Cyware Monthly Threat Intelligence, December 2020

The Good

Building a resilient cybersecurity framework is now more crucial than ever for organizations of all sizes. In this light, Google publicized Atheris—a tool to help developers identify vulnerabilities—last month. The tech giant also rolled out a new Chrome feature that warns users of compromised passwords, along with other security measures. Further, experts at NIST laid out security guidelines for IoT devices used within federal information systems.

  • Google security experts open-sourced a fuzzing tool, named Atheris, to help developers find security vulnerabilities and patch them before attackers abuse them. The tool supports Python 2.7, 3.3+, and native extensions created with CPython.
  • Last month, Google was reportedly working on a Chrome Safety Check feature that alerts users when their saved passwords have appeared in known data breaches. The feature also warns users against weak passwords.
  • The NIST drafted a set of guidelines for federal agencies on improving security for IoT devices. The four new documents are drafted with the goal of integrating IoT devices into the security and privacy controls of federal information systems.
  • Apple, Cloudflare, and Fastly co-designed a new DNS standard to address the privacy issues of DNS. The new standard separates client IP addresses from queries to mask requests and make it harder for attackers to track users online.
  • CISA’s Cloud Forensics team released a PowerShell-based tool, dubbed Sparrow, that is capable of detecting potentially compromised applications and accounts in Azure/Microsoft 365 environments.

The Bad

All’s well that ends well. That cannot be said in this case, as hackers breached the Texas-based network monitoring company SolarWinds. The supply chain attack impacted several top federal agencies and Fortune 500 companies. Moreover, researchers uncovered a cyberespionage campaign that compromised dozens of iPhones belonging to Al Jazeera employees, allegedly carried out with tooling from the Israel-based NSO Group. Separately, an extensive Emotet campaign crippled Lithuania’s National Center for Public Health (NVSC) and several municipalities.

  • Last month witnessed a massive supply chain attack on the SolarWinds Orion platform, which is used by several U.S. government agencies and private firms such as Boeing, AT&T, and Ford. Microsoft stated that the ultimate goal of the actors behind the SolarWinds supply chain attack was to access victims’ cloud assets after deploying the Solorigate backdoor on their local networks.
  • REvil (Sodinokibi) ransomware actors claimed to have exfiltrated about 600GB of documents from The Hospital Group and published a sample database, threatening to release before-and-after pictures of celebrity clients.
  • Vodafone-owned Ho mobile was caught in a data breach after an actor allegedly dumped about 2,500,000 customer records and other data on a hacker forum. Besides customers’ PII, leaked information included SIM card PUK code, ICCID number, IMSI number, and various base64-encoded hashes.
  • Fashion marketplace app 21 Buttons exposed over 50 million private files belonging to hundreds of influencers across Europe via a misconfigured AWS cloud storage bucket. Researchers discovered invoices for commissions paid by 21 Buttons to the influencers.
  • Brokerage firm Freedom Finance allegedly leaked 12GB of confidential data on around 16,000 clients to darknet forums after an employee fell for a phishing email. The attackers succeeded because the employee opened the email despite a security warning.
  • At least 36 employees of Al Jazeera were targeted in a cyberespionage campaign that leveraged an invisible zero-click iOS exploit called KISMET to hack into their iPhones. The malware was traced back to the Israel-based cyber intelligence company NSO Group, previously criticized for selling spyware to governments.
  • ThreatNix unearthed a phishing campaign on Facebook affecting 615,000 users in Egypt, the Philippines, Pakistan, and Nepal. Criminals used ads to steal user credentials. The campaign redirected users to GitHub, where the actual phishing pages were hosted.
  • Cybercriminals compromised the DNS server of cryptocurrency firm Voyager Digital in a cyberattack that halted trading activities. The company tweeted that no funds or personal information were compromised.
  • More than 250,000 databases were compromised due to an ongoing ransomware attack that abused weak credentials on MySQL servers. The campaign was launched in January and, to date, 83,000 victims have been targeted.
  • The Netherlands-based staffing agency Randstad was hit by Egregor ransomware, which breached its IT systems. The hackers published some internal corporate data, including financial reports and legal documents, in an extortion attempt.
  • A large-scale Emotet campaign infected the systems of Lithuania’s National Center for Public Health (NVSC) and several municipalities. According to reports, infected computers started sending fake emails and engaging in various other malicious activities.
  • nTreatment inadvertently exposed thousands of medical records online after it failed to add password protection to a cloud server. The misconfigured server included medical records, doctors’ notes, insurance claims, lab test results from third-party providers, and other sensitive patient information.

New Threats

Meanwhile, healthcare continued to struggle with both external and insider threats. A research group found 45 million medical images—including X-rays and CT scans—exposed on unprotected servers, while the Emotet group launched COVID-19-related phishing campaigns. Several other threats, including APTs, malware, and vulnerabilities, made the final month of 2020 a challenging one for security teams.

  • Unprotected online storage devices tied to hospitals and medical centers around the world left 45 million medical scans exposed to the internet. Not only had these scans been accessible online over the past twelve months, but malicious actors had also accessed those servers and apparently planted malware on them.
  • Group-IB uncovered a cybercriminal gang, dubbed UltraRank, targeting more than a dozen e-commerce sites to steal payment card data in a new campaign. Over the last five years, the group has targeted more than 700 e-commerce sites as well as 13 third-party suppliers in North America, Europe, Asia, and Latin America.
  • Sansec warned of a multi-platform credit card skimmer that can target online stores running on Shopify, BigCommerce, Zencart, and WooCommerce. The skimmer presented a convincing fake payment form that recorded customers’ keystrokes before forwarding them to the actual checkout page.
  • Financial institutions in the U.S. and Canada were reported to be at heightened risk from a new credential stealer, written in the AutoHotkey (AHK) scripting language, that targets browsers such as Chrome, Opera, and Microsoft Edge.
  • New variants of AgentTesla, the Gitpaste-12 botnet, and SystemBC were observed in several attack campaigns. These variants were designed to target more devices and carried additional capabilities.
  • Security experts caught APT28, a Russia-linked cyberespionage gang, leveraging COVID-19 phishing lures to disseminate the Go version of its Zebrocy malware. The lure was delivered inside a Virtual Hard Disk (VHD) file, which can be opened natively only on Windows 10.
  • After a two-month hiatus, the Emotet botnet returned to circulation around Christmas, targeting unsuspecting users with Christmas- and COVID-19-themed campaigns. Reports suggested that the group behind Emotet was hitting 100,000 targets per day.
  • Critical vulnerabilities discovered in D-Link routers make them susceptible to zero-day attacks. The flaws include an unauthenticated remote LAN/WAN root command injection (CVE-2020-25757), an authenticated root command injection (CVE-2020-25759), and an authenticated crontab injection (CVE-2020-25758).
  • A new form of biohacking technique was reported that has the potential to disrupt operations in the biological research sector. The attack involves infecting a biologist’s computer with malware that replaces substrings in DNA sequencing orders.
  • A new strain of the RANA Android malware was spotted spying on Telegram, WhatsApp, Skype, and other instant messaging platforms. The malware has been linked to the Iranian cyberespionage group APT39 and has gained new surveillance capabilities.
  • Cisco Talos detected two RCE bugs—CVE-2020-7559 and CVE-2020-7560—in Schneider Electric EcoStruxure. These bugs could be abused by sending the target a specially designed network request or project archive.
Posted on: January 07, 2021