Go to listing page

Cyware Monthly Threat Intelligence, March 2019

Cyware Monthly Threat Intelligence, March 2019

Share Blog Post

The Good

As we gear up for a new month of the year, let’s quickly glance through all that happened over the past month. Let’s first acknowledge all the positive events that happened over the past month. The National Security Agency has announced its cybersecurity tool ‘Ghidra’ as an open-source offering. Google is planning to block unwanted ‘Drive-by-Downloads’ that are initiated from ad frames without any user interaction. Meanwhile, Apple is working on an anti-snooping technology that will secure iPhone users’ privacy.

  • The National Security Agency has announced its cybersecurity tool ‘Ghidra’ as an open-source offering to the public at the RSA conference. Ghidra allows security researchers to analyze malicious code and malware thoroughly with reverse engineering tasks such as disassembly, assembly, decompilation, graphing, scripting, and more.
  • Google is planning to block unwanted ‘Drive-by-Downloads’ that are initiated from within ad frames without any user gesture. This feature will be supported in all six blink platforms - Windows, Mac, Linux, Chrome OS, Android, and Android WebView, except iOS.
  • Apple is working on an anti-snooping technology that will prevent law enforcement authorities from tracking iPhone users’ location and read their private messages. This technology protects iPhone users’ privacy by encrypting information between an iPhone and a mobile network.
  • Instagram is testing a new feature that automatically locks users’ old usernames for 14 days after switching to a new handle. This ‘username auto-lock’ feature will put an end to hackers who use bots to grab usernames as soon as the users switch to a new handle.
  • Computer scientists from the United States have developed a new email app named ‘Easy Email Encryption E3’ that is capable of quickly encrypting messages that appear in an email inbox. The app works with the majority of popular email services such as Gmail, Yahoo, and AOL. This app automatically encrypts emails as soon as you receive emails in your mobile devices or desktops.
  • Microsoft has added tamper protection to its antivirus product Microsoft Defender Advanced Threat Protection (ATP) to prevent malware from disabling antivirus solution on infected systems. The tamper protection also prevents malware from disabling Microsoft's cloud-based malware detection.
  • New Jersey legislators proposed a bill to Gov. Phil Murphy that would expand data breach notification requiring companies to alert consumers on data breaches that include personally identifiable information (PII) such as user names, passwords, email addresses, and security questions.
  • Europol has announced the adoption of the new Law Enforcement Emergency Response Protocol that covers malicious and criminal cyber incidents. The new protocol focuses on rapid assessment, sharing of information, and coordination of the international aspects of an investigation.

The Bad

In March, we witnessed several data breaches and cyber attacks that led to the exposure of millions of people's personal information across the globe. The seller Gnosticplayers, who disclosed 800 million profiles, has made a comeback with the fourth batch of stolen data put up for sale in the DreamMarket marketplace. The aluminum giant, Norsk Hydro suffered a cyber attack, forcing it to switch some of its operations to a manual mode. Meanwhile, it was discovered that FEMA inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors.

  • A security researcher uncovered 18 MongoDB servers that were publicly available without any password protection. The open MongoDB databases contained data from a Chinese surveillance program. The exposed information included online social services related data such as profile names, ID numbers, photos, public and private conversations, file transfers, GPS location, and more.
  • Wolverine Solutions Group suffered a ransomware attack that impacted nearly 700 healthcare organizations as these organizations use Wolverine Solutions Group for their billing and mailing services. The healthcare organizations affected by the breach include Mary Free Bed Rehabilitation Hospital, the Health Alliance Plan, North Ottawa Community Health System, Three Rivers Health and more. The data breach has compromised personal information of almost 1.2 million patients.
  • Attackers attempted ransomware attack against Israeli websites on March 2, 2019, which failed miserably due to a coding error. However, the attackers managed to deface multiple web pages with the words ‘Jerusalem is the capital of Palestine’. What went wrong was that the variable was set only to ‘Windows’ but the browser user agent strings also include Windows version number such as ‘Windows 10’, and ‘Windows 7’.
  • Chinese hackers targeted more than two dozen universities across the world to steal maritime military secrets. The attack campaign targeted almost 27 universities via spear-phishing emails. The emails purported to come from partnered universities and included malicious attachments. The targeted universities include Massachusetts Institute of Technology, the University of Washington, and other colleges in Canada and Southeast Asia.
  • Researchers detected an unprotected MongoDB database belonging to an email marketing firm Verifications. The open MongoDB instance exposed almost 809 million records online. The leaky database contained three folders with different records. The first folder had over 790 million unique email addresses, the second folder contained 4,150,600 records that included both email addresses and users’ phone numbers, while the third folder contained 6 million business lead records.
  • Gnosticplayers, who exposed and sold 800 million user records in February 2019, has yet again come out with the fourth batch of 26 million user records put up for sale in the DreamMarket marketplace. The stolen data belongs to customers of six companies across the world such as GameSalad, Estante Virtual, Coubic, LifeBear, Bukalapak, and YouthManual.
  • Norsk Hydro, one of the world's largest aluminum producers suffered a cyber attack, forcing it to switch some of its operations to a manual mode. The cyber attack has impacted Hydro’s operations and IT systems in most of the business areas across the globe. However, people safety is not affected by the attack.
  • Magecart threat group targeted the bedding websites MyPillow.com and Amerisleep.com in order to steal customers’ personal information and payment card information. While MyPillow has restored its site after the attack, Amerisleep is yet to respond with a fix.
  • ‘Bad Tidings’ phishing campaign targets Saudi Arabia government agencies and a single Saudi-based financial institution impersonating the Saudi Arabian Ministry of Interior’s e-Service Absher. This campaign leveraged three spoofing techniques including Punycode spoofing, SubDomain spoofing, and Typosquatting.
  • The social media Giant Facebook revealed that hundreds of millions of users’ passwords were stored in a readable format on its internal data storage systems. However, Facebook confirmed that there has been no evidence of any misuse of user passwords by its employees.  
  • The United States Federal Emergency Management Agency (FEMA) has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors that manages its TSA program. The exposed data includes applicants’ SPII such as street address, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.
  • Researchers observed a campaign dubbed ‘Operation ShadowHammer’ that targets the supply chain by spreading a backdoored version of ASUS Live Update Software. This campaign has impacted over 1 million users who have downloaded the backdoored version of the ASUS Live Update utility on their systems.
  • LockerGoga, the ransomware that hit aluminum giant Norsk Hydro, also infected two American chemicals companies Hexion and Momentive. The ransomware attack encrypted the Windows systems of these two chemical companies, forcing the companies to order hundreds of new computers.
  • Two cryptocurrency exchange platforms DragonEx and CoinBene suffered cyber attacks compromising over $1 million and $45 million respectively. Both crypto portals have gone into maintenance mode to investigate the incident and retrieve back the stolen assets.
  • Researchers observed a new credential harvesting campaign dubbed ‘LUCKY ELEPHANT’ that uses doppelganger webpages to impersonate legitimate entities such as foreign governments, telecommunications, and military. The list of organizations that are impersonated by the attackers includes entities in Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, and Nepal.

New Threats

Several new malware, vulnerabilities, and ransomware were discovered over the past month. A new Android Adware ‘SimBad’ was detected in 206 Android apps with almost 150 million installs. Researchers observed a new variant of the Mirai botnet that uses 11 new exploits and targets smart TVs and wireless presentation systems. Last but not least, researchers uncovered a Google photos vulnerability that could allow attackers to infer the metadata of the images stored in Google Photos.
  • A new Ransomware-as-a-Service (RaaS) named ‘Jokeroo’ is being promoted on underground hacking forums and via Twitter. The RaaS has been offered in multiple membership packages ranging from $90 to $300 and $600. In the basic package, a member earns 85% of the ransom payments.
  • A security researcher uncovered that Google Photos is vulnerable to a browser-based timing attack called Cross Site Search. This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos. To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.
  • Adwind RAT which was active in 2017 has resurfaced again, targeting platforms compatible with Java applications and running the Java Runtime Environment. It is distributed via phishing emails that include a malicious JAR file attachment. Once the JAR file runs in the system, Adwind RAT gets installed and it communicates with a remote server to conduct other malicious activities.
  • Fizz, Facebook’s implementation of the TLS protocol, contained a critical security flaw that could have allowed attackers to execute Denial of Service (DoS) attacks on servers. Facebook has released a patched version to address the denial-of-service vulnerability in Fizz.
  • Researchers have detected a new variant of the Cryptomix ransomware that appends the encrypted files with .clop or .ciop extension. This new variant is distributed via executables that have been signed with a digital signature. It targets entire networks rather than individual computers.
  • Necurs botnet made a comeback in the cyberspace with new capabilities. The botnet leveraged a new technique to evade detection while adding more bots to its web. Researchers detected that the Necurs botnet’s latest campaign used new payloads to make itself invisible to detection by antivirus programs.
  • A security researcher discovered a critical bug in the open-source, reverse engineering tool ‘Ghidra’. The vulnerability found in Ghidra could be exploited with a remote code execution attack. This bug has been addressed in the latest version of Ghidra v9.0.1.
  • A new variant of the Ursnif trojan is spotted targeting Japan. This latest variant packs a host of advanced features to evade detection by security tools. It uses steganography to hide malicious content which is decrypted by the PowerShell code.
  • A critical bug was detected in the SSH client PuTTY that could allow Man in the Middle (MitM) attacks. The vulnerability, which is designated as vuln-dss-verify, primarily affects DSA signature checking and provides attackers with an opportunity to bypass signature checks.
  • Researchers detected Android adware dubbed ‘SimBad’ in almost 206 Android applications that are available for download in the Google Play Store. Its capabilities include removing the icon from the launcher, displaying background ads, opening URLs, opening Google Play and 9Apps, installing other malware, and more. Google has removed all the 206 apps from the Google Play Store.
  • A new Point-of-Sale malware dubbed ‘GlitchPOS’ has been spotted targeting firms in the retail and hospitality sectors. The malware is distributed via phishing emails that include a fake game featuring a cute cat. GlitchPOS is generally deployed on retailers' websites and retail point-of-sale locations in order to steal credit card information of customers.
  • Attackers are exploiting a vulnerability in a shopping cart plugin ‘Abandoned Cart Lite for WooCommerce’ to target the Wordpress-based shopping sites. Attackers then implant backdoors and take control of other vulnerable sites. The plugin has been installed for more than 20,000 times across several WordPress sites.
  • STOP Ransomware, which is known for encrypting victims’ files, has now started installing AZORult info-stealing trojan onto victims’ systems to steal account credentials, browser history, desktop files, cryptocurrency wallets, and more. The collected information is then sent to the server operated by the attackers.
  • Cardinal RAT has resurfaced after two years with a new variant. The updated variant of the Cardinal RAT is used in a series of attacks against Israel-based financial technology firms. Researchers noted that this new Cardinal RAT variant shares a relationship with another malware family named EVILNUM.
  • Researchers have detected a total of 51 vulnerabilities in the Long-Term Evolution (LTE) protocol. Of these, 36 have been identified as new vulnerabilities. The vulnerabilities could allow attackers to disrupt mobile base stations, block incoming calls and disconnect users from a mobile network.
  • Researchers observed a new variant of the Mirai botnet that uses 11 new exploits and targets LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems. In addition to using new exploits in its multi-exploit battery, this new variant also includes new credentials to use in brute force attacks against devices.
  • Researchers have uncovered a new version of the AZORult data stealer dubbed ‘AZORult++’ as its code is written in C++ and not Delphi. This new variant is capable of launching an RDP connection by creating a new user account and adding it to the admin’s group.
  • Researchers uncovered a feature in UC browser that downloads extra app modules and runs executable codes on users’ devices, thereby violating Google Play Store policies and exposing its users to Man in the Middle (MitM) attacks. It is to be noted that UC browser has been downloaded by over 500 million users.
  • Researchers spotted a new Android banking trojan dubbed ‘Gustuff’ which is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps. This trojan uses social engineering techniques to trick device owners into giving access to the Android Accessibility service.
  • Google has patched a bug in Chrome dubbed ‘evil cursor’ that was exploited by tech support scammers to create an artificial mouse cursor and lock users inside browsers. Partnerstroka threat group exploited this bug by replacing the standard mouse cursor (OS 32-by-32 pixels) with 128 or 256 pixels in size.
  • U.S. Government Accountability Office (GAO) has published a management report stating that the security weaknesses found in the US Treasury Department’s system could pose an increased risk of unauthorized access to the Federal Reserve Bank (FRB) systems.


glitchpos malware
ursnif trojan
mirai botnet
necurs botnet
evil cursor bug
stop ransomware
cardinal rat

Posted on: April 01, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.