Go to listing page

Cyware Weekly Cyber Threat Intelligence February 11-15, 2019

Cyware Weekly Cyber Threat Intelligence February 11-15, 2019

Share Blog Post

The Good

It’s weekend and we’re back with yet another set of most interesting news of the week. Let’s start with all the positive advancements that happened in the cybersecurity landscape. Google has developed a new encryption method called Adantium to bring secure storage to low-cost devices. DARPA announced that it will be testing new mobile devices that can house and share information on multiple security levels. Meanwhile, US Senators introduced the bipartisan Cyber Security Exchange Act which establishes a public-private exchange program.

  • Engineers at Google have developed a new encryption mode called Adantium to bring secure storage to less expensive Android devices without disrupting the apps.  The encryption mode Adantium uses the ChaCha stream cipher adapted from HTTPS encryption. The stream cipher is faster on lower-powered devices because its operation is based on the additions, rotations, and XORs available on every CPU.
  • The Defense Advanced Research Projects Agency (DARPA) announced that it will begin testing new devices that can house and share information on multiple security levels. The devices are part of the SHARE program which aims to solve three issues with information-sharing specific to the Defense Department: housing multiple security levels on a single device, improving tactical network technology, and deploying software to auto-configure the network and accelerate devices.
  • US Senators introduced the bipartisan Cyber Security Exchange Act, which establishes a public-private exchange program. This bipartisan Act will allow federal agencies to work with private sector experts in cybersecurity landscape to ensure that the networks are protected.

The Bad

Over the past week, several data breaches and massive cyber attacks occurred. Attackers breached Malta’s Bank of Valletta (BOV) and stole over $15 million from the bank’s systems. Almost 620 million accounts stolen from 16 companies were put for sale on the Dark Web by a seller named ‘gnosticplayers. Additionally, the second batch of 127 million accounts stolen from 8 companies was also made available for sale on the Dark Web.

  • Attackers breached Malta’s Bank of Valletta (BOV) and stole over $15 million from the bank’s systems. The theft was detected immediately after the bank observed ‘reconciliation problems’ in international transfers. As a result, the bank temporarily took down its website and shut off all its operations including email services as well as ATMs.
  • Earlier this week, almost 620 million account credentials stolen from 16 companies were put up for sale on the Dark Web by a seller named ‘gnosticplayers’. The stolen accounts belonged to 16 websites including Dubsmash, MyFitnessPal, MyHeritage, Animoto, 8fit, 500px, Armor Games, CoffeeMeetsBagel and Artsy. The highest number of account credentials were stolen from Dubsmash, recording a total of 162 million.
  • Followed by the first batch of 620 million accounts stolen from 16 companies, a second batch containing 127 million stolen accounts was made available for sale on the Dark Web by ‘gnosticplayers’ who quoted $14,500 in bitcoin for the collection. The stolen accounts belonged to 8 companies including Ixigo, Houzz, YouNow, Coinmama, Petflow, Ge.tt, Roll20.net, and StrongHoldKingdoms.
  • Popular data science learning site DataCamp has suffered a breach compromising sensitive information of some of its users. The compromised information included personal information such as users’ names, email addresses, optional information such as location, company, biography, education, and pictures of the users, and account information such as bcrypt-hashed passwords, account creation dates, last sign in dates & sign in IP addresses.
  • The Houston-based chain restaurant, Truluck’s Seafood, Steak & Crab House has suffered a data breach compromising customers’ credit card information. The data breach has impacted 8 of its restaurants located in Austin, Houston, Naples, Southlake, and Chicago. The malware was injected into the point-of-sale systems at the affected restaurants to gain unauthorized access which resulted in the data breach.
  • Imag-I-Nation Technologies was hit by a data breach compromising its consumer report database. The customer report database was accessed by a mysterious hacker on November 1, 2018. The data stolen in the breach included customers’ full names, dates of birth, addresses, and social security numbers.
  • Dunkin’ Donuts announced that it had suffered a credential stuffing attack which resulted in attackers gaining access to some of its customers' accounts. In the credential stuffing attack, hackers used user credentials leaked at other sites to gain access to DD Perks rewards accounts. The compromised Dunkin’ Donuts customer accounts were put up for sale on the Dark Web forums.
  • LandMark White was hit by a data breach impacting the personal information of up to 100,000 customers. The compromised personal information included property valuations, personal contact numbers, and residential addresses of homeowners, residents, and property agents.
  • VFEmail, an email service provider was hit by a massive cyber attack. Mysterious attackers entirely wiped out their servers with data related to the email provider’s US users. As a result, the email provider has hinted that it is unlikely to resume operations.
  • Optus pulled down its ‘My Account’ site after customers experienced suspicious activities. Optus customers complained about seeing other customers' personal information after logging into Optus My Account. While some customers reported receiving phishing emails purported to be from Optus. The telecom giant is working closely with third-party vendors to identify the root cause of the incident.

New Threats

Several new vulnerabilities and malware strains emerged over the past week. Researchers spotted GandCrab ransomware hidden inside the modified Super Mario image. New Shalyer variant was spotted in the wild which is capable of disabling Gatekeeper protection mechanism in macOS. In the meantime, a security vulnerability was detected in the WordPress plugin ‘Simple Social Buttons’.

  • A malware campaign uncovered by a researcher showed a Super Mario image sheltering malicious PowerShell commands. When these commands were executed, ransomware such as GandCrab got downloaded into the affected system. Researchers noted that this image-based spam campaign appeared to be dependent on the region the computer systems were from.
  • A new variant of Emotet trojan has been observed in the wild. This new variant obfuscates the initial infection VBA macro code to avoid detection by anti-virus software. Researchers noted that the new variant is delivered in two different ways: First, via a URL that is hosted on attacker-controlled infrastructure and second, as an email attachment.
  • Researchers detected a new variant of Shlayer trojan that targets macOS. The new variant is distributed as a malicious Adobe Flash software update via fake update pop-ups on hijacked domains or legitimate sites clones or as part of malvertising campaigns running on legitimate websites. This new Shlayer variant disables Gatekeeper protection mechanism on macOS to run additional second-stage payloads.
  • A security researcher recently discovered a vulnerability affecting the Ubuntu operating system. The researcher named the vulnerability as ‘Dirty Sock’ and noted that this bug is a local privilege escalation vulnerability which could allow attackers to gain root level access to the system.
  • Researchers recently spotted a new version of Trickbot with new capabilities. This updated Trickbot variant is distributed via an email disguised as tax incentive notification mail from major financial institutions. It uses an updated version of the password-grabbing module that steals remote application credentials.
  • Researchers spotted a new malware campaign distributing a variant of AZORult trojan via fake ‘DHL express courier’ phishing emails. This phishing campaign targeted numerous Italian organizations and network users. The phishing email comes with an attached compressed archive that contains malicious executable scripts.
  • A critical vulnerability was detected in the WordPress plugin ‘Simple Social Buttons’ which could allow attackers to modify WordPress installation options. The security flaw was described as an improper application design flow combined with a lack of permission check.  The ‘Simple Social Buttons’ plugin has been installed on more than 40,000 WordPress sites.
  • Triout malware which targeted Android devices in 2018 is back again in a new avatar. This time, it comes bundled with a genuine Android app to perpetuate its spyware functionalities. The malware’s capabilities include recording phone calls, text messages, videos, pictures, as well as monitoring GPS coordinates of the users.
  • A security vulnerability (CVE-2019-5736) was uncovered in runc which could enable a malicious container to escape the confines of its isolated process and impact other containers. Researchers noted that the vulnerability could allow a malicious container to overwrite the host runc binary and gain root-level code execution on the host system.
  • A team of academics has found a new variant of the infamous Bleichenbacher's attack affecting the latest version of the TLS protocol, TLS1.3. The new variant of Bleichenbacher's attack could allow attackers to intercept the TLS traffic and steal data. The new variant of Bleichenbacher's attack also affects Google’s new QUIC encryption protocol.
  • A security bug in macOS was recently uncovered. This bug could allow malicious apps installed on macOS Mojave to steal Safari browsing history data. The developer who uncovered the bug noted that the bug affects all known macOS Mojave versions. The developer described the source of the bug as a ‘bug in a developer API’.



 Tags

trickbot malware
gandcrab ransomware
shlayer trojan
azorult trojan variant
emotet trojan
bleichenbachers attack
triout malware
dirty sock flaw

Posted on: February 15, 2019


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite