Cyware Weekly Cyber Threat Intelligence May 7 - 11, 2018

The Good

• The first EU-wide legislation on cybersecurity - NIS Directive - came into force on May 9, to ensure critical infrastructure firms are prepared for and protected from cyberattack and computer network failure. Operators of “essential services” such as health, water, energy, transport and digital infrastructure that fail to report breaches or outages to regulators within 72 hours could face fines of up to £17 million, as per the new law.
• Google announced at its I/O event on Thursday, that Android P will come with new privacy and security updates including limits on what apps can access when you’re not actively using them. Starting with Android P, apps are given permission to your location, microphone, camera or network status when the app is running in the background.
• In the US, the House passed a bill aimed at helping small businesses better defend themselves against cyberattacks and threats. As per the legislation, the Small Business Administration will establish a “cyber counseling certification program” to train employees in cybersecurity at small business development centers.
• Meanwhile, the Australian Parliament House will get its own $9 million cybersecurity operations centre to “enhance cybersecurity protection for the parliamentary computing network.” Overseen by the Department of Parliamentary Services, the centre will be responsible for the Parliament House internet services, email addresses and device management of MPs, senators and staff.

The Bad

• FLEETCOR Technologies revealed that it suffered a data breach in April after its gift card systems were accessed by an unauthorized party. The company said it identified suspicious activity on systems involving its Store Value Solutions gift card business. It said a “significant number” of gift cards at least six months old and PIN numbers were accessed in the breach, but did not include personally identifiable information (PII).
• Popular Android app Drupe, downloaded over 10 million times, inadvertently left users’ photos, selfies, audio messages and other sensitive data exposed online. The data was publicly available on unsecured servers on Amazon Web Services. Drupe said the exposed files were sent through Drupe Walkie Talkie and other feature that allows images to be sent during a call. It claimed these features have been used by less than 3% of its users, noting that the issue has been resolved and exposed files deleted.
• Copenhagen’s city bikes network Bycyklen was hacked by an unidentified hacker who deleted its entire database and disabled users’ access to the bicycles. Bycyklen said the hack was “rather primitive”, but noted it was likely carried out “by a person with a great deal of knowledge of its IT infrastructure.” No data was stolen in the attack, but the firm advised users to change their PIN codes for the bikes.
• The Together for Yes campaign which is calling for a Yes vote in the upcoming Eighth Amendment referendum in Ireland said its crowdfunding website was hit with a DDoS attack. The attack temporarily knocked the website hosted by CauseVox offline at 5:45pm which the agency said would “ordinarily be a peak time for donations.” The interruption also affected CauseVox’s security infrastructure.
• The city of Goodyear, Arizona, temporarily disabled its online utility payment system after a resident reported fraudulent activity on the card used to pay a utility bill. The city has begun a forensic investigation into the breach that could affect 30,000 customers. The city said severe vulnerabilities within the software used for some payment card transactions were likely exploited. The affected server has been disabled and customers have been advised to monitor their payment card statements.

New Threats

• Over 400 websites running on the Drupal content management system, including government and university sites, were targeted by a cryptomining campaign exploiting the critical CVE-2018-7600 remote-code execution vulnerability, dubbed Drupalgeddon 2.0. Some of the websites affected included those of Lenovo, the San Diego Zoo, UCLA and more.
• Researchers discovered a series of legitimate websites that have been found delivering the notorious Gandcrab ransomware. Cisco Talos researchers said the key issue for these compromised websites were multiple vulnerabilities in outdated software - ripe for the picking for adversaries. Some of the affected websites included a courier service in India and a WordPress site for a herbal medicine seller.
• Trend Micro researchers discovered the Maikspy malware that comes disguised as an adult game named after former adult film actress Mia Khalifa. Targeting Windows and Android users, the fake game app is promoted on social media to distribute the malicious link. The link redirects users to a website that distributes other malicious apps, connects to a C&C server and uploads data from infected devices including account info, phone numbers, contacts, photos, SMS messages and more.
• Flashpoint researchers said the source code of the TreasureHunter PoS malware has been leaked on a Russian-speaking underground forum. Following the source code’s release in March 2018, researchers predict the leak will likely inspire a new round of nasty PoS malware strains much like previous source code leaks for Mirai, BankBot and Zeus have done so in the past.