Cyware Monthly Cyber Threat Intelligence February 2019

The Good

As we gear up to a new month of the year, let’s quickly glance through all that happened over the past month. Before we get into the cybersecurity incidents and the new threats, let’s first acknowledge all the positive events that happened over the past month. Google has released a Chrome extension named ‘Password Checkup’ to protect accounts from data breaches. Google and FIDO Alliance has announced that the Android operating system is now FIDO2 certified. Meanwhile, Sectigo has released Zero-Touch deployment email encryption and digital signing solution to increase compliance with government regulations and reduce cybersecurity risks.

  • Google has released a Chrome extension named ‘Password Checkup’ on the Safer Internet Day (February 5, 2019). This extension checks if usernames and passwords combinations entered in login pages are one of over 4 billion credentials that Google knows to have been previously compromised in data breaches.
  • Google has developed a new Chrome feature that fights against DOM-based XSS attacks. This new feature is a browser API called ‘Trusted Types’ that helps Chrome fight against certain cross-site scripting XSS vulnerabilities. The feature adds another level of protection at the browser level to protect users from cross-site scripting vulnerabilities such as DOM-based XSS.
  • SK Telecom has announced to launch its Quantum Security Gateway solution to prevent hacking in self-driving cars. The solution is an integrated security device that will be installed inside cars and protects various electronic units and networks in the cars. The gateway solution once installed inside cars, monitors various devices for Vehicle-2-Everything (V2X), Bluetooth, radar, smart keys, and driver assistance systems.
  • Google and FIDO Alliance has announced that the Android operating system is now FIDO2 certified which indicates that password authentication could be eradicated from the mobile ecosystem. Now that Android is FIDO2 certified, this enables over a billion Android devices to implement passwordless authentication standards.
  • SSL Certificate Authority Sectigo has released Zero-Touch deployment email encryption and digital signing solution to increase compliance with government regulations and reduce cybersecurity risks. This enables email gateways to scan encrypted traffic in order to detect malware as well as sign an email on behalf of the sender.
  • Google is working to advance the cyber-security model known as ‘confidential computing’ with the Asylo project to protect the integrity of workloads. The confidential computing approach provides an additional layer of protection against malicious insiders, vulnerabilities and compromised operating systems.
  • Mitsubishi Electric has developed a sensor-security technology that detects inconsistencies in sensor measurements when drones, vehicles, or robots are under attack. Mitsubishi plans to commercialize the product next year by offering the technology to manufacturers of cars, drones, etc.
  • Google has made new updates to its Google Play Protect to protect Android users from potentially harmful applications (PHA). Now, Google Play Protect comes as a default built-in feature of every Android device, instead of users manually enabling the feature


The Bad

February witnessed several data breaches and cyber attacks that saw the exposure of millions of people's personal information across the globe. South Africa’s electricity provider Eskom was hit with a double security breach. The Australian Federal Parliament’s computer network has been hacked. In the meantime, Cybercriminals have put up two new databases that contain a total of 69,186 Pakistani banks’ cards for sale on the Joker’s Stash underground forum.


  • South Africa’s primary electricity provider Eskom was hit by not just one, but two security breaches. One was due to an unsecured database that leaked customer data online. The second breach came along with AZORult malware infection disguised as a downloader for The Sims 4 game.
  • The Australian Federal Parliament’s computer network has been hacked. Parliament’s presiding officers, Speaker of the House of Representatives MP Tony Smith and President of the Senate MP Scott Ryan confirmed that there is no evidence that any data has been accessed at this point of time. However, Australian security agencies are suspecting China to be behind this attack.
  • British MPs were targeted by an attempt to access their contacts list and send texts and emails to all their private contacts. Deputy Chief Whip Christopher Pincher warned MPs to be aware of the text messages and emails asking them to provide overseas contact details or to download a secure message app.
  • Almost 620 million account credentials stolen from 16 companies were put up for sale on the Dark Web by a seller named ‘gnosticplayers’. The stolen accounts belonged to 16 websites including Dubsmash, MyFitnessPal, MyHeritage, Animoto, 8fit, 500px, Armor Games, CoffeeMeetsBagel and Artsy. The highest number of account credentials were stolen from Dubsmash, recording a total of 162 million.
  • Followed by the first batch of 620 million accounts stolen from 16 companies, a second batch containing 127 million stolen accounts was made available for sale on the Dark Web by ‘gnosticplayers’ who quoted $14,500 in bitcoin for the collection. The stolen accounts belonged to 8 companies including Ixigo, Houzz, YouNow, Coinmama, Petflow, Ge.tt, Roll20.net, and StrongHoldKingdoms.
  • The seller ‘gnosticplayers’ was back again with a collection of 93 million stolen account credentials from 8 companies. This is the third batch made available for sale by gnosticplayers in the Dream Market marketplace which is worth 2.6249 bitcoin amounting to $9,400.
  • Attackers compromised North Country Business Products (NCBP) IT systems and planted malware on its clients’ Point-of-Sale (POS) systems. The attack has impacted nearly 140 food chains such as coffee shops, restaurants, bars, standalone hotels, and various food chain franchises. The impacted food chains included Dunn Brothers Coffee, Someburros, Zipps Sports Grill, and more.
  • A storage server containing real-time call recordings made to the 1177 Swedish Healthcare Guide helpline for health care information was found publicly available without any password protection. The unprotected server which was left open without a password exposed almost 2.7 million health-related call recordings that dated back to 2013.
  • Researchers observed a new Ad fraud campaign dubbed ‘DrainerBot’ which plays invisible ad videos in Android devices via infected apps. The DrainerBot ad fraud scheme uses malicious codes in Android apps to deliver ad videos to mobile devices that have installed the infected apps. The ad fraud scheme has been distributed via infected Android applications that have almost 10 million downloads.
  • A new phishing attack dubbed ‘NoRelationship’ was observed recently that bypasses Microsoft’s Exchange Online Protection (EOP) URL filters which scans Microsoft Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx). The attackers behind the ‘NoRelationship’ phishing campaign deleted external links from a relationship (xml.rels) file which is a legitimate file that lists all links included in an attachment. This lead to Microsoft’s Exchange Online Protection filters not detecting the malicious URL.
  • Dow Jones Watchlist’s database was publicly available without any password protection thereby exposing almost 2.4 million records. Upon learning the incident, Dow Jones immediately disabled the leaky Elasticsearch database.
  • Cybercriminals have put up two new databases that contain a total of 69,186 Pakistani banks’ cards for sale on the Joker’s Stash underground forum which is estimated to be approximately $3.5 million. Researchers noted that the price of a single card detail ranged between $10 and $40, and the cards with PIN codes were priced at $50.


New Threats

Several new malware, ransomware, vulnerabilities, and threat groups emerged over the past month. Researchers spotted a new backdoor trojan dubbed ‘Speakup’ that infects Linux and MacOS systems. A Monero cryptocurrency-mining malware variant has been found using a combination of RADMIN and MIMIKATZ exploit tools to spread across networks. Last but not least, New vulnerabilities dubbed ‘Zombie POODLE’ and ‘GOLDENDOODLE’ were spotted affecting the HTTPS.

  • A new malware campaign distributing the Orcus Remote Access Trojan (RAT) has been discovered recently. A threat actor group named PUSIKURAC is found to be behind this campaign. The campaign distributed the Orcus RAT by injecting the malware in a Ramadan-themed Coca-Cola video.
  • Researchers observed a Geodo spam campaign targeting employees of a US government agency. This campaign was spotted dropping the Qakbot malware onto unsuspecting systems.  The phishing campaign delivered a malicious Office document containing hostile macros. Once the macro is executed, it downloads a PowerShell-based Qakbot payload.
  • New vulnerabilities dubbed ‘Zombie POODLE’ and ‘GOLDENDOODLE’ were spotted affecting the HTTPS. Researchers noted that these vulnerabilities arise from the continued use of cryptographic modes which should already have been deprecated.
  • A quickly evolving botnet called Cayosin has been observed recently by researchers. The botnet has a unique property of combining the most dangerous features of multiple previous botnets and makes them available to a broad audience at a reasonable price. The botnet is actually a custom piece of malware with characteristics similar to QBot, Mirai and a few other pieces of software.
  • A security vulnerability in Ubiquiti Networks impacted nearly 485,000 devices. Jim Troutman, Consultant, and Director of NNENIX, disclosed on Twitter that attackers are remotely exploiting Ubiquity networking devices exposed via a UDP port 10001. A majority of the exposed Ubiquity devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products.
  • The Outlaw threat actor group was spotted conducting a malware campaign targeting Linux systems in cryptocurrency mining attacks. The campaign used a new version of Shellbot trojan which bridges a tunnel between an infected system and a C&C server operated by the attackers.
  • Researchers spotted a new malware campaign distributing a backdoor trojan named ‘SpeakUp’ which exploits known vulnerabilities in six different Linux software. This malware campaign targets servers in East Asia and Latin America, including AWS hosted machines. Researchers noted that this campaign also manages to evade all antivirus solutions.
  • A team of academics has found a new variant of the infamous Bleichenbacher's attack affecting the latest version of the TLS protocol, TLS1.3. The new variant of Bleichenbacher's attack could allow attackers to intercept the TLS traffic and steal data. The new variant of Bleichenbacher's attack also affects Google’s new QUIC encryption protocol.
  • A security researcher recently discovered a vulnerability affecting the Ubuntu operating system. The researcher named the vulnerability as ‘Dirty Sock’ and noted that this bug is a local privilege escalation vulnerability which could allow attackers to gain root level access to the system.
  • A new variant of Emotet trojan has been observed in the wild. This new variant obfuscates the initial infection VBA macro code to avoid detection by anti-virus software. Researchers noted that the new variant is delivered in two different ways: First, via a URL that is hosted on attacker-controlled infrastructure and second, as an email attachment.
  • A Monero cryptocurrency-mining malware variant has been found using a combination of RADMIN and MIMIKATZ exploit tools to spread across the local area networks. The attack campaign primarily targets companies in China, Taiwan, Italy, and Hong Kong.
  • Researchers from Avast detected a new malware strain dubbed Rietspoof, which is distributed via instant messaging clients such as Facebook Messenger and Skype. Rietspoof is a multi-stage malware that utilizes several stages to drop a more versatile malware. The actual Rietspoof malware is dropped in the third stage with capabilities such as downloading or uploading files, starting processes, or initiating a self-destruct function.
  • A new malware dubbed Muncy has been spotted targeting victims worldwide. Muncy malware is distributed via a phishing campaign that impersonates the logistics giant DHL to trick users. Apart from spoofing the emails, the attackers behind Muncy are also leveraging poorly configured SMTP servers to distribute the malware.
  • Researchers uncovered a new ATM malware dubbed WinPot that uses a slot machine interface to steal funds by compromising ATMs. WinPot, also known as ATMPot, is designed to compromise the ATMs and force these machines to empty their cassettes of all funds. A seller of the malware has recently offered WinPot v.3 which includes a revamped interface and a currently unidentified program called ‘ShowMeMoney’.
  • Researchers uncovered new ransomware dubbed B0r0nt0K that encrypts victim's websites and demands a ransom payment of 20 bitcoin, which is worth $75,000. Researchers noted that B0r0nt0K ransomware currently infects Linux servers, but may also have the ability to encrypt Windows OS.
  • A new vulnerability dubbed ‘Thunderclap’ was detected in the Thunderbolt hardware interface. This ‘Thunderclap’ vulnerability impacts Windows, Mac, Linux, and FreeBSD systems.
  • Researchers identified a new malware dubbed Farseer that frequently-targets the Microsoft Windows operating system. Farseer has connections to other malware, such as HenBox, Poison Ivy, Zupdax, and PKPLUG. The malware leverages a technique known as ‘DLL sideloading’ to drop legitimate, signed binaries to the host.
  • A new vulnerability dubbed ‘Cloudborne’ has been detected recently. This vulnerability could allow attackers to implant backdoor in the firmware or BMC of bare metal servers causing a variety of attack situations such as performing a PDoS attack, stealing data from the application running on the cloud service, and executing a ransomware attack by disabling the application.
  • A research team from Greece outlined a new browser-based attack dubbed ‘MarioNet’ that could allow attackers to run malicious code inside users’ browsers even after the web page is closed. MarioNet attack enables attackers to assemble giant botnets from users’ browsers and later use them to conduct various malicious activities.
  • Researchers observed a spear phishing campaign containing a new malware dubbed ‘BabyShark’. The spear-phishing campaign targets national security think tanks and research institutions in the US. BabyShark malware shares similarities with the KimJongRaT.





  • Share this blog:
Previous
Next
Cyware Monthly Cyber Threat Intelligence January 2019
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.