Cyware Monthly Threat Intelligence, August 2020


The Good
There is a lot going on in the cyber world, but not all of it is bad. One group of academic researchers devised an AI technique to ward off cyberattacks on medical devices, while another research group built an AI model that spots malicious code hijacking supercomputers to mine cryptocurrency. In another vein, the National Institute of Standards and Technology (NIST) released the final version of its Zero Trust Architecture guidance for organizations.

  • Researchers at the Ben-Gurion University of the Negev developed a new AI technique to protect medical devices from malicious operating instructions sent during a cyberattack, as well as from human and system errors. The technique analyzes the instructions a PC sends to the connected device and flags anomalous ones before they are executed.
  • Researchers at Los Alamos National Laboratory developed a new AI-driven model that can identify malicious code used to hijack supercomputers to mine cryptocurrencies such as Bitcoin and Monero.
  • MITRE released a new Shield framework to help organizations actively detect and counter intruders on their networks. The framework catalogs techniques for detecting, disrupting, and containing intruders once they are inside.
  • NIST unveiled the final version of its Zero Trust Architecture (SP 800-207) for cybersecurity leaders, administrators, and managers, to give them a better understanding of what a Zero Trust environment involves. The document was developed in collaboration with multiple federal agencies.

The Bad
Last month, several cybercriminal groups were observed evolving their TTPs and going on an attack spree against organizations worldwide. A series of DDoS attacks on New Zealand's stock exchange (NZX) disrupted trading for four consecutive days. Meanwhile, ransomware actors hit Valley Health Systems, LG, Konica Minolta, and Brown-Forman, among other well-known firms. Moreover, the University of Utah paid a ransom of over $450,000 to prevent student data from being leaked.

  • Utah Pathology Services disclosed undergoing a data breach that resulted in the exposure of the personal information of approximately 112,000 patients. The hackers also attempted to redirect funds exploiting an employee’s account.
  • NZX was offline for four days after a group of cybercriminals launched DDoS attacks on its networks. NZX resumed trading later without giving any clarity on the attacker.
  • REvil ransomware operators claimed to have breached and stolen sensitive data from Valley Health Systems, a regional healthcare system that serves nearly 75,000 patients in Southern West Virginia, Southeast Ohio, and Eastern Kentucky.
  • The Lazarus threat actor group has been linked to an ongoing cyberespionage campaign, active since at least 2018, in which targets are approached through LinkedIn. The campaign has hit businesses in at least 14 countries, including the U.K. and the U.S.
  • The University of Utah paid a ransom of over $450,000 to stop a ransomware gang from publishing stolen student data on the internet. The university had already restored its systems from backups; the payment was made solely to prevent the exfiltrated copy from being leaked.
  • The Japanese technology giant Konica Minolta and the U.S. wine and spirits company Brown-Forman were not spared from ransomware either. The ransomware family behind the Konica Minolta attack is still unknown, while the attack on Brown-Forman was attributed to REvil, which claimed to have pilfered around 1TB of data.
  • The South African branch of the consumer credit reporting agency, Experian, disclosed a data breach that impacted the personal details of 24 million South Africans and 793,749 local businesses. The incident occurred after the agency handed over some sensitive data to a fraudster posing as a client.
  • The U.S. chipmaker Intel suffered an embarrassing leak after 17GB of its data was posted on the file-sharing site MEGA. The exposed data consisted of files from the Intel Resource and Design Center, various Intel development and debugging tools, roadmap documents, schematics of various processors, and more.
  • An artificial intelligence company, Cense, leaked 2.5 million records that contained sensitive medical data and PII. The breached data was stored directly on the same IP address as Cense’s website.
  • Nine data leak incidents that compromised the medical data of 200,000 U.S. users came to light after researchers discovered misconfiguration issues in GitHub repositories. The affected entities included Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, and AccQData.
  • Adit, a Houston-based patient management software provider, laid bare personal and sensitive information of 3.1 million patients via an unsecured database for about 10 days. Surprisingly, the database was later, allegedly, deleted by Meow Bot, an automated bot.
  • The Maze ransomware gang published over 70GB of data stolen from LG and Xerox on its leak site following failed ransom negotiations. Summit Medical Associates also disclosed a ransomware attack that affected the personal information of patients and affiliates.
  • A report found that Russian-speaking hackers had obtained the VPN authentication data of 38 large Japanese companies in the Pulse Secure VPN breach. In the first week of August a hacker had reportedly published plaintext usernames and passwords, session cookies, IP addresses, and other details for more than 900 Pulse Secure VPN servers. The listed servers were ones still unpatched against the 2019 arbitrary file read flaw (CVE-2019-11510), which is what allowed the credentials to be harvested; any organization on the list should treat those credentials and sessions as compromised and rotate them even after patching.

New Threats
Attackers are continuously probing enterprise security systems and exploring new ways to get through. In one campaign, cybercriminals used Unicode and HTML/CSS tricks to disguise phishing text and bypass security filters. Elsewhere, the U.S. government warned about the BeagleBoyz group, which has attempted to steal $2 billion since 2015. Security experts also red-flagged several new threats, including BLINDINGCAN and FritzFrog, challenging the cyber readiness of organizations.

  • Researchers stumbled across a hacker group using HTML/CSS and Unicode tricks to disguise malicious phishing emails and bypass email security filters that look for known phrases. Instead of writing "change your password," the attackers inserted characters between the letters, such as "c-h-a-n-g-e- -y-o-u-r- -p-a-s-s-w-o-r-d," where the inserted characters (for example, soft hyphens) are invisible when the mail is rendered but break simple string matching in scanners.
  • In a joint advisory, the FBI, U.S. Cyber Command, the Treasury Department, and CISA warned that the prolific North Korean hacking group known as BeagleBoyz had resumed its malicious operations against financial institutions. According to the agencies, the group has attempted to steal $2 billion since at least 2015 and is targeting banks and other financial services in almost 40 countries.
  • Apple had inadvertently notarized malware disguised as an Adobe Flash installer, allowing it to run on Macs, including on the unreleased beta of macOS Big Sur. The campaign distributed the ubiquitous "Shlayer" adware, which intercepts encrypted web traffic and replaces websites and search results with its own ads.
  • In an advisory, Autodesk warned users about hackers using a malicious MAXScript plugin, PhysXPluginMfx, that can corrupt 3ds Max settings, run malicious code, and propagate to other MAX files on a Windows system. The malicious code is capable of collecting passwords from web browsers such as Firefox, Google Chrome, and Internet Explorer.
  • Researchers reported a pool of 5,000 malicious apps involved in giveaway scams infected around 65,000 devices with a novel ad fraud botnet. Among the free gifts used as lures were boots, sneakers, event tickets, coupons, and expensive dental treatments.
  • CISA published an alert about a new North Korean malware, dubbed BLINDINGCAN, that was used in attacks on U.S. defense and aerospace organizations. The malware was delivered using fake job offers as bait.
  • Security experts uncovered a multi-functional peer-to-peer (P2P) botnet, called FritzFrog, that has been brute-forcing SSH servers since January 2020. To date, the modular botnet has breached more than 500 servers, including many belonging to universities in the U.S. and Europe.
  • TeamTNT became the first threat actor group to use cryptomining malware with functionality to steal AWS credentials from infected servers. The group's modus operandi involves scanning the internet for Docker daemons whose API is exposed, then deploying its malware into them.
  • A new info-stealing malware, Anubis, is being actively distributed in the wild. The malware draws its code from Loki malware designed to steal system information, credentials, credit card details, and cryptocurrency wallets.
  • SunCrypt ransomware joined the cartel created by the Maze ransomware gang. The cartel, which already includes LockBit and RagnarLocker, has its members share stolen data, infrastructure, and techniques with one another.
  • Agent Tesla information-stealing trojan now includes modules to steal credentials from applications, including popular web browsers, VPN software, as well as FTP and email clients. The malware variant can also be used to steal victims’ clipboard content data and disable anti-malware analysis software.
  • In an extensive study, researchers found a new RedCurl cybercrime group that has targeted at least 14 private companies in 26 attacks since 2018. The attacks were aimed at stealing documents containing commercial secrets and employees’ personal information.
  • The Iranian hacking group OilRig became the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks. To facilitate this, the operators are using a utility called DNSExfiltrator to move data out of compromised networks, since DoH traffic looks like ordinary HTTPS to network monitoring that only inspects plaintext DNS.
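The HTML/CSS and Unicode obfuscation described in the first bullet of this section is easy to reproduce, and just as easy to defeat once a scanner normalizes what it matches on. The Python below is an added example, not Cyware's code and not taken from the researchers' report: it shows a naive phrase matcher missing messages that have soft hyphens, zero-width characters, fullwidth letters, or zero-font-size HTML padding inserted, and a matcher that extracts only the rendered text, applies NFKC normalization and strips Unicode format characters before comparing. The sample messages, the keyword list, and the assumption that `font-size:0` is the CSS hiding trick in use are all constructed for illustration.

```python
"""Added example (not Cyware's code): phrase matching that survives the Unicode and
HTML/CSS obfuscation described above. All sample messages here are constructed."""
import re
import unicodedata
from html.parser import HTMLParser

# Phrases a simple phishing filter might look for (constructed list).
KEYWORDS = ("change your password", "verify your account")

# Constructed samples. U+00AD = soft hyphen, U+200B/U+200C/U+200D = zero-width
# space / non-joiner / joiner; none of them are visible when the mail is rendered.
SAMPLES = {
    "plain": "Please change your password today",
    "soft_hyphen": "Please c\u00adh\u00ada\u00adn\u00adg\u00ade y\u00ado\u00adu\u00adr "
                   "p\u00ada\u00ads\u00ads\u00adw\u00ado\u00adr\u00add today",
    "zero_width": "Please cha\u200bnge yo\u200cur pass\u200dword today",
    "fullwidth": "Please ｃｈａｎｇｅ ｙｏｕｒ ｐａｓｓｗｏｒｄ today",
    "html_shy": "<p>Please c&shy;h&shy;a&shy;n&shy;g&shy;e your pa&shy;ss&shy;word</p>",
    # Junk text inside zero-size spans breaks the phrase in the raw HTML only.
    "zero_font_html": '<p>Please change <span style="font-size:0">xyz</span>your '
                      '<span style="font-size: 0px">qq</span>password today</p>',
}

# Elements that never get a closing tag must not change nesting depth.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
# Assumption: the hiding trick is an inline font-size of zero (0, 0px, 0.0em, ...).
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|pt|em|rem|%)?\s*(;|$)", re.I)


class VisibleTextExtractor(HTMLParser):
    """Collect only the text a mail client would render: skip zero-font elements
    and everything nested inside them. Character references (e.g. &shy;) are
    decoded by HTMLParser, so hidden characters reach normalize() below."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.hidden_depth = 0  # > 0 while inside a hidden subtree

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self.hidden_depth or ZERO_FONT.search(style):
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if not self.hidden_depth:
            self.parts.append(data)


def visible_text(html_body: str) -> str:
    parser = VisibleTextExtractor()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.parts)


def normalize(text: str) -> str:
    # NFKC folds compatibility forms: fullwidth letters, ligatures, etc.
    text = unicodedata.normalize("NFKC", text)
    # Drop format characters (category Cf): soft hyphen, zero-width chars, bidi marks.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return re.sub(r"\s+", " ", text).strip().casefold()


def naive_hits(text: str) -> list:
    """What a filter that matches on the raw message would flag."""
    low = text.lower()
    return sorted(k for k in KEYWORDS if k in low)


def robust_hits(text: str, is_html: bool = False) -> list:
    """Match on rendered, normalized text instead of raw bytes."""
    if is_html:
        text = visible_text(text)
    norm = normalize(text)
    return sorted(k for k in KEYWORDS if k in norm)


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        is_html = msg.lstrip().startswith("<")
        print(f"{name:15} naive={naive_hits(msg)!s:25} robust={robust_hits(msg, is_html)}")
```

Run it and every obfuscated sample is missed by `naive_hits` but caught by `robust_hits`. In a real gateway the same normalization should be applied before URL and brand-name checks too, and the presence of many Cf characters or zero-font spans inside otherwise ordinary words is itself a useful signal worth scoring.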


 Tags

brown forman
nzx stock exchange
suncrypt ransomware
utah pathology services
blindingcan malware
fritzfrog botnet
redcurl hacking group
beagleboyz

Posted on: September 02, 2020
