Cyware Daily Threat Intelligence December 19, 2018

NASA has admitted to getting hacked earlier in early 2018. The hack was discovered on October 23, 2018. The personal information of current and former employees including sensitive information like Social Security Number could be possibly leaked in this breach. NASA reported that an intruder gained access to a server containing personal data of employees and the full scope of the breach is not known yet.

Vulnerabilities in Click2Gov payment system leads to exposure of 300,000 users' data in a major breach reported by Gemini Advisory. Sensitive information like credit card data has also been stolen for those who used the system to pay taxes and fines. It is estimated that the criminals earned at least $1.7 million by selling the leaked data on the Dark Web.

Britain's biggest charity has been hit by an email data breach which led to the compromise of its staffs' email accounts.

Email accounts of top fours people were compromised between 12 November 2017 to 13 August 2018 before the discovery of the attack in August 2018.

Researchers have identified multiple threat actor groups unlike a single threat actor initially believed to be responsible for recent illicit cryptomining campaigns which operated with similar TTPs. Similar TTPs used include malicious shell scripts masquerading as JPEG files that install cron jobs and download and execute miners. The campaigns also use variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.T he groups targeted flaws in Apache Struts2, Jenkins, and JBoss servers.

Quasar RAT and its modified variants identified by security researchers recently have been used for in multiple network exploits by several APTs. This open-source RAT uses a client-server architecture which helps an attacker to remotely access multiple clients. This high-level architecture allows creating client binaries and managing client connections. The associated target systems include Windows versions ranging from modern Windows 10 all the way back to Windows XP Service Pack 3.

Security researchers at Positive Research Center identified a medium-severity XXE injection vulnerability in the S3 browser. This XXE injection flaw is found to exist in the HTTP-based S3 protocol. As the server responses are transmitted in XML format, this flaw allows remote attackers to read user files and leverage NTLMv2 hash values.T he users are advised to update their browser to the latest patched version of 7.x or above as the flaw affects version 7.x and other earlier versions.

Security researchers from Trend Micro reported about the security flaws in HolaVPN software which does not use encryption and leaks IP addresses, thus compromising user privacy and security. A user’s machine, once installed with the free HolaVPN, becomes one of Luminati’s exit nodes. If the user’s machine happens to be part of a corporate network, it being an exit node may provide unknown third parties possible entry to company systems. HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes.