
Cyware Weekly Cyber Threat Intelligence February 4-8, 2019


The Good

We’re back with the most interesting cybersecurity news of the week. Let’s start with all the positive advancements that happened in the cybersecurity landscape. Google has released a Chrome extension named ‘Password Checkup’ to protect accounts from data breaches. Google is also working to advance the cyber-security model known as confidential computing with the Asylo project. Meanwhile, Mitsubishi Electric has developed a sensor-security technology that detects malicious attacks on equipment sensors.

  • Google has released a Chrome extension named ‘Password Checkup’ on Safer Internet Day (February 5, 2019). The extension checks whether the username and password combination entered on a login page is among the more than 4 billion credentials that Google knows to have been previously compromised in data breaches.
  • Mitsubishi Electric has developed the world’s first sensor-security technology that detects malicious attacks on equipment sensors by embedding a proprietary algorithm in sensor fusion algorithms. The algorithm detects malicious attacks based on the inconsistencies in measurement data.
  • Google is working to advance the cyber-security model known as ‘confidential computing’ with the Asylo project to protect the integrity of workloads. The confidential computing approach provides an additional layer of protection against malicious insiders, vulnerabilities and compromised operating systems.

The Bad

Over the past week, several data breaches and massive cyber attacks occurred. South Africa’s electricity provider Eskom was hit with a double security breach. Outdated New England Municipal Research Center (NEMRC) software leaked sensitive information, including Social Security numbers. In the meantime, the restaurant chain Huddle House disclosed a malware attack on one of its POS systems.

  • South Africa’s primary electricity provider Eskom was hit by not just one, but two security breaches. One was an unsecured database that leaked customer data online. The second was an AZORult malware infection disguised as a downloader for The Sims 4 game.
  • The restaurant chain Huddle House disclosed in a press release that attackers breached one of its third-party point-of-sale (POS) systems with malware. The malware was designed to steal payment information such as cardholder names, credit/debit card numbers, card expiration dates, cardholder verification values, and service codes.
  • Outdated New England Municipal Research Center (NEMRC) software leaked municipal employees’ sensitive information, including Social Security numbers. The NEMRC software was used by Vermont municipalities as well as the state’s tax department. The exposed information also included municipal taxpayers’ banking details such as routing and account numbers.
  • British telecom company Three UK’s homepage exposed other customers’ data to visitors who used its search. The exposed data included customer names, postal addresses, phone numbers, and email addresses, among other details, and was shown at random.
  • Metro Bank in the UK acknowledged that it was the victim of a malicious Signaling System 7 (SS7) attack. Flaws in SS7 had previously been exploited by attackers to intercept text messages and track phones across the globe. In this case, however, the attackers took the attack to a new level by emptying victims’ bank accounts.
  • The Australian Federal Parliament’s computer network has been hacked. Parliament’s presiding officers, Speaker of the House of Representatives MP Tony Smith and President of the Senate MP Scott Ryan, confirmed that there is no evidence that any data has been accessed at this point in time. However, Australian security agencies suspect China of being behind the attack.
  • British MPs were targeted by an attempt to access their contact lists and send texts and emails to all of their private contacts. Deputy Chief Whip Christopher Pincher warned MPs to be wary of text messages and emails asking them to provide overseas contact details or to download a secure messaging app.

New Threats

Several vulnerabilities and malware strains emerged over the past week. Researchers spotted a new backdoor trojan dubbed ‘SpeakUp’ that infects Linux and macOS systems. New vulnerabilities dubbed ‘Zombie POODLE’ and ‘GOLDENDOODLE’ were found to affect HTTPS. Last but not least, a new malspam campaign distributing ExileRAT was observed targeting the Tibetan government-in-exile.

  • Researchers spotted a new malware campaign distributing a backdoor trojan named ‘SpeakUp’, which exploits known vulnerabilities in six different pieces of Linux software. The campaign targets servers in East Asia and Latin America, including AWS-hosted machines. Researchers noted that the campaign also manages to evade all antivirus solutions.
  • Researchers recently spotted a custom downloader, ‘KerrDown’, used by the OceanLotus threat actor group to infect victims with payloads such as Cobalt Strike Beacon. Two methods were used to deliver the ‘KerrDown’ downloader to victims: an MS Office document with a malicious macro, and a RAR archive containing a legitimate program used for DLL side-loading.
  • A new malspam campaign was observed targeting the Tibetan government-in-exile. The phishing campaign targeted a mailing list managed by the CTA. The phishing emails carried a malicious PowerPoint attachment, ‘Tibet-was-never-a-part-of-China.ppsx’, containing scripts that download ExileRAT onto the system.
  • A security vulnerability in Ubiquiti Networks devices impacted nearly 485,000 devices. Jim Troutman, consultant and Director of NNENIX, disclosed on Twitter that attackers are remotely exploiting Ubiquiti networking devices exposed via UDP port 10001. The majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products.
  • The Outlaw threat actor group was spotted conducting a malware campaign targeting Linux systems in cryptocurrency mining attacks. The campaign used a new version of the Shellbot trojan, which builds a tunnel between an infected system and a C&C server operated by the attackers.
  • Attackers compromised the GitHub account of the Denarius cryptocurrency project’s lead and uploaded a backdoored version of the Denarius Windows client v3.3.6. The backdoored Windows client installer installed AZORult malware and infected roughly 3,200 users.
  • Researchers have discovered multiple vulnerabilities in the Remote Desktop Protocol (RDP) that could result in a so-called ‘reverse RDP attack’, in which a malicious server takes control of the connecting client. Researchers noted a total of 25 security issues in RDP implementations, of which 16 were found in the open-source FreeRDP client and its fork rdesktop, with the remainder in Microsoft’s own RDP client implementation.
  • A quickly evolving botnet called Cayosin has recently been observed by researchers. The botnet combines the most dangerous features of multiple previous botnets and makes them available to a broad audience at a reasonable price. It is actually a custom piece of malware with characteristics similar to QBot, Mirai and a few other pieces of software.
  • A new malware campaign distributing the Orcus Remote Access Trojan (RAT) has been discovered recently. A threat actor group named PUSIKURAC was found to be behind the campaign, which distributed the Orcus RAT by injecting the malware into a Ramadan-themed Coca-Cola video.
  • Researchers observed a Geodo spam campaign targeting employees of a US government agency. The campaign was spotted dropping the Qakbot malware onto unsuspecting systems. The phishing emails delivered a malicious Office document containing hostile macros; once the macro executes, it downloads a PowerShell-based Qakbot payload.
  • New vulnerabilities dubbed ‘Zombie POODLE’ and ‘GOLDENDOODLE’ were found to affect HTTPS. Researchers noted that these vulnerabilities arise from the continued use of cryptographic modes that should already have been deprecated.


Posted on: February 08, 2019
