Cyware Weekly Cyber Threat Intelligence April 16 - 20, 2018

The Good

• The US Department of Energy announced $25 million in grants for projects that can strengthen the cyberdefenses of the nation’s critical energy infrastructure, including its power grid, oil, and natural gas industry. The announcement comes just weeks after cyberattacks crippled electronic communications systems for several US pipeline companies.
• Facebook, Microsoft, Oracle and 31 other technology companies signed the Cybersecurity Tech Accord this week pledging to defend all customers and products from cyberattacks. They also took a “no offense” commitment to not help governments launch cyberattacks and protect their services against tampering and exploitation at every stage, from development to distribution.
• Researchers at Ben-Gurion University of the Negev and the University of Washington have developed a new algorithm to detect fake users on social media platforms, including Facebook and Twitter, based on the assumption that fake accounts typically establish unlikely links to other users. The algorithm features two machine learning-based iterations - one to estimate the probability of a link existing between two users and the second to generate meta-features used to construct a generic classifier to detect fake profiles.
• At the RSA Conference in San Francisco, IBM unveiled the Adversarial Robustness Toolbox - an open-source security library designed to help support developers and users fight against cyberattacks that target AI systems. Featuring a library, interfaces, and metrics, the toolbox will help developers create and deploy practical cybersecurity defense systems for the AI sector.

The Bad

• TrueMove H, one of Thailand’s biggest mobile operators, suffered a data leak compromising the data of at least 11,400 customers. Customers’ personal data, which included scanned images of ID cards, was exposed in an unprotected Amazon Web Services S3 cloud storage bucket. The company said the leak was fixed on April 12, but the incident has already triggered scrutiny and backlash from regulators and customers.
• Texas Health Resources disclosed that an unauthorized third party may have accessed patient data back in October 2017 after compromising some of the organization’s email accounts. Compromised data included patient names, addresses, medical record numbers, dates of birth, insurance and clinical data. The firm reportedly said less than 4000 patients were impacted.
• The US Department of Homeland Security, Federal Bureau of Investigation and the UK’s National Cyber Security Centre issued a rare joint statement accusing Russian state-sponsored hackers of penetrating network infrastructure devices such as routers within government, private companies, critical infrastructure, and ISPs. The agencies accused Russia of using compromised routers to conduct espionage, extract intellectual property and maintain persistence to possibly conduct larger offensive attacks in the future. The Kremlin has dismissed the allegations as “unsubstantiated” and of “no value.”
• Handyman-for-hire app, TaskRabbit revealed it suffered an apparent data breach saying an “unauthorized user” managed to gain access to its systems and compromised certain personally identifiable information. The company briefly took down its website and app to safeguard its users. Users have been advised to change their passwords and monitor their accounts for any suspicious activity.
• Localbox, a little-known data firm that builds personal profiles by scraping data from public sites and social media networks like Facebook, Twitter and Zillow without users knowledge or consent, accidentally leaked a trove of personal data. UpGuard’s Chris Vickery found the firm left a cache of profile data on an unprotected Amazon S3 storage bucket that listed 48 million individual records.

New Threats

• Kaspersky Labs researchers found a new strain of malware dubbed the Roaming Mantis. Hackers distribute the malware by hijacking DNS settings on vulnerable routers to redirect users to malicious websites. While it is still not clear how hackers managed to gain access to exposed home routers, the crooks were able to hijack traffic from 150 unique IP addresses and redirect users to malicious sites about 6,000 times between February 9 and April 9.
• Security firm Lookout found new samples of the ViperRAT malware lurking on the Google Play Store again.Two ViperRAT-infected apps - VokaChat and Chattak - had been downloaded over 1000 times before they were detected by Lookout and removed by Google. The new malware samples appeared to be updated with chat functionality enabled within the apps to evade detection and suspicion.
• Lookout researchers also uncovered the Desert Scorpion spyware packaged in mobile messaging apps on the Google Play Store. Believed to have been developed by surveillance actor APT-C-23, it targeted individuals of interest in the Middle East, particularly in Palestine. A chat app called Dardesh was used to download the first stage of the malware before tricking users into downloading the more sophisticated surveillance-focused second stage.
• Dell SecureWorks Counter Threat Unit detailed a new Nigeria-linked BEC group called Gold Galleon that has been plundering the global maritime shipping industry. Using publicly available business email addresses, low-tier RAT tools and spear-phishing techniques, the group has attempted to steal at least $3.9 million between June 2017 and January 2018.
• Palo Alto Networks’ Unit 42 identified a new malware called SquirtDanger that appears to have been developed by veteran Russian malware author “TheBottle”. Written in C#, the malware comes with various capabilities including the ability to take screenshots, list and kill processes, access and delete files, and even steal wallets or swap existing ones with one belonging to the attackers.