Hidden Cobra campaign targets multiple industries
Security researchers at McAfee have discovered a global malware campaign targeting critical infrastructure, finance, entertainment, healthcare and telecommunications, among other industries. The campaign uses a range of implants, tools and malware variants tied to the Hidden Cobra group (the US government's designation for North Korea's Lazarus Group).
Calculator app downloads Cryptominer
A trojanized calculator app has been found distributing a miner for Bitvote, a newly launched cryptocurrency. Systems in India, Indonesia, Vietnam and several other countries have been affected so far. The app also doubles as a pirate activation tool: it lets users activate various versions of Microsoft Office and Windows without a valid license, which is the lure that gets it installed.
New Crossrider variant
A new Crossrider adware variant on macOS installs a configuration profile that forces Safari and Chrome to open chumsearch[dot]com as their home page. Because the setting is enforced by the profile rather than by the browser, it cannot be changed from the browser's own settings; the profile has to be removed from System Preferences > Profiles before the browsers can be reconfigured.
Critical vulnerabilities in Hyperoptic's ZTE H298N router
Critical vulnerabilities have been found in the H298N broadband home router that Hyperoptic supplies to its customers, manufactured by the Chinese company ZTE. The flaws let an attacker change the router's passwords, observe what the user is browsing and weaken the router's firewall. Hyperoptic has issued a firmware patch and replaced the previously shared root password with an individual root password for every router.
PackageKit authentication bypass flaw
An authentication bypass flaw, tracked as CVE-2018-1106, affects PackageKit versions before 1.1.10. It lets a local user without administrator privileges install signed packages. An attacker can abuse it to install a signed but vulnerable version of a package (for example, an older release) and then exploit that package to escalate privileges.
Kernel security updates
New kernel security updates have been released for Ubuntu 17.10 (Artful Aardvark) and Ubuntu 16.04 LTS (Xenial Xerus), addressing several recently discovered security vulnerabilities. Ubuntu 17.10 users should update to linux-image-4.13.0-39.44 on both 64-bit and 32-bit installations and then reboot, since the running kernel is not replaced until the system restarts.
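The gap that usually bites after a kernel advisory is between the package installed on disk and the kernel actually running. The check below is an added example, not part of the Cyware briefing and not Ubuntu's own tooling. It assumes the Ubuntu package version format <upstream>-<ABI>.<upload> (the advisory's 4.13.0-39.44) and the `uname -r` format <upstream>-<ABI>-<flavour> (for example 4.13.0-38-generic); the function names `kernel_is_patched` and `report_kernel` are mine.

```shell
# Added example (not from the Cyware briefing or from Ubuntu's own tools).
# Ubuntu kernel packages are versioned <upstream>-<ABI>.<upload>, e.g. the
# 4.13.0-39.44 build named in the advisory, while `uname -r` reports
# <upstream>-<ABI>-<flavour>, e.g. 4.13.0-38-generic. The ABI number is the
# part that advances with each security build, so comparing it tells you
# whether the kernel you are *running* (not merely the one on disk) is the
# patched build or later.

# kernel_is_patched RUNNING REQUIRED
#   returns 0 if RUNNING is the patched ABI or newer,
#           1 if it is older (install the update and reboot),
#           2 if the upstream series differs or the string is not parseable
#             (a different release; the advisory does not apply as-is).
kernel_is_patched() {
    running="$1"
    required="$2"
    run_base="${running%%-*}"                           # 4.13.0
    run_abi="${running#*-}"; run_abi="${run_abi%%-*}"   # 38
    req_base="${required%%-*}"                          # 4.13.0
    req_abi="${required#*-}"; req_abi="${req_abi%%.*}"  # 39
    [ "$run_base" = "$req_base" ] || return 2
    case "$run_abi" in ''|*[!0-9]*) return 2 ;; esac    # no numeric ABI found
    case "$req_abi" in ''|*[!0-9]*) return 2 ;; esac
    [ "$run_abi" -ge "$req_abi" ]
}

# Print a human-readable verdict for a running kernel against a required build.
report_kernel() {
    rc=0
    kernel_is_patched "$1" "$2" || rc=$?
    case $rc in
        0) echo "running kernel $1: at or beyond patched build $2" ;;
        1) echo "running kernel $1: OLDER than patched build $2; install the update and reboot" ;;
        *) echo "running kernel $1: different series from $2; check the advisory for your release" ;;
    esac
}

# Usage on a live host. The required version is the Artful build from the
# advisory; on a machine from another series the verdict is simply "different series".
report_kernel "$(uname -r)" "4.13.0-39.44"
```

Run it both before and after the reboot: right after `apt upgrade` the new image is on disk but `uname -r` still reports the old ABI, and the verdict stays "OLDER" until the machine has actually restarted into the new kernel.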
Webstresser.org taken down
Following an operation led by the UK and the Netherlands, the DDoS-for-hire website webstresser[.]org has been taken down. The site let criminals buy attacks on businesses and has been linked to more than 4 million cyber-attacks worldwide. The operation was supported by Europol and Police Scotland, as well as law enforcement in 11 countries.
Canada’s PEI government website attacked
The website of the Prince Edward Island (PEI) provincial government in Canada was hit by ransomware and a ransom was demanded. The government took the site offline as soon as the breach was noticed, citing the safety of the data as its primary concern. The site was down for several hours but was restored to normal operation without the ransom being paid.
Google Public DNS caught up in MyEtherWallet DNS hijack
MyEtherWallet, a popular cryptocurrency wallet, was the target of a DNS hijack in which users lost around $152,000 worth of Ether. The attackers first carried out a BGP route hijack that redirected large swaths of Internet traffic meant for Amazon's DNS servers (Route 53) to infrastructure they controlled, then answered queries for the wallet's domain with the address of a look-alike site. Resolvers such as Google Public DNS (8.8.8.8) that queried the hijacked address space passed the forged records on to users.
Posted on: April 25, 2018