Cyware Daily Threat Intelligence, February 26, 2020


Abuse of an authentication process can put the security of a device or network at risk. Researchers have now demonstrated a new type of impersonation attack that exploits the mutual authentication method currently used on 4G mobile networks. Termed IMP4GT (IMPersonation attacks in 4G NeTworks), the attack can prove dangerous if threat actors start establishing arbitrary TCP/IP connections on a target phone by bypassing the firewall mechanism of the LTE network.

In a major discovery, the Reprint Mint photo store has been found to be infected with at least 18 card skimmers since August 2017. The latest skimmer malware was planted on the website on January 23, 2020.

An ongoing campaign that threatens victim organizations with DDoS attacks unless a ransom is paid was also detected in the past 24 hours. The latest of the targeted victims is the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).

Top Breaches Reported in the Last 24 Hours

Ordnance Survey hacked
UK mapping agency Ordnance Survey has suffered a security breach leading to the compromise of personal details of 100 employees. It is unclear when the breach happened, but the attacker is thought to have compromised the CFO’s email account via a phishing attack. Following the attack, Ordnance Survey has taken remedial steps to restore its systems and the affected email accounts.

Global DDoS extortion campaign
A threat actor group has been emailing victims with threats to carry out DDoS attacks since October 2019. The latest victim of the campaign is the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).

Ransomware attack
The Reading Municipal Light Department (RMLD) was targeted last week by cybercriminals hoping to extort money by encrypting data in the utility’s computer system. The firm disclosed that there is no evidence of compromise of customers’ financial data. Electricity services were also not interrupted by the attack.
 
Top Malware Reported in the Last 24 Hours

IMP4GT impersonation attacks
A group of researchers has discovered a new attack on 4G mobile networks that can be used to impersonate users. Called IMP4GT (IMPersonation attacks in 4G NeTworks), the attack leverages the currently used mutual authentication method. The attack can allow an active radio attacker to establish arbitrary TCP/IP connections on a target phone by bypassing the firewall mechanism of the LTE network.

Cloud snooper attack
Researchers have demonstrated a Cloud Snooper attack that uses a unique combination of techniques to allow malware to run on servers and to communicate with its C2 server through firewalls. The attack formula has been successfully tested on both Windows and Linux systems.

Emotet trojan campaigns
Threat actors have been found leveraging the deadly Coronavirus threat to deliver the Emotet trojan. The attack campaigns are conducted via phishing emails carrying a specific attachment, named ‘CoronavirusSafety Measures_pdf.exe’ so that the executable passes as a PDF document.
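As an added example (not part of the Cyware briefing), a small Python triage check for attachment names of the kind used in the Emotet lure above, where a document-looking token such as ‘_pdf’ precedes the real executable extension; the sample filenames are constructed for the demonstration.

```python
"""Flag mail attachment names that disguise an executable as a document.

Added example, not from the briefing: the lure 'CoronavirusSafety
Measures_pdf.exe' glues a document token ('_pdf') to a real .exe extension.
"""
import re

# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
# Document types commonly imitated by lures.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                   "txt", "jpg", "png"}
RTLO = "\u202e"  # right-to-left override, used to visually reverse a suffix
_DOC_SUFFIX = re.compile(r"[._\- ](%s)$" % "|".join(sorted(DOCUMENT_TOKENS)))


def attachment_risk(filename: str) -> list:
    """Return the reasons an attachment name looks deceptive (empty = clean)."""
    reasons = []
    if RTLO in filename:
        reasons.append("rtlo-override")
    name = filename.replace(RTLO, "").strip().lower()
    parts = name.split(".")
    if len(parts) < 2:          # no extension at all: nothing to judge here
        return reasons
    ext, stem = parts[-1], ".".join(parts[:-1])
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable-extension:{ext}")
        # Document token attached to the stem by '.', '_', '-' or space.
        if _DOC_SUFFIX.search(stem):
            reasons.append("disguised-as-document")
    return reasons


def triage(filenames: list) -> dict:
    """Map each suspicious filename to its reasons; clean names are dropped."""
    return {f: r for f in filenames if (r := attachment_risk(f))}


if __name__ == "__main__":
    # Constructed sample names, including the lure pattern from the briefing.
    samples = ["CoronavirusSafety Measures_pdf.exe", "invoice.pdf",
               "report.pdf.exe", "photo\u202egpj.scr", "notes.txt"]
    for name, why in triage(samples).items():
        print(f"{name!r}: {', '.join(why)}")
```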

Print Store customers affected
At least 18 skimmers that copy credit card information at checkout have been identified on the Reprint Mint photo store since August 2017. The first skimmer ran on the store for a year and a half, and the latest ones were added on January 23, 2020.

Top Vulnerabilities Reported in the Last 24 Hours

Google releases a patch
Google has released an emergency patch to fix three high-severity vulnerabilities. The fixed vulnerabilities include a zero-day bug that is being actively exploited in the wild. All three vulnerabilities are patched in Chrome version 80.0.3987.122 and the update is available for Windows, Mac, and Linux users.

OpenSMTPD patches RCE flaw
OpenSMTPD has patched a critical RCE flaw tracked as CVE-2020-8794. The vulnerability lets remote attackers run arbitrary shell commands as root, compromising the operating system that runs the vulnerable OpenBSD SMTP server.

Unpatched plugins exploited
At least two threat actors are actively attacking unpatched versions of the ThemeGrill Demo Importer, Profile Builder, and Duplicator plugins to compromise websites. The exploited vulnerabilities include authentication bypass flaws in ThemeGrill Demo Importer and in Profile Builder Free and Pro.

Vulnerable VPN apps
Major vulnerabilities discovered in several free VPN apps for Android can allow attackers to perform dangerous MitM attacks and steal usernames, passwords, photos, videos, messages and more. These vulnerable VPN apps have been downloaded more than 120 million times from Google Play and include the likes of SuperVPN Free VPN Client, TapVPN Free VPN, Best Ultimate VPN, Korea VPN, and VPN Unblocker Free unlimited Best Anonymous Secure.


Posted on: February 26, 2020
