Cyware Monthly Threat Intelligence, April 2019

The Good

As April comes to an end, let’s quickly recap everything that happened in the cybersecurity world this month. The past month saw several cybersecurity advancements, new laws and policies, security incidents, and the emergence of new threats. To begin with, let’s glance through the good news. USA.gov, the official online portal of the U.S. federal government, has launched an artificial intelligence (AI) powered chatbot named ‘Sam’ that answers users’ questions on scams and frauds. The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments protect their valuable data. Meanwhile, the EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 350 million EU and non-EU citizens.

  • The Department of Homeland Security (DHS) plans to roll out its new risk scoring algorithm, ‘Agency-Wide Adaptive Risk Enumeration’ (AWARE), in October 2019. AWARE will help agencies prioritize mitigation activities and improve their basic cybersecurity hygiene.
  • Singapore has introduced the ‘Protection From Online Falsehoods and Manipulation Bill’, which aims to prevent the spread of fake news on online platforms. The bill would punish disseminators of fake news with fines of up to S$100,000, imprisonment of up to 10 years, or both.
  • The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments protect their valuable data. This will help agencies secure high-value assets on mission-critical systems.
  • USA.gov, the official online portal of the U.S. federal government, has launched an artificial intelligence (AI) powered chatbot named ‘Sam’ that answers users’ questions on scams and frauds. In just over a month, Sam interacted with over 4,000 users, 78% of whom successfully asked a question and received an answer.
  • US senators have introduced a bipartisan bill, the ‘Cyber Resiliency Act’, that would require DHS to provide grants to help state and local governments enhance their cyber defenses and address cybersecurity threats.
  • The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) organized Locked Shields 2019, considered the largest live-fire cyber exercise in the world.
  • Two other US senators have introduced bipartisan legislation to ban social networking platforms from using ‘dark patterns’ to trick users into handing over their private data. Social media platforms have long used dark patterns to gain access to users’ private data such as geolocation, contacts, call logs, friend lists, and more.
  • Washington state legislators have unanimously passed a bill, ‘HB 1071’, that expands consumer data breach notification requirements to cover more types of consumer information, including full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, and biometric data.
  • The EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 350 million EU and non-EU citizens. The records include names, dates of birth, passport numbers, fingerprints, facial scans, and other identification details.

The Bad
 
April witnessed numerous data breaches and cyber attacks that exposed the personal information of millions of people across the globe. Researchers uncovered two misconfigured Amazon cloud servers belonging to the third-party companies ‘Cultura Colectiva’ and ‘At the Pool’ that contained over 540 million Facebook user records. An unprotected database belonging to Justdial exposed the personal information of almost 100 million users. Last but not least, more than 500 million iOS users were targeted by the eGobbler hacker group through massive malvertising campaigns.
 
  • Researchers have uncovered two misconfigured Amazon cloud servers belonging to the third-party companies ‘Cultura Colectiva’ and ‘At the Pool’ that contained over 540 million Facebook user records. The exposed records include account names, Facebook IDs, comments, likes, lists of Facebook friends, photos, groups, check-ins, and user preferences such as movies, music, books, and interests.
  • Several HR companies in China have exposed over 590 million resumes in the past three months through unprotected databases. While some of these misconfigured databases have since been secured, a few are still leaking data on the internet.
  • An unprotected database belonging to Justdial exposed the personal information of almost 100 million users. The exposed data includes users’ names, email addresses, mobile numbers, location addresses, genders, dates of birth, photos, designations, company names, and more.
  • Two weeks after the first exposure, Justdial exposed personal information again, this time a database of individuals who posted reviews on the platform. The information made public includes each reviewer’s name, mobile number, and location.
  • More than 500 million iOS users have been targeted by the eGobbler hacker group through massive malvertising campaigns. The campaigns ran for almost a week starting April 6, 2019, and the group used ‘8 individual campaigns and over 30 fake creatives’ to carry out the attacks.
  • The Bithumb cryptocurrency exchange suffered a cyber attack in which 3 million EOS worth $13.4 million and 20 million Ripple coins (XRP) worth $6 million were stolen. An internal inspection concluded that the incident was an ‘accident involving insiders’.
  • A security researcher found an unprotected database belonging to the Department of Medical, Health and Family Welfare of a state in northern India that exposed the medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, genetic testing, or sex determination testing of their unborn child.
  • Medical billing service provider ‘Doctors’ Management Service’ suffered a GandCrab ransomware attack that compromised patient data from about 38 clients, including Beverly Surgical Associates, Today’s Wellness PLLC, Neuro Institute of New England, and more. The compromised data includes patients’ names, addresses, dates of birth, Social Security numbers, driver’s license numbers, insurance and Medicare/Medicaid information and numbers, and medical information.
  • A Magecart group has compromised the online store of the Atlanta Hawks, a basketball team in Atlanta, Georgia. The attack affects everyone who shopped on the online store on or after April 20, 2019. Shoppers’ names, addresses, and credit card details may have been stolen through skimmers injected into hawksshop.com.
  • Manufacturing giant Aebi Schmidt has been hit with a major ransomware attack, forcing the company to shut down systems across its international network, including its U.S. subsidiaries. The attack primarily affected its European base, leaving a number of systems non-operational.
  • The ‘Gnosticplayers’ hacker is back with a fifth round of stolen data, this time putting over 65 million user accounts up for sale on the dark web. The latest batch includes user records from six new companies and is being sold for 0.8463 Bitcoin (about $4,350) on the DreamMarket marketplace.
  • Eight misconfigured databases have been found leaking approximately 60 million records of LinkedIn user information. The databases total an estimated 229 GB, with each ranging between 25 GB and 32 GB. Security researcher Sanyam Jain, who discovered them, said the data was being taken down every day and re-hosted on different IP addresses.
  • In a further revelation, Facebook has disclosed that it stored millions of Instagram users’ passwords in plaintext. The company announced this in an update to its earlier blog post on passwords kept in plaintext in its internal storage systems. Facebook emphasized that the plaintext passwords were not abused or improperly accessed by its employees.
  • Researchers have detected around 74 Facebook groups with nearly 385,000 members that were used for illicit trading of stolen credentials, email addresses, private data, credit card information, and phishing kits. Facebook’s security team has removed all 74 groups from the site.
  • Hackers breached Toyota’s IT systems and gained unauthorized access to servers containing sales information on almost 3.1 million customers. The data belonged to several sales subsidiaries, including Toyota Tokyo Sales Holdings, Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Netz Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.
  • Kaspersky Lab researchers have revealed a new cybercrime marketplace named ‘Genesis’ where criminals are selling full digital fingerprints of over 60,000 users. Genesis sells digital fingerprints and identities: cookies, credit card information, sensitive documents, browser user-agent details, WebGL signatures, and website logins and passwords.

New Threats
 
Several new malware families, ransomware strains, vulnerabilities, and threat groups emerged over the past month. Researchers uncovered over a dozen servers hosting ten different malware families. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a security alert about a new malware strain named HOPLIGHT. Meanwhile, a recent system update has apparently left the Nokia 9 PureView smartphone vulnerable to an easy fingerprint lock bypass.
 
  • Researchers have uncovered over a dozen servers hosting ten different malware families, distributed via phishing campaigns potentially tied to the Necurs botnet. The ten families are Dridex, Gootkit, IcedID, Nymaim, Trickbot, GandCrab, Hermes, Fareit, Neutrino, and Azorult.
  • Researchers have discovered a new variant of the Emotet trojan that drops the ‘Nymaim’ malware downloader, which in turn downloads the Nozelesn ransomware. This Emotet variant has been seen targeting the hospitality sector.
  • A fraudulent ad-clicking campaign has been observed on Android devices, spread through six fake apps claiming to boost smartphone performance that together have been downloaded around 90 million times. The apps deliver adware named ‘PreAmo’.
  • Android users complained about a bug in Skype that automatically answers incoming calls. Some reported that calls were answered automatically when their Android device was paired with a smartwatch. Microsoft has since fixed the issue.
  • A security researcher has created a backdoor dubbed ‘SMBdoor’ based on two leaked NSA tools. The malware was built as a research tool for academics. Its characteristics are similar to those of DoublePulsar and DarkPulsar.
  • After a recent operating system update, the Nokia 9 PureView smartphone has apparently become vulnerable to an easy trick that bypasses its fingerprint lock. The flawed update lets anyone unlock the phone past the fingerprint check.
  • Researchers have discovered a new variant of the GoBrut malware that targets Unix-based machines. The variant, delivered as a malicious Executable and Linkable Format (ELF) binary, has also been spotted attacking WordPress-based websites.
  • A new Mirai botnet variant compiled for additional processor architectures has been discovered. The variant adds a modified version of the XOR encryption Mirai uses for its configuration strings and a new DDoS attack method, and targets Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.
  • The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a security alert about a new malware strain named HOPLIGHT. The backdoor trojan has been attributed to HIDDEN COBRA, the North Korea-based hacking group.
  • Researchers have discovered a sophisticated APT framework dubbed ‘TajMahal’. Recent TajMahal activity involved two packages named Tokyo and Yokohama: Tokyo is used to deploy Yokohama on victims’ machines, and Yokohama steals sensitive data from the victims.
  • A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin has exposed WordPress sites to attack. The plugin is estimated to be installed on over 30,000 websites. The flaw lets unauthenticated remote attackers update arbitrary site settings (options) and take control of affected WordPress sites.
  • Another ransomware, RobbinHood, has been found targeting all computers within a network. It renames encrypted files and drops ransom notes under four different names at the same time. The notes describe the victim’s files, state the ransom amount, and provide links to Tor sites.
  • A new variant of HawkEye, dubbed ‘Reborn v9’, has emerged. Reborn v9 is marketed as an ‘Advance Monitoring Solution’ and sold under a licensing model. It has been modified from earlier versions and heavily obfuscated to make analysis difficult. It steals system information and credentials from browsers, FileZilla, Beyluxe Messenger, CoreFTP, and the video game ‘Minecraft’.
  • Researchers have discovered four new versions of the Bashlite botnet, detected under names including Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. One of these versions targets devices through the WeMo Universal Plug and Play (UPnP) API.
  • A new ransomware family, ‘NamPoHyu Virus’, has been found targeting vulnerable Samba servers. Instead of running an executable on the victim’s computer, the attackers brute-force the Samba password and run the ransomware from their own machine, encrypting the exposed share remotely. The ransomware was first detected in March 2019 after users complained that their NAS devices had suddenly been encrypted by a new ransomware called MegaLocker virus.
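The Mirai item above mentions a "modified XOR encryption". Since the original Mirai source was leaked, the scheme is well known: the bot's config table (C2 host, credentials, paths) is stored XORed byte by byte with the four bytes of table_key (0xDEADBEEF in the original), which collapses to one effective key byte, and variants typically just change that key. The Python below is an added example, not code from Cyware or from any Mirai report: it reimplements that toggle_obf routine and recovers the key byte of an unknown variant with a known-plaintext search. The sample table, the C2 hostname, and the variant key 0x1EEDFACE are all constructed for illustration.

```python
"""Mirai config-string obfuscation (toggle_obf) and key-byte recovery.

Added example. Mirai's leaked source XORs every byte of its config table in
turn with the four bytes of table_key; four XORs with constants are one XOR
with their combination, so any variant that only swaps table_key is a
256-candidate brute force away from being readable.
"""
from typing import List, Optional

MIRAI_DEFAULT_KEY = 0xDEADBEEF  # table_key in the leaked Mirai source


def effective_key_byte(table_key: int) -> int:
    """k1 ^ k2 ^ k3 ^ k4: the single byte Mirai's four-step XOR amounts to."""
    kb = 0
    for shift in (0, 8, 16, 24):
        kb ^= (table_key >> shift) & 0xFF
    return kb


def toggle_obf(data: bytes, table_key: int = MIRAI_DEFAULT_KEY) -> bytes:
    """Mirai's toggle_obf: encoding and decoding are the same operation."""
    kb = effective_key_byte(table_key)
    return bytes(b ^ kb for b in data)


def recover_key_byte(blob: bytes, crib: bytes) -> Optional[int]:
    """Brute-force the effective key byte using a string every Mirai config
    carries (b"/bin/busybox" is a safe crib). None if nothing matches."""
    for kb in range(256):
        if crib in bytes(b ^ kb for b in blob):
            return kb
    return None


def decode_strings(blob: bytes, kb: int) -> List[str]:
    """Decode with key byte kb and return the NUL-separated printable strings."""
    plain = bytes(b ^ kb for b in blob)
    strings = []
    for chunk in plain.split(b"\x00"):
        if chunk and all(0x20 <= c < 0x7F for c in chunk):
            strings.append(chunk.decode("ascii"))
    return strings


def analyze(blob: bytes, crib: bytes = b"/bin/busybox") -> List[str]:
    """Recover the key from a blob and return its decoded strings."""
    kb = recover_key_byte(blob, crib)
    return [] if kb is None else decode_strings(blob, kb)


# Constructed sample table (not from a real sample): entries of the kind found
# in Mirai's table.c, NUL-separated as they sit in the binary.
SAMPLE_TABLE = [b"/bin/busybox", b"/proc/", b"admin", b"cnc.example.invalid"]
SAMPLE_PLAIN = b"\x00".join(SAMPLE_TABLE) + b"\x00"

# The same table as the original Mirai would store it, and as a hypothetical
# variant with a swapped table_key would (0x1EEDFACE is an assumed key).
VARIANT_KEY = 0x1EEDFACE
SAMPLE_DEFAULT_BLOB = toggle_obf(SAMPLE_PLAIN, MIRAI_DEFAULT_KEY)
SAMPLE_VARIANT_BLOB = toggle_obf(SAMPLE_PLAIN, VARIANT_KEY)


if __name__ == "__main__":
    print(f"original key byte: 0x{effective_key_byte(MIRAI_DEFAULT_KEY):02x}")
    for name, blob in (("default", SAMPLE_DEFAULT_BLOB),
                       ("variant", SAMPLE_VARIANT_BLOB)):
        kb = recover_key_byte(blob, b"/bin/busybox")
        print(f"{name}: key byte 0x{kb:02x} -> {decode_strings(blob, kb)}")
```

On a real sample you would carve the encoded table out of the ELF's data section and pass it to analyze(); the crib search works because a 12-byte crib cannot coincidentally match under a wrong single-byte key, and it fails cleanly (None) if the variant switched to something other than a byte-wise XOR.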