Cyware Daily Threat Intelligence December 14, 2018

Top Breaches Reported in the Last 24 Hours

Quebec City cyberattack
Hackers hit the adapted transportation system (STAC) of Quebec City. The attack impacted over 10,000 passengers who were unable to use STAC's services to move around the city. The cyber-attack was an automated program that was able to spot a weak link in the system. Full service should be restored by early next week, as specialists manually re-enter the lost data.

Boomoji leak
Boomoji has exposed the personal data of its entire user base (iOS and Android users) after it failed to set passwords on two of its internet-facing databases. The app has more than 5 million users across the world. Threat actors who knew where to look for the databases could have accessed, edited, or deleted them from a web browser. The incident also exposed the precise geolocation of more than 375,000 users.

Charming Kitten
Iranian-backed Charming Kitten targeted the personal email accounts of U.S. Treasury officials around the time President Trump reimposed sanctions on the country. Hackers designed specific plans for each target based on the level of targets’ cyber knowledge, their contacts, activities, working time, and their geographic situation.

Top Malware Reported in the Last 24 Hours

Cannon and Zebrocy
The Kremlin-linked Fancy Bear group launched attacks against global governments using the Cannon and Zebrocy malware variants. The campaign was carried out from mid-October through mid-November. Targets included a multitude of organizations around the world, among them a foreign affairs organization in North America, foreign affairs organizations in Europe, and government entities in former USSR states. The malicious documents used Word's remote template function to retrieve a malicious macro from the first-stage command and control (C&C) server, then loaded and executed an initial payload.

Android.BankBot.495.origin
A new Android malware dubbed Android.BankBot.495.origin was recently discovered. The Trojan abuses Android's accessibility features to control infected mobile devices and steal the owner's confidential data. It has been downloaded over 2,000 times by Android users in Brazil. When launched, the malware attempts to gain access to the accessibility features. This allows it to operate in the background, tap buttons, and steal the contents of active app windows. The malware was also used in phishing attacks targeting apps such as Uber, Netflix, and Twitter.

Top Vulnerabilities Reported in the Last 24 Hours

LCG Kit bugs
LCG Kit is a weaponized document builder service that initially used the Microsoft Equation Editor CVE-2017-11882 exploit. It now uses Microsoft Word macros to load the shellcode responsible for installing malware payloads. The shellcode in different document samples stores the LCG (linear congruential generator) parameters in different registers, and the junk code is sometimes nested. The use of junk code causes reverse engineering tools to disassemble the shellcode incorrectly.

Visual Studio flaws
A security vulnerability tracked as CVE-2018-8599 was found affecting Microsoft's Visual Studio products. The flaw is a privilege escalation bug which, if exploited, could allow attackers to gain elevated privileges. An attacker with unprivileged access to a vulnerable system could exploit this vulnerability. Microsoft has released KB4469516 to address this issue.

Red Hat bugs
A vulnerability (CVE-2018-16861) has been identified in Red Hat Satellite which, if exploited, could allow a remote authenticated attacker to inject a malicious script into a web page; the script would execute in a victim's web browser within the security context of the hosting website once the page is viewed. Patches have been released addressing the flaw.

Top Scams Reported in the Last 24 Hours

Bomb threat scam
A new bomb threat scam is making the rounds in the US. While the email has been sent to numerous locations, searches have been conducted and no devices have been found. The emails were sent from a spoofed email address. The scammers behind the campaign claimed to have planted a small bomb in the recipient's building and that the only way to stop them from setting it off was an online payment of US$20,000 in bitcoin. The emails were sent to hundreds of schools, businesses and government buildings across the US. As a result, some schools across the country closed early and others were evacuated or placed on lockdown.
