Cyware Daily Threat Intelligence February 20, 2019

Microsoft revealed that Fancy Bear threat actor group - which is linked to Russian military intelligence - has targeted European offices of The Aspen Institute and The German Marshall Fund of the United States. The German Council on Foreign Relations was also targeted in this attack. The attack occurred between September and December, 2018 and was conducted using spoofed emails. The attacks against these organizations targeted 104 accounts belonging to organization employees located in Belgium, France, Germany, Poland, Romania, and Serbia. The targeted think tanks work on issues related to election security, nuclear policy, and foreign relations.

Researchers have spotted a new phishing campaign targeting the United Nations staff. The campaign leverages the spoofed login page for the United Nations Unite Unity to trick its victims. When visitors try to login into the fraudulent page, they are redirected to a film viewing invitation page dating back to September 2018. The campaign is being used to steal login credentials of the staff. 

A vulnerability in the NolijWeb system at Stanford University exposed the personal records of some 81 students. The records included a wide range of data such as students' Social Security numbers, ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and official standardized test scores. Currently, the system is patched and the affected students have been notified about the issue. 

Indane, India's popular state-owned gas company, has reportedly exposed millions of Aadhaar numbers on its own website and app. The leak occurred due to the security lapse of the company. It is found that Indane had left a part of its website exposed to dealers and distributors. This part of the site was indexed in Google, allowing anyone to bypass the login page and access the dealer database.

Kaspersky Labs researchers have discovered that attackers are using a newly evolved WinPot ATM malware, to compromise ATM machines and empty their cassettes of all funds. The malware was first discovered in underground forums in March 2018. Lately, the hackers have enhanced the capabilities of the malware and developed the UI to look like a slot machine. 

A new phishing campaign that is used to distribute Shade ransomware, has been discovered by security researchers. The malware is distributed via phishing emails that appear to come from legitimate Russian Oil & Gas organizations. The phishing email contains a .zip file named ‘slavneft.zakaz.zip’. If a user opens the file, then it downloads and executes the Shade ransomware. 

Microsoft has removed eight malicious Windows 10 apps from the official Microsoft Store. These apps were found to be engaged in illegal mining of cryptocurrencies. The names of the eight apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

In the past, creating and changing Linux files from Windows resulted in losing files or corrupting data. However, this issue has been resolved with the introduction of a new feature named Windows Subsystem for Linux (WSL). The WSL in Windows 10 version 1903 will enable anyone to open and access Linux files from Windows. The best way to use the feature is to open the Linux files in File Explorer. 

A privilege escalation vulnerability has been discovered in the laptops of the LG Device Manager application. The flaw can allow attackers to gain root privileges on systems and write arbitrary physical memory via specially crafted IOCTL requests. The flaw is tracked as CVE-2019-8372. The LHA.sys drivers before 1.1.1811.2101 in LG Device Manager are exposed to this vulnerability. The firm has been notified about the issue and a patch is slated to be released soon.