Go to listing page

Cyware Weekly Threat Intelligence, August 17 - 21, 2020

Cyware Weekly Threat Intelligence, August 17 - 21, 2020

Share Blog Post

The Good

There’s no denying that the threat of the malware landscape is becoming commonplace with every passing day. However, amidst this rising menace, security experts and analysts are continuously making efforts to deflate the risks posed by malware. Talking on this aspect, the week witnessed some exciting discoveries of defensive tools for use against the Emotet trojan, GoldenSpy backdoor, and WannaRen ransomware.

  • A kill switch called EmoCrash enabled researchers to hold back the spread of Emotet trojan for nearly six months, between February 6 and August 6, 2020. The kill switch was created by incorporating a buffer overflow flaw found in the trojan.
  • Researchers identified five uninstallers meant to remove the China-linked GoldenSpy backdoor from infected computers. These uninstallers have identical behavior but differ in execution flows and string obfuscation techniques.
  • A decryption tool that enables victims of WannaRen ransomware to recover their files is publicly available for download. The ransomware bears similarities to the well-known WannaCry ransomware.

The Bad

Along with the favorable news, the week noticed some disappointing ransomware attacks. While the University of Utah paid a huge ransom to prevent the leak of its student data, other organizations such as SnapFulfil, SK Hynix, Konica Minolta, and Carnival Corporation continue to struggle after getting hit by disruptive ransomware attacks.

  • The University of Utah paid a ransom of over $450,000 to prevent the ransomware gang from leaking student data on the internet. The decision was made by the university to protect the integrity of the data even after it was restored from backups.
  • In a press release, grocery delivery and pick-up service, Instacart, revealed that the recent data breach affecting the company occurred due to two employees working with a third-party support vendor.  The firm notified 2,180 shoppers about the incident via email.
  • Utah Gun Exchange admitted that its users’ data was compromised and leaked on a public forum which also included data from other sites such as muleyfreak.com and deepjunglekratom.com. Although the leaked data contained personal information of users, there was no evidence of any financial data breach in the incident.
  • The week was no better when it came to ransomware attacks. This time, the affected organizations included SnapFulfil, SK Hynix, and Carnival Corporation. The Ponca City’s public school district also struggled to cope with a ransomware attack that occurred over the weekend.
  • Even the Japanese technology giant, Konica Minolta, and the U.S. wine and spirits company, Brown-Forman, were not spared from the terror of ransomware attacks. While the ransomware behind Konica Minolta is still unknown, the attack on Brown-Forman was conducted using the REvil ransomware.
  • The South African branch of the consumer credit reporting agency, Experian, disclosed a data breach that impacted the personal details of 24 million South Africans and 793,749 local businesses. The incident occurred after the agency handed over the sensitive data to a fraudster posing as a client.
  • A misconfigured database allowed a data broker to expose the profiles of nearly 235 million users of Instagram, TikTok, and YouTube. Each of these records included profile name, real name, profile picture, account description, age, gender, and more.
  • About 80 Israel-based gym and sports apps suffered data breaches due to several vulnerabilities in the Fizikal management platform. The flaws could allow hackers to bypass security checks and launch brute-force attacks on app users.
  • An artificial intelligence company, Cense, leaked 2.5 million records that contained sensitive medical data and Personally Identifiable Information (PII). The breached data was stored directly on the same IP address as that of Cense’s website.
  • Some 513 emails associated with SANS Institute were inadvertently sent to an unknown email address in a phishing attack. This resulted in the compromise of 28,000 records of the institute.
  • Nine data leak incidents that caused the compromise of medical data of 200,000 U.S. users came to light after researchers discovered misconfiguration issues in GitHub repositories. The affected entities included Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, and AccQData.
  • Cooke County, Texas, mailed more than 2,000 letters to inform residents about a ransomware attack that occurred in July. It is believed to have impacted the personal data of some users.

New Threats

Coming to new threats, the week witnessed the discovery of two new and sophisticated malware called BLINDINGCAN and FritzFrog. While BLINDINGCAN  was used in attacks on the U.S. defense and aerospace sectors, the FritzFrog botnet is being actively used to target SSH servers.

  • A massive attack campaign linked with the Transparent Tribe APT group targeted government and military personnel in India and Afghanistan. The attack chain involved the use of spearphishing emails that contained malicious Microsoft Office documents.
  • Researchers demonstrated a new attack technique, called SpiKey, which can enable attackers to spy on users and reverse engineer their door keys through audio recordings collected by installing malware on their smart doorbells, smartwatches, or smartphones.
  • The recently discovered Lucifer DDoS botnet is now capable of scanning vulnerable Linux systems to launch Monero cryptomining bots. Earlier, the botnet was used only against Windows systems to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert about a new North Korean malware, dubbed BLINDINGCAN, that was used in attacks on the country’s defense and aerospace sectors.  The malware was distributed using fake job offers as a bait.
  • A group of academics devised a new attack targeting the OpenPGP and S/MIME encryption schemes. This can enable attackers to conduct a Man-in-the-Middle  (MitM) attack and exfiltrate sensitive information from encrypted emails.
  • A new version of a Magento credit card stealer was discovered sending compromised data to a malicious cdn-filestore[.]com. The malicious code includes a form with all the credit card information along with the CDN-Filestore domain used for the exfiltration of the skimmed payment data.
  • A multi-functional peer-to-peer (P2P) botnet, called FritzFrog, has been actively targeting SSH servers since January 2020. So far, the modular botnet has breached more than 500 servers, including many associated with universities in the U.S. and Europe.
  • A new attack campaign, dubbed Duri, used HTML smuggling and data blob techniques to evade detection and deliver malware onto victim machines. The attack relied on redirecting users to an HTML page hosted on duckdns[.]org.
  • In yet another discovery, researchers explained that mailto links could be abused to launch attacks on the users of several popular desktop mail clients. This is possible either by sending emails containing boobytrapped mailto links or by placing boobytrapped mailto links on websites.
  • Akamai warned that cybercriminals claiming to represent well-known threat groups such as Fancy Bear and Armada Collective, are targeting a variety of sectors in an attempt to extort a large sum of money. These attackers would contact the target companies and warn them of an imminent DDoS attack on their infrastructure unless a ransom is paid.
  • TeamTNT became the first threat actor group to use a crypto-mining malware that contains the functionality to steal AWS credentials from infected servers. The group’s modus operandi involves scanning the internet for misconfigured Docker systems.
  • Researchers found an open directory containing malicious files for a cryptocurrency miner and DDoS bot that targets open Docker daemon ports. To launch these files, the attackers used a shell script named mxutzh.sh that scanned for open ports.


wannaren ransomware
cooke county
goldenspy backdoor
konica minolta
transparent tribe apt group
university of utah

Posted on: August 21, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite