Cyware Daily Threat Intelligence January 24, 2019

Alaska officials have sent about 87,000 letters to those possibly affected by a computer security breach at the state Division of Public Assitance last year. The breach occurred after a virus infected one of the division's computers in April 2018. The data compromised in the incident included names, Social Security numbers, health information, benefits information and addresses of users. 

A server running an unsecured ElasticSearch database has exposed over 24 million banking and financial documents belonging to some of the major banks in the US. The leaked data contained sensitive information dating back to at least 2008. The leaky database had loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents. Citigroup, HSBC Life Insurance, Wells Fargo and CapitalOne are some of the affected financial organizations.

A massive adware campaign that uses the tricky steganography technique has been found affecting a million Mac users. The victims are presented with ad images - that harbor malware - on trusted Google sites and in memes on Twitter. Once clicked, these malicious ads infect the Mac systems with the Shlayer trojan. The Trojan masquerades as a Flash upgrade and redirects the victim to an adware installer.

The hAnt ransomware has been observed targeting Bitcoin mining rigs in its recent attack in China. Most of the infected mining rigs are Antminer S9 and T9 devices, used for mining Bitcoins. According to reports, once hAnt infects a mining rig, it immediately locks the device and prevents it from mining any currency until a ransom is paid. The ransomware threatens to destroy the infected mining rigs if victims don't infect 1000 other devices or don't pay a ransom of 10 Bitcoins.

Redaman banking trojan

The Redaman banking trojan has increased its activity in the last half of 2018. Recently, it has been found targeting victims that use Russian financial institutions. The malware is distributed via phishing emails that contain a malicious PDF attachment.

A new malspam campaign has been observed distributing GandCrab v5.1 ransomware. Spam emails containing malicious Word documents are leveraged to spread the malware. These spam emails appear to come from Rosie L. Ashton and has a subject of "Up to dat? ?m?rg?n?y ?xit map". If the attachment is opened, the user is shown a document with the text "Emergency exit map" and a prompt to enable the content.

Two security flaws dubbed as 'Fake Stake' Attacks have been found impacting 26 Proof-of-Stake (PoS) cryptocurrencies. These cryptocurrencies draw their basic design code from Bitcoin's codebase. As a result of these flaws, attackers gain control over a currency's entire Blockchain transactions and conduct fraudulent operations. The flaws were first discovered in August 2018. 

A weakness in GoDaddy.Com was exploited by scammers to hijack at least 78 domains that belonged to popular organizations such as Expedia, Mozilla and Yelo. These domains are believed to have been used in two disruptive spam email campaigns that were launched in 2018. The two spam campaigns are a bomb threat hoax and a sextortion email campaign. 

A critical vulnerability, dubbed as CVE-2019-6260, has been found impacting multiple Baseboard Management Controller (BMC) firmware stacks and hardware. Systems using the ASPEED ast2400 and ast2500 system-on-chips (SoCs) are affected by the bug. It can allow attackers to read and write the BMC's physical address space.

In 2018, scammers earned around $36 million by duping Ether owners. The amount is double when compared to that made by tricksters in 2017. According to a report from Chainalysis, it was found that there were more than 2,000 fraud addresses on Ethereum, the blockchain-based platform on which Ether is distributed. These fraud addresses had managed to collect funds from nearly 40,000 unique users over last year. Furthermore, it was also observed that 333 ETH had earned nearly $3.5 million worth of Ether. 333 ETH is a Russian-language based website. Though it was called out as a scam by the State of the DApps, it is still attracting investors due to the lure of quick returns.