Cyware Daily Threat Intelligence February 26, 2019

The University of Connecticut (UConn) Health Center is notifying its patient about a potential data breach that occurred in December, 2018. The incident occurred after hackers gained unauthorized access to a limited number of employee email accounts. The information compromised in the breach includes individuals' names, dates of birth, addresses and limited medical data such as billing and appointment information.

Israel military's cyber defense division has blocked the Iranian hackers after knowing their intent in 2017. According to media reports, Iranian threat actor groups have been launching attacks against Israeli organizations on a daily basis. The most recent attack was launched in November, 2018 against Israel's telecommunications infrastructure.

The University of Madras was recently targeted in a ransomware attack. The ransomware was distributed via phishing emails. Once installed, the malware encrypted the data in the data server and demanded a ransom of Rs 18 lakh to restore it. However, the University escaped the attack as it had stored the back-up data. 

Security researchers have discovered new ransomware that targets both Linux and Windows servers. Dubbed as B0r0nt0K, the ransomware encrypts all files using base64 encoding scheme and later appends them with .rontok extension. Once it finishes its infection process, the ransomware leaves behind a note, demanding the victims to pay a ransom of $75,000 in Bitcoin. A Vietnamese threat actor is believed to be behind the new B0r0nt0K ransomware.

Cybercriminals are targeting Apex Legends fans in different phishing campaigns. The attackers are leveraging multiple channels on YouTube and fake domains to distribute a fake Apex Legends app. The campaign redirects. Once the fake app is installed, it opens doors for other malware such as trojans, backdoors and adware. 

A Southeast Asian threat actor group named Bitter has been found leveraging three variants of AstraDownloader to inject the infamous BitterRAT malware. The campaign is launched against organizations in Pakistan and Saudi Arabia. It starts with a spear-phishing attack. 

Security researchers have uncovered a new browser-based attack named MarioNet. The attack consists of two parts: an in-browser component and a remote command & control system. It leverages the power provided by Service Workers API in modern browsers to initiate its infection process. The worst part of the attack is that it can be launched silently on a browser without any user interaction.

Unpatched routers 

According to a report from cybersecurity firm Avast, it has been found that 59.7% of routers have weak credentials or some vulnerabilities. Furthermore, it is also discovered that 59.1% of users worldwide have never logged into their router or have never updated its firmware. Cybercriminals can leverage these vulnerable routers to take control of other devices such as phones, computers and Internet-connected home appliances.

Debian has released a security update to address a heap-based buffer overflow vulnerability in Sound eXchange (SoX). The flaw impacts all the versions prior to 14.4.1 of SoX. Tracked as CVE-2014-8145, the bug can allow attackers to have an unspecified impact on start_read or AdpcmReadBlock function. Users are urged to upgrade Debian 8 'Jessie' to 14.4.1-5+deb8u1 version. 

Microsoft has recently fixed a flaw in its Internet Information Server (IIS) webserver software. The flaw could allow attackers to launch DDoS attacks. Microsoft fixed the issue by adding an option to limit the number of SETTINGS frames in an HTTP/2 request.

Instagram users are being notified about a new scam that promises users with a high return. The scam dubbed as 'Get Rich Quick' asks individuals for an initial investment of £600 and promises them to credit the profit within 24 hours. Action Fraud said people aged between 20 and 30 are the most likely to fall victim to this type of scam. In order to stay safe, users are urged not to respond to any request that asks you to send money for a high-return, unless it is from a trusted source. Always check the credentials of a financial company on the Financial Conduct Authority’s (FCA) website before making any advance payment.