
Cyware Weekly Threat Intelligence, January 20-24, 2020


The Good
We come to the end of another week and, as we look forward to the weekend, let’s take a quick glance at the major developments in the cybersecurity world. NIST has officially released version 1.0 of its Privacy Framework to help organizations optimize the beneficial uses of data while protecting individual privacy. In other news, a New York senator has introduced Senate Bill S7289, which would ban the payment of ransoms.

  • A New York senator has introduced Senate Bill S7289 that will prohibit municipal corporations or other government entities from paying ransom in the event of a cyberattack against them.
  • Lawmakers in the state of Maryland are considering penalizing anyone who possesses ransomware and intends to use it to cause harm. The state further plans to grant victims of a ransomware attack the right to sue the attacker for damages in civil court.
  • The National Institute of Standards and Technology (NIST) has released version 1.0 of its Privacy Framework to help improve organizations’ approach to using and protecting personal data.

The Bad
It was a bad week for breaches. Mitsubishi Electric Corp. disclosed that it had suffered a massive cyberattack affecting the confidential data of government agencies and other business partners. Microsoft came under scrutiny for exposing 250 million call records last year through unsecured Elasticsearch servers. The car rental company Buchbinder was also in trouble for exposing the personal information of over 3.1 million customers.

  • Mitsubishi Electric Corp. disclosed a massive cyberattack that affected information belonging to government agencies and other business partners. Among the potentially leaked information were email exchanges with the Defense Ministry and the Nuclear Regulation Authority.
  • Researchers noted that Microsoft had briefly exposed call center data of almost 250 million customers due to unsecured Elasticsearch servers. The incident occurred last year and the exposed information included customer emails, IP addresses, support agent emails, and internal notes.
  • Magecart-style attacks hit websites belonging to Hanna Andersson and to resellers of tickets for the Euro Cup and the Tokyo Summer Olympics. The attacks enabled the attackers to steal customers’ payment card details.
  • The main server of the insurance company SAOG in Oman was hit by a ransomware attack, causing the loss of some data created between December 10, 2019, and January 1, 2020. Sodinokibi ransomware also made its presence felt as its operators threatened to publish 50 GB of data stolen from the GEDIA Automotive Group.
  • An unsecured Amazon S3 bucket owned by THSuite had leaked Personally Identifiable Information (PII) of 30,000 individuals connected to the medical and recreational marijuana industry. In total, over 85,000 files were leaked due to the unguarded bucket.
  • A data breach at the German car rental company Buchbinder had affected the personal information of over 3.1 million customers. The incident had occurred due to an unprotected database.

New Threats
Variants of several existing malware families were also observed this week. Some of the newly discovered variants belonged to the Trickbot trojan, BitPyLock ransomware, and Muhstik botnet families. These malware variants were used to infect individuals and organizations across the globe. A new malware called CARROTBALL, distributed via a phishing email, was used in targeted attacks against a US government agency and two non-US foreign nationals professionally affiliated with North Korea.

  • A new variant of FTCode ransomware was uncovered harvesting and exfiltrating saved user credentials from email clients and web browsers. The variant steals this data before it encrypts victims’ files.
  • A ransomware variant belonging to the BitPyLock family was also spotted targeting individual workstations to compromise networks, stealing files before encrypting devices. The variant appended the .bitpy extension to every encrypted file.
  • Various organizations were targeted with fake business emails carrying a new variant of the NetWire trojan. The purpose of the campaign was to steal victims’ banking credentials.
  • The Muhstik botnet evolved to include exploits for Tomato routers. The variant scanned for Tomato routers on TCP port 8080 and bypassed the admin web authentication by brute-forcing default credentials.
  • Over 2,000 WordPress sites were hacked to redirect victims to scam sites pushing unwanted browser notification subscriptions, fake surveys, giveaways, and fake Adobe Flash downloads. The sites were compromised by exploiting vulnerabilities in plugins.
  • Trickbot trojan was upgraded with a new module called ‘ADII’ to target the Active Directory database stored on compromised Windows domain controllers. The new module takes advantage of the ‘Install from Media’ command to dump the Active Directory database and various Registry hives into the Windows Temp folder.
  • Researchers detected a new malware named CARROTBALL that was used as a second-stage payload to target a US government agency and non-US foreign nationals professionally affiliated with current activities in North Korea.
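The Trickbot ADII module described above relies on the ‘Install from Media’ function, which Windows exposes through the built-in ntdsutil.exe as the `ifm` command. The following is an added detection example (not code from the original post or from any vendor): it scans process-creation events for ntdsutil IFM dumps and raises the severity when the dump is written under a Temp directory, as the Trickbot module does. The event format and sample lines are constructed for illustration.

```python
import json
import re
from typing import Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style,
# flattened to one JSON object per line). Not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"host": "DC01", "Image": r"C:\Windows\System32\ntdsutil.exe",
                "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\dump" q q',
                "ParentImage": r"C:\Windows\System32\svchost.exe"}),
    json.dumps({"host": "DC01", "Image": r"C:\Windows\System32\ntdsutil.exe",
                "CommandLine": r'ntdsutil "activate instance ntds" "ifm" "create full D:\IFM\dc02" quit quit',
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"host": "WS07", "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe notes.txt",
                "ParentImage": r"C:\Windows\explorer.exe"}),
]

# ntdsutil accepts the full phrase or the "ifm" abbreviation; match either as a token.
IFM_RE = re.compile(r'(^|[\s"])(ifm|install from media)([\s"]|$)', re.IGNORECASE)
# "create full" (or "create sysvol full") is what actually writes ntds.dit and the hives.
CREATE_RE = re.compile(r"create\s+(sysvol\s+)?full", re.IGNORECASE)
# Output path under a Temp/Tmp folder, as in the Trickbot ADII behaviour.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for an ntdsutil IFM dump, or None for anything else."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("ntdsutil.exe"):
        return None
    if not (IFM_RE.search(cmd) and CREATE_RE.search(cmd)):
        return None
    # Legitimate IFM media creation also matches; a Temp target is the stronger signal.
    severity = "high" if TEMP_DIR_RE.search(cmd) else "medium"
    return {"host": event.get("host"), "severity": severity,
            "parent": event.get("ParentImage"), "command": cmd}


def scan(lines) -> list:
    """Parse JSON event lines and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(event)
        if hit:
            alerts.append(hit)
    return alerts
```

Medium-severity hits still deserve a look, since any IFM dump of a domain controller yields the full credential database; correlate them with change tickets for planned DC promotions.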


Posted on: January 24, 2020
