Cyware Daily Threat Intelligence December 5, 2018

The National Republican Congressional Committee (NRCC) was hacked and thousands of sensitive emails stolen. Four of NRCC's senior aides' email accounts were surveilled for months by the attackers. GOP House leadership, including House Speaker Paul Ryan and House Majority Leader Kevin McCarthy, were not alerted of the hack until recently. The FBI was alerted of the incident and an internal investigation was launched as well.

The websites of four Montreal regional health boards (CIUSSS) were knocked offline by a cyberattack. The sites of the CIUSSS Centre-Ouest-de-l'Île-de-Montréal, Nord-de-l'Îe-de-Montréal, l'Ouest-de-l'Îe-de-Montréal, and Centre-Sud-de-l'Île-de-Montréal have been offline since November end. Fortunately, the attack did not result in compromising the personal data of patients. 

A Florida-based medical marijuana provider's website accidentally leaked customer data. AltMed, which does business as MüV, discovered the breach thanks to a customer who sounded the alarm. AltMed's was taken down and remains offline as a precaution. The breach was caused by a website flaw.

A new variant of the prolific banking malware Ursnif was recently discovered. The new Ursnif variant was found being distributed via a malspam campaign and targeting victims in Italy. The malware's initial dropper is an obfuscated JavaScript. It creates a batch file and generates a lot of noise by attempting to connect to fake domains. The new Ursnif variant also makes debugging harder by making a new copy of itself. It uses registry keys to remain persistent in the infected system. 

A new unnamed ransomware variant struck thousands of victims in China. The ransomware infected around 20,000 Windows systems. The attackers operating the ransomware demanded $16 in bitcoins and used mainly Chinese apps to deliver the malware. The ransom payments are requested via WeChat payment service which is only available in China and adjoining region. Victims have complained to be infected with the ransomware after installing social media-themed apps. The ransomware also included an information-stealing component that harvested login credentials for several Chinese online services like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, Tmall, and Jingdong. 

Researchers have discovered major design flaws and vulnerable implementations in Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). The researchers discovered over 200 million MQTT messages and over 19 million CoAP messages being leaked by servers. The flaws provide attackers with millions of exposed records. Researchers also identified a few vulnerabilities tracked as CVE-2017-7653, CVE-2018-11615, and CVE-2018-17614. 

A group of online scammers, called London Blue, has generated a list of 50,000 CFOs, which then they used to launch BEC scams. The list was discovered by the security firm Agari after the scammers targeted the firm with one of its scams. London Blue is primarily targeting mortgage companies. Such scams are believed to focus on stealing real estate purchases or lease payments. The scammers sent out phishing emails but they didn't contain any malware, which made it difficult to detect the malicious emails. London Blue is likely based in Nigeria but has members in the UK and the US as well. The group operates as a modern corporation. Its members carry out specialized functions, including business intelligence, sales management, email marketing, and more.