Cyware Monthly Threat Intelligence, February 2020


The Good
The month of February witnessed much hustle and bustle in the cyber threat landscape, including some path-breaking research by security experts. A group of researchers devised a method called DEEP-Dig to fool hackers into revealing their tactics. Meanwhile, researchers at the Open Cybersecurity Alliance introduced a new language framework to connect cybersecurity tools via a common messaging platform. In other news, scientists developed an automatic system that creates random strings of numbers and encryption information.

  • A new cyber defense approach called DEEP-Dig (DEcEPtion DIGging), which focuses on improving the intrusion detection of a system, has been developed by a group of scientists at the University of Dallas. The approach traps malicious actors in a decoy site, allowing machines to learn their tactics. Researchers anticipate that the approach will benefit defense organizations.
  • A team of researchers devised a powerful approach to securing web browsers last month. The new method works by shifting some of the browser code into ‘secure sandboxes’ that prevent malicious code from taking over a user’s computer. This new strategy is now part of the Firefox browser’s test release for the Linux operating system.
  • The Open Cybersecurity Alliance (OCA) launched a new language framework called OpenDXL Ontology to connect cybersecurity tools through a common messaging framework. The new framework aims to eliminate the need for custom integration between entities such as endpoint systems, firewalls, and behavior monitors.
  • For the first time, scientists built a robotic system that uses the crystallization process to create random strings of numbers and encrypted information. This method proves to be a good alternative to existing true random number generators, which usually take a longer time to crack the algorithm.
  • Japan CERT released a new utility tool called EmoCheck that allows Windows users to check if they are infected with the Emotet trojan. Once installed on a system, the tool scans for the trojan and if it is found, it alerts the user with the process ID and the location of the malicious file.

The Bad
Some of the big firms around the world also leaked terabytes of data due to unsecured database servers. Rallyhood, a community collaboration platform, disclosed nearly 4.1 terabytes of files via an unprotected bucket. More firms faced similar incidents, including Tetrad and Decathlon. While Tetrad, a US market analysis firm, laid bare 120 million records of Americans, sports giant Decathlon leaked 123 million records belonging to UK and Spain customers.

  • Rallyhood exposed nearly 4.1 terabytes of files via an unprotected AWS S3 bucket, giving anyone access to a decade’s worth of user files. Some of the files contained sensitive data like shared passwords lists, contracts, and other permission slips and agreements.
  • Around 747GB of data related to 120 million Americans was exposed by the market analysis company Tetrad due to a misconfigured Amazon S3 bucket. The leaky database included data from Chipotle, Kate Spade, and Bevmo.
  • Sports giant Decathlon also made headlines last month for revealing 123 million records due to an unsecured Elasticsearch server. It contained information belonging to Decathlon Spain and possibly its UK business as well.
  • A data breach at Dutch airline Transavia affected the data of as many as 80,000 passengers. The compromised data dated back to 2015 and included passengers’ full names, dates of birth, and information regarding luggage reservations.
  • Over 10.6 million guest records stolen from MGM Resorts were posted on an online hacking forum last month. The compromised records included data of regular tourists, celebrities, government officials, reporters, CEOs and professionals from tech firms.
  • A popular photo app, PhotoSquared, leaked around 94.7 GB of data containing over one million records due to a misconfigured S3 database. The records dated from November 2016 to January 2020. The exposed data included user photos, order records, receipts, and shipping labels.
  • Public Services and Procurement Canada inadvertently shared the data of more than 69,000 public servants with the wrong people. The data leaked included full names, personal record identifier numbers, home addresses, and overpayment amounts of employees.
  • Cosmetics giant Estée Lauder Companies Inc. came under fire for leaking over 440 million records publicly due to an unprotected database. The exposed records included emails in plain text, internal documents, middleware logs, and more. The duration of the data breach was unknown.
  • TastSelv Borger tax portal, managed by the US company DXC Technology, accidentally leaked the personal data of 1.2 million Danish citizens due to a software error. The bug was rectified as soon as DXC became aware of it.
  • Australian logistics company Toll Group fell victim to a ransomware attack. The firm became aware of it on January 31, 2020, and immediately disabled the relevant systems to contain the ransomware infection. Over 1000 servers were crippled by the attack.
  • An open and publicly accessible database belonging to the email marketing firm Pabbly exposed nearly 51 million records. The exposed records dated back to 2014 and contained customer names, email addresses, subject lines, email messaging, and internal data.
  • An S3 bucket owned by FutebolCard leaked 25GB of sensitive data belonging to supporters of a number of Brazilian organizations. The exposed information included names, contact details, dates of birth, marital status, social security numbers, and payment method of fans. Futebol rectified the issue on January 31, 2020, by taking the bucket offline.
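Several of the incidents above (Rallyhood, Tetrad, PhotoSquared, FutebolCard) trace back to the same root cause: an S3 bucket whose policy or ACL grants access to everyone. The following script is an added example, not part of Cyware's post or any of the affected companies' code. It audits a bucket policy document and a bucket ACL (in the JSON shapes the AWS API returns for GetBucketPolicy and GetBucketAcl) for grants to anonymous or all-authenticated principals, using constructed sample documents; the bucket name and account id in them are placeholders.

```python
"""Audit S3 bucket policy / ACL JSON for public-access grants (added example)."""
import json
from typing import Any, Dict, List

# Canned group URIs that S3 treats as "everyone" / "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal: Any) -> bool:
    """True if the statement's Principal is the wildcard (anonymous) principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per Allow statement granted to the wildcard principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        note = " (scoped by a Condition; review it)" if stmt.get("Condition") else ""
        findings.append(f"statement {stmt.get('Sid', '<no Sid>')} allows {actions} to everyone{note}")
    return findings


def audit_acl(acl: Dict[str, Any]) -> List[str]:
    """Return one finding per ACL grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


# --- constructed sample documents (placeholder bucket/account, not real data) ---
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}


if __name__ == "__main__":
    for name, pol, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL),
                           ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(name, audit_bucket_policy(pol) + audit_acl(acl) or ["no public grants"])
```

To run this against live buckets, feed it the parsed output of `get_bucket_policy` and `get_bucket_acl` from boto3; the audit logic itself needs no network access, which is why it works well as a unit-tested guardrail in an infrastructure pipeline. Note that the policy check deliberately still flags wildcard statements carrying a Condition, since whether the condition actually narrows access needs a human look.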

New Threats
In new threats for the month, researchers released details about a new vulnerability called KrØØk that impacts Wi-Fi chips made by Broadcom and Cypress. The infamous BlueKeep flaw also returned, affecting over 55% of medical imaging devices. Meanwhile, researchers spotted a variant of the Raccoon info-stealer targeting over 60 web applications.

  • Security researchers presented the technical details of a serious vulnerability called KrØØk. The flaw affects the Wi-Fi chips made by Broadcom and Cypress and can allow an adversary to decrypt some wireless network packets transmitted by vulnerable devices.
  • A new version of the ‘Cerberus’ Android banking trojan was uncovered accessing 2FA-protected accounts by stealing one-time codes generated by the Google Authenticator app. The new variant is available for sale on hacking forums.
  • The capabilities of the Raccoon info-stealer were enhanced to extract sensitive data from about 60 applications on a targeted computer. The applications include a wide range of browsers, email client software, and cryptocurrency wallets.
  • A new report revealed that the BlueKeep flaw plagued more than 55% of medical imaging devices, including MRIs, X-rays, and ultrasound machines. The flaw, tracked as CVE-2019-0708, affects the RDP service running on outdated Windows versions.
  • Over 20,000 WordPress sites were detected running trojanized versions of premium WordPress themes and plugins designed to distribute WP-VCD botnets. The attackers’ purpose was to generate more revenue by misleading visitors with fraudulent ads.
  • AZORult trojan also made a comeback in a campaign disguising itself as fake ProtonVPN installers. Once installed, the trojan collected the infected machine’s environment data and sent it back to an attacker’s C2 server located in Russia.
  • A notification sent out by the FBI alerted US private organizations about an ongoing hacking campaign that distributes Kwampirs malware. The campaign was similar to a supply chain attack reported by Symantec in 2018. Now, the campaign has evolved to target companies in the ICS sector.
  • A newly discovered virus, KBOT, is claimed to be the first ‘living’ virus spotted in the wild. The malware penetrates a user’s computer via the web, the local network, or an infected piece of external media. It attempts to harm the system by writing itself to Startup and the Task Scheduler.
  • A remote access trojan (RAT) named Parallax was found to be widely distributed through malicious spam campaigns. When installed, it allows attackers to gain full control over an infected system. The malware was being offered for as low as $65 a month on underground forums.
  • Five critical vulnerabilities, collectively dubbed ‘CDPwn’, were found in the Cisco Discovery Protocol (CDP) and could lead to remote code execution and denial of service. The flaws could allow attackers with an existing foothold to remotely take over millions of devices running the protocol.
  • The China-based Winnti group targeted two Hong Kong universities with a new variant of the ShadowPad backdoor. The new version was much simpler compared to previously analyzed malware samples used by the group. According to researchers, it was most likely executed via DLL side-loading.


Posted on: April 02, 2020
