside the enemy’s head thereby learning about their intent in the nebulous “gray zone” of conflict. The programme would work towards developing a new software that would monitor the enemy response to stimuli and attempt to discern enemy intentions. If this technology is successfully developed, it will completely change the course of future warfare.

The Bad

• Earlier this week, the US Marine Corps Force Reserve was at the receiving end of a major data breach that lead to the disclosure of sensitive information of over 21,000 Marines, sailors and civilians. The data breach occurred due to accidental exposure in an unencrypted email. The DoD’s Defense Travel System (DTS) sent an email, to a wrong distribution list, that included an attachment containing the sensitive information related to the affected people.
• The famous web-based hosting service GitHub suffered a massive 1.35 Tbps Denial of Service attack this week. GitHub got clogged and went down multiple times this week until the humongous traffic was moved to Akamai, the cloud computing company that was tasked to provide protection from such attacks. As per security analysts, such attacks would become the new normal in coming times.
• The infamous Equifax breach is still throwing up with new revelations. This week, the company discovered that additional 2.4 million U.S consumers that were affected by the cyber attack. As of now the total count of the affected has totaled to 147 million. In the newly discovered breach, the victims were found to have their sensitive details like names and partial driver’s license information stolen. The good news was that the hackers could not get their hands on their Social Security numbers.
• Security researchers have discovered a massive trove of data that was exposed due to an unprotected Amazon Web Services S3 bucket. The breach affects the company named Birst, a Cloud Business Intelligence and Analytics firm. The exposed database is 50.4 GB worth of data of one of Birst’s users Capital One, a McLean, Virginia based financial services giant and eighth-largest commercial bank in the United States. The leaked data contained technical information on Birst appliance specially configured for Capital One’s cyberinfrastructure.
• The Memcached-based DDoS attacks have taken the entire security world by surprise. After GitHub, another company was targeted by the hackers. In a blog post, Arbor Networks uncovered a massive 1.7 Tbps DDoS attack targeting customers of a US-based internet service provider. The attack was carried out using the same technique that was used in the 1.35Tbps attack on GitHub. The number of affected victims has not been disclosed yet.
• Danish Telecom company TDC's recently reported about network problem which could potentially affect their customers in Denmark, Sweden, and Norway. Due to the network failure, at least 450,000 of their customers who are predicted to be affected, were unable to make or receive any call. The problem is yet to be identified.
• A security researcher has managed to identify nearly 50,000 websites which have been infected with crypto-jacking scripts. These websites include government and public service agency portals. At least, 7,368 of these compromised sites are powered by WordPress. However, some these sites have already been cleared away with the malware. According to the researcher,  Coinhive continues to be the most widespread crypto-jacking script out there, accounting for close to 40,000 infected websites – a stunning 81 percent of all recorded cases.
• RMH Franchise Holdings disclosed that more than 160 Applebee's restaurants across the US were affected by an anonymous malware that was found on point-of-sale (PoS) systems. The malware was designed to extract details such as names, credit/debit card number, expiration dates and card verification codes, though it did not impact payments made online or using self-pay tabletop devices. In a majority of cases, the malware was present in PoS systems since December 6, 2017, while in some cases the malware has been active since November 23 or December 5, 2017.
• Researchers from a German security firm have revealed that the Chicago based famous jewelry brand Limoges Jewelry owner MBM Company has suffered a data breach impacting over 1.3 million people. As per the report, the company was allegedly handling customer details improperly over an unsecured Amazon S3 storage bucket. The leaked information includes addresses, zip-codes, e-mail addresses, IP addresses and even plain text passwords.
• St. Louis healthcare facility, BJC HealthCare, disclosed that a data storage error had potentially compromised patient records impact 33,420 people. As per the disclosure made, the data was publicly available for nine months due to a misconfigured server that was left without a security protocol in place allowing someone to view scanned documents containing patient's driver's licenses, insurance cards and treatment-related documents from 2003 to 2009.
• Another healthcare facility made an announcement of a breach that might have impacted medical records of about 135,000 patients. St. Peter’s Surgery & Endoscopy Center revealed that it had unearthed a breach that occurred on 8th January 2018 with an unauthorized party gaining access to its servers. As per the healthcare facility, despite no evidence of hackers gaining access to patient data being found, it could not be conclusively ruled out that hackers did not access personal and medical information of patients including their names, date of birth, addresses, diagnosis codes, insurance information, and Medicare details.
• One of the largest social media breaches in the history impacting 50 million people was unearthed when a whistleblower disclosed how Cambridge-Analytica violated privacy policy of Facebook to steal personal information of the users. An app, named My Digital Life, developed by the firm Cambridge Analytica paid 270,000 account holders to take a personality test. However, the data was then used to steal every account holders friend information. The information was later used to send targeted political advertisements. The breach has raised various serious questions and impacted the credibility of Facebook. Many governments across the world are now planning to posture their social media laws to prevent any misuse of data for manipulation of voters.
• The famous fast-moving-games business Camelot has asked millions of National Lottery players to change their passwords following a suspicious activity involving lottery accounts. As per Camelot, the hackers have not been able to access core systems or databases and hence lottery draws or prizes have remained unimpacted. However, it has recommended about 10.5 million registered users to change their login passwords after a number of unauthorized logins were noticed. As per the officials, the account breaches might have been carried out through “credential stuffing” attack.
• Soon after the United States disclosed that Russia had been targeting its energy sector, a new attack on PREPA, an energy utility organization, was reported from Puerto Rico. The company revealed that though hackers had succeeded in hacking it, but no customer data was compromised. The official disclosure further revealed that PREPA’s customer service system was not affected though the attack led to longer wait times at its service center.
• Orbitz, a subsidiary of online travel agency Expedia Inc suffered a data breach impacting 880,000 payment cards. As per the official statement, hackers may have accessed personal information from about 880,000 payment cards. The breach is learned to have occurred somewhere between Jan. 1, 2016 and Dec. 22, 2017, for the partner platform and between Jan. 1, 2016 and June 22, 2016, for the consumer platform. The information that may have been stolen includes phone numbers, names, email and billing addresses. The company assured that social security numbers of its U.S customers were not impacted in the breach.
• City of Atlanta’s computer systems were attacked probably by SamSam ransomware. The incident was confirmed by an official statement that disclosed the incident involving city computer’s experiencing outages on internal and customer-facing applications. While the attack did not impact the services but some applications that customers use to pay bills or access court-related information were severely impacted. As of now, there is no clarity if any personal or financial information or any kind of employee data has been compromised.
• The Russian-linked Fancy Bears hacker group was found targeting Britain’s anti-doping agency attempting to disrupt its systems. However, as per the statement released by the agency, none of the data was compromised  and no core activity including their testing program suffered any kind of impact. While the agency did not point towards any hacker group but given the past cyber incidents in which Fancy Bears targeted WADA and IOC, the experts did not have to brainstorm much to guess the actor involved.
• An Post customers suffered a security incident when the company shared their sensitive details without their knowledge with a subsidiary. The incident impact about 8,000 customers who had asked the company to redirect their mail to a new address. The file containing the data was sent to Dublin-based Precision Marketing Information Limited which trades as Data Ireland. As per the information disclosed, the data breach occurred between April 2016 to September 2017.
• Medical records of at least 42,000 patients were impacted when a Long Island, N.Y., a medical center left exposed a port normally used for remote synchronization. Security researchers found that port 873, used for remote synchronization and moving data between devices, on the server belonging the medical practice was configured open allowing access to anyone who knew the server’s IP address.
• The WannaCry ransomware attack was once again in new when in infected few computers at Boeing’s production facility. After the initial scare that the ransomware might have brought down the production equipment, the company executive dispersed fear-mongering by stating that the attack had been contained with minimal damage. As per the company statement, the infection was limited to a few machines and there was no interruption to the 777 jet program or any other program.

New Threats

• Researchers have discovered a new Remote Access Trojan (RAT) that has been written entirely in Python. The trojan is tasked to perform highly targeted attacks. Dubbed CannibalRAT, the trojan displays the signs of code cannibalization. Two variants of the trojan have been found with both of them having unsophisticated RAT capabilities. One of the versions of the trojan targeted the users of a Brazilian public sector management school.
• There has been a big shift in the threat landscape with hackers preferring crypto miners over ransomware in the late last season. However, new families of ransomware are still being discovered. This week, the security researchers found a new ransomware family dubbed Thanatos. When encrypting files on a computer, the malware appends the .THANATOS extension to them. After completing the encryption, the malware connects to a specific URL to report back, thus allowing attackers to keep track of the number of infected victims.
• The hackers are delivering GandCrab ransomware using a new method. Although, the decryption key for this ransomware has already been released, but hackers are still not willing to yield. Now, they are using EITest to distribute GandCrab ransomware as part of HoeflerText Font Update scam. This social engineering scam scrambles the text of a hacked site when a visitor reaches it through a search engine. The JavaScript then issues an alert stating that the scrambled text was due to a browser font not being found and that a user should download and install a browser Font Pack to fix the problem.
• A new vulnerability in Adobe ReaderDC was found that if exploited could lead to arbitrary code execution. Since Adobe ReaderDC allows embedded Javascript scripts in the PDF, a hacker gains the potential ability to precisely manipulate the memory layout and create an additional attack surface. As per the security researchers “A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044”.
• A new variety of cryptocurrency miner, named “CryptoJack”, that targets other cryptocurrencies and online wallets, has been spotted by security researchers recently. The malware works by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet. This technique relies on victims not checking the destination wallet prior to finalizing a transaction. It includes a 'kill list' feature that disables the processes of other coin miners and infects the targeted computer to mine currency only for itself. In 2017, CryptoShuffler was the first malware to work on the same tactics.  
• Academics from the leading university of Iowa and Purdue University have uncovered new vulnerabilities in the core protocols that power 4G LTE mobile networks across the world. The vulnerabilities affect the attach, detach, and paging procedures that are part of Long-Term Evolution (LTE), a standard for high-speed wireless communication for mobile devices. An attacker could connect to a 4G LTE network using another user's identity, send messages on behalf of another user, intercept messages meant for that user, spoof the location of a mobile device, and even force other devices to disconnect from a mobile network.
• Researchers have unearthed a new version of the GandCrab ransomware. Dubbed GandCrab 2, the version is supposedly more secure with a significant difference from the original one. The new version has been released just after the decryption key for the original version was released by the security researchers. The GandCrab version 2 comes with different hostnames for the C&C servers at the backend. Interestingly, one of the hostnames is politiaromana.bit, names in honor of the Romanian police which was instrumental in recovering decryption keys for the original version.
• Security researchers have discovered a new attack method that allows hackers to bypass Microsoft’s Code Integrity Guard (CIG) and inject a malicious code into protected processes, including Microsoft Edge. CIGslip bypasses CIG's security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.
• An old malware, dubbed Qrypter remote access Trojan (RAT), developed by an underground hacker group called ‘QUA R&D’ has been found targeting hundreds of organizations all across the world in a series of attacks. Also known by the names of Qarallax, Quaverse, QRAT and Qontroller, the malware leveraged TOR-based command and control servers. QRAT is a Java-based RAT that was first detailed in June 2016 after being found attacking individuals applying for a U.S. Visa in Switzerland. The malware is delivered usually via malicious email campaigns that consist of only a few hundred messages each.
• A new malspam campaign that purports itself to be from Craigslist is doing rounds while distributing the Sigma Ransomware. The emails camouflage themselves as responses to short-term job postings on Craigslist called Gigs. The malspam email comes with a password protected Word or RTF document that delivers Sigma Ransomware executable from a remote site and installs in on the target computer. Similar to a previous Sigma malspam campaign that pretended to be resumes, these emails contain malicious password protected Word or RTF documents that supposedly contain the information regarding the respondent.
• Highly critical security flaws, being touted at par with Meltdown and Spectre impacting Intel chips, have been discovered by researchers in AMD chips. The flaws could potentially allow hackers to gain access to sensitive data from highly protected processors from millions of devices. The essential point to be noted is that the vulnerabilities have been found in the most secure part of the processors wherein most sensitive data like passwords and encryption keys are stored.
• Researchers have unveiled a new backdoor being deployed by OceanLotus, a cyber-espionage group from Vietnam. Known as APT32 and APT-C-00, the group has been targeting government organizations and high profile corporate targets in Southeast Asian countries including Vietnam, Laos, the Philippines and Cambodia. As per researchers, the group is believed to have good resources at its disposal. The conclusion has been drawn from the usage of a custom built malware in combination with other techniques deployed by the threat actor.
• A two-year-old Java-based remote access tool named “Qrypter” has been found becoming quite a favorite amongst existing cross-platform backdoors like Adwind as an efficient Malware-as-a-Service (MaaS) platform. The malware attracted attention when it targeted individuals applying for a US Visa in Switzerland in March 2016. The hackers first inject the tool into target systems using phishing emails. Once the target is socially engineered to download the tool, the malware executes two VBS files in the %Temp% folder using random filenames which subsequently collect details of antivirus products or firewall installed on the target system.
• A new ransomware, called ZENIS,  that encrypts files and later purposely deletes the backups has been discovered by researchers. The ransomware uses a customized encryption method and scares the victim by threatening to delete the infected files if the payment is not made. As of now, the distribution method of Zenis is not completely known. The researchers have been able to zero-in at only one means of propagation of this self-proclaimed “mischievous boy” Zenis and that happens through Remote Desktop Services.
• Researchers have discovered a new Android Trojan that uses Telegram Bot API to communicate with the command and control (C&C) server and to exfiltrate data. Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The conclusions were drawn when experts found similarities with another Android malware dubbed IRRAT Trojan, which also leverages Telegram’s bot API for C&C communication communications. The malware is laced with capabilities to receive remote commands allowing it to steal sensitive data like contacts, location, app list or any other copied on the clipboard amongst other features.  
• A new strain of cryptomining malware has been unearthed. Codenamed GhostMiner by researchers, the malware leverages PowerShell code to obtain fileless execution. It is a competitive malware that scans the system to look out for other cryptominers and if found, halts their process. As of now, the financial profitability is not high for GhostMiner but the malware has garnered attention for its technical features. The malware is the first fileless cryptocurrency miner malware detected that allows hackers to run malicious codes directly from memory without leaving any files on disk. As such it makes itself hidden to classic antivirus engines.  
• GoScanSSH, a malware that targets vulnerable Linux-based systems, has been discovered by the security experts. One of the surprising feature of this malware is that it avoids infecting devices on government and military networks. Coded in Go, the malware uses infected hosts to scan for new ones. It also uses the SSH port as the entry point. The malware has been carefully designed with a sophisticated infection process. The way it carefully avoids infecting devices on government or military networks leaves a strong suspicion that the malware is handiwork of an advanced threat actor.
• A new MBR bootlocker called UselessDisk or DiskWrites has been unearthed. The malware overwrites the MBR and then displays a ransom screen on reboot window instead of booting into Windows which is the normal procedure. As per the displayed ransom note, the hackers have been asking for $300 in bitcoins for returning Windows access to the victim. Once the malware executes the infection, it replaces the MBR with its own bootloader which is followed by the computer reboot using “shutdown-r-t 0” command. Thereafter, the normal procedure is disrupted and a ransom note is displayed.
• Security analysts at discovered a new exploit builder kit that targets Microsoft Office and comes with a variety of features including a mechanism to report infection statistics. It was found out that the documents produced by this kit bore similar features to Microsoft Word Intruder. The new kit has been dubbed as ThreatKit and is being used to deliver a variety of malicious payloads including Trickbot banking trojan, Chthonic banking trojan, FormBook RAT and Loki Bot. The threadkit was also found out to be used by threat actors including Carbanak and Cobalt gang.
• Researchers have discovered a new android malware dubbed ANDROIDOS_HIDDENMINER that can clandestinely first infect a mobile device then use its computing power to mine Monero. The self-protection and persistence mechanism of the app include hiding itself from the unwitting user and abusing the Device Administrator feature that was last seen in SLocker Android ransomware. Researchers also found the Monero mining pools and wallets being connected to the malware, an indication of an active campaign that uses infected devices to mine the cryptocurrency.