Cyware Weekly Cyber Threat Intelligence April 09 - 13, 2018

The Good

• Britain’s Home Secretary Amber Rudd has launched a police crackdown on dark web crime. During a speech at the National Cyber Security Centre’s conference, Rudd announced the Home Office will be releasing £9m to support law enforcement units that deal with cybercrime and dark web activity. Another £5m will be spent on improving local cybercrime units at a regional and local level. The funding is part of the £50 million allocated to bolster the UK’s cyber-defensive capabilities at a national, regional and local level.
• A new £13.5 million cyber innovation centre is being developed at London’s Queen Elizabeth Olympic Park to spur growth and development in the growing East London tech cluster and the nation’s cybersecurity sector. Run by Plexal, the London Cyber Innovation Centre will offer local start-ups the infrastructure, space and technology to work closely with larger enterprises on security risks, challenges and solutions.
• Cisco Systems with working with Canadian startup Isara, to develop new quantum-safe cryptographic algorithms that may help companies protect their internal systems, platforms and data against potentially powerful quantum threats. The two companies will be working on a proof-of-concept project to test digital certificates that operate in both classic and quantum-safe algorithm modes.
• MIT Media Lab researchers have developed a new headset dubbed AlterEgo that can “hear” your thoughts and allows you to “silently” communicate with a computer interface simply by vocalizing internally. By reading the neuromuscular signals your brain sends to the face and jaw during internal speech, the headset can identify the words you think of, but don’t actually say out loud, and reconstruct it with 92% accuracy.

The Bad

• Food services and facilities management Sodexo has warned a number of customers to cancel their credit attack after its cinema voucher platform, Filmology, suffered a “targeted attack”. The website was taken down “to eliminate any further potential risk” to consumers and the incident has been reported to the UK’s Information Commissioner’s Office. Sodexo Filmology has advised all employees who used the site between March 19 through April 3 to cancel their payment cards and check their payment card statements.
• Inogen revealed it experienced a security incident that saw an employee’s email account illegally accessed between January 2 and March 14 this year. Rental customers’ personal information including names, contact information and Medicare identification numbers were compromised in the breach. However, no financial data was accessed.\
• A number of popular music videos posted by music service Vevo on YouTube were hijacked and defaced by hackers calling themselves Prosox and Kuroi’sh. The music video for the hit song Despacito along with others by Shakira, Selena Gomez, Drake and Adele were affected. The clip was replaced with a photo of masked people wielding guns at the camera while the description below the video was replaced with the words “Free Palestine”. The videos were briefly taken down until the issue was resolved.
• Nearly 438 bitcoins worth $3 million were stolen from Coinsecure, a Delhi-based cryptocurrency exchange. However, the company said its system was not hacked or compromised. The company has filed an FIR accusing its CSO of swiping the money from the firm’s digital wallet and have asked authorities to bar him from leaving the country until the investigation is completed.

New Threats

• Trend Micro researchers have detected a significant amount of scanning activity from China akin to that of the infamous Mirai botnet in 2016. Researchers’ network monitoring system observed a surge of activity from over 3,000 IP addresses of scanners with Brazil seeming to be the target location. Similar to Mirai, the scanners were constantly scouring the internet for potentially vulnerable internet-connected devices. such as routers or IP cameras, and using default administrator credentials to hijack them.
• A new, but unusual strain of ransomware called PUBG locks down victims’ computer files and will only decrypt them if you play the game “PlayerUnknown’s Battlegrounds.” The ransomware encrypts the user’s files with a .PUBG extension and displays a pop-up warning instructing the victim to play to restore them. Interestingly, the ransom instructions offers a code to unlock their files immediately as well as an option to play the game for an hour. The TlsGame program only needs to run for about 3 seconds to start the decryption process, suggesting it’s likely a joke.
• The US Department of Homeland Security (DHS) released an intelligence note identifying a new malware called SmashingCoconut that shares similarities to the one used by North Korea against Sony back in November 2014. The 32-bit Windows-based wiper malware can render a targeted system inoperable if run using administrator privileges, delete all files and write over the master boot data record and wipe both the bootable and non-bootable partitions on the hard drive.
• Researchers uncovered a new fake update scam that has been exploiting thousands of legitimate websites since December 2017. The “FakeUpdates” campaign affected websites using outdated versions of WordPress, Joomla and Squarespace. The affected sites display authentic-looking messages to visitors prompting them to “save” the update for Firefox, Chrome or Flash. If a user does fall for it, a heavily obfuscated JavaScript file is downloaded from DropBox that deploys the ZeusVM variant - Chtonic banking malware -  or a NetSupport RAT.