Go to listing page

Cyware Weekly Cyber Threat Intelligence January 14 - 18, 2019

Cyware Weekly Cyber Threat Intelligence January 14 - 18, 2019

Share Blog Post

The Good

The past week saw a lot of good events, cyber attacks, and new threats. Let’s take a quick tour of all that happened in the cybersecurity landscape. Let’s first start with the positive advancements and the new policies. The British Security Industry Association (BSIA) has published guidelines to minimize the exposure to digital sabotage. Massachusetts Governor has signed a new law that protects consumers from security breaches. Emsisoft has a released a browser extension that will block you from interacting with malicious sites.


  • The British Security Industry Association (BSIA) has published new guidelines to reduce the exposure to digital sabotage of network-connected equipment, software, and systems used in electronic security. The new guidelines will enable industrialists to better serve industry consumers by providing professional, safe and secure internet enabled security solutions.
  • Massachusetts Governor Charlie Baker signed a new law on January 10 that amends the state's data breach law. The law named ‘An Act relative to consumer protection from security breaches’  comes with a number of changes to the way companies will have to deal with security breaches involving the personal information of their customers.
  • Emsisoft has a released a browser extension that will block you from interacting with known phishing, malware, or scam sites. This browser extension is currently available for Chrome and Firefox, with plans to have one available for Microsoft Edge in the future.
  • Whatsapp is in the process of bringing fingerprint security for Android and iOS users. Only smartphones with a biometric scanner can make use of this feature.  WABetaInfo suggests that the feature will be introduced in version 2.19.3.
  • Yubico Creates Physical Security Key for iPhones. Instead of entering a password and a code sent to a mobile device, you log in by plugging in the physical key to gain account access. In case hackers get ahold of user passwords, they wouldn't be able to login without the key.


The Bad

Over the past week, several data breaches and massive cyber attacks happened. The City of Del Rio, Texas was hit by a ransomware disabling servers at the City Hall. Cryptopia takes down its services and website following a security breach. Oklahoma Securities Commission accidentally leaked 3 TB data including internal documents belonging to FBI. Meanwhile, 773 million email addresses and almost 22 million unique passwords were found to be hosted on cloud service MEGA.

  • The City of Del Rio, Texas was hit by a cyber attack which led to disabling all servers and turning off the internet connection for all city departments. Further, employees were not allowed to log in to the systems, as a result of which, all the transactions at City Hall were done manually using paper, with no access to any documents or data stored on the City Hall's systems.
  • Cryptopia, a cryptocurrency exchange based in New Zealand, was hit by a security breach resulting in significant losses. Following the breach, the firm has taken the websites and service offline and posted a message on the home page that reads ‘unscheduled maintenance mode’.
  • An unsecured storage server belonging to the Oklahoma Securities Commission exposed 3TB data files including sensitive FBI investigations. The exposed files included years of FBI data including FBI interviews, emails among people involved with investigations, bank transaction history, and letters from witnesses.
  • Set of email IDs and passwords of up to 2,692,818,238 rows from various sources were found to be hosted on cloud service MEGA. Out of which, 773 million were email addresses and almost 22 million were unique passwords. The large collection of files on the MEGA cloud service totaled over 12,000 separate files with almost 87GB data.
  • A misconfiguration issue in NASA web app that uses JIRA server has exposed sensitive information of employees and projects. The data exposed included usernames, email addresses and job roles of employees. The exposed server also contained the name of current projects and upcoming milestones.
  • Attackers breached 30 computers in the Defence Ministry of South Korea and allegedly stole information related to an arms procurement. In the attack, the cybercriminals gained unauthorized access to the server of a security program present in those computers.
  • An unprotected database belonging to Californian voice over IP services provider VOIPO was left publicly available. The exposed database contained millions of VOIP call logs, SMS/MMS records, and internal system credentials including hostnames, usernames, passwords, and API keys.
  • Managed Health Services (MHS), a managed care firm in the Indiana state, recently revealed that patient data of 31,876 members of its programs had been compromised in two different security incidents in 2018.


New Threats

Several vulnerabilities and malware strains emerged over the past week. Magecart group 12 recently compromised an advertising script to inject malicious code into hundreds of websites. A newly discovered JavaScript malware is capable of downloading GandCrab ransomware, SmokeLoader, AZORult Trojan, Phorpiex spambot, and a Monero cryptocurrency miner. In the meantime, Emotet trojan has made a comeback in a new malspam campaign.

  • Magecart Group 12 compromised a script belonging to a French advertising company Adverline, in order to inject Magecart code into its client's websites. The injected Magecart code was designed to steal payment card details entered in checkout pages.
  • New JavaScript trojan dubbed as “TROJAN.JS.PLOPROLO.THOAOGAI” was discovered by researchers. This trojan downloads entities such as GandCrab ransomware, SmokeLoader, AZORult Trojan, Phorpiex spambot, and a Monero cryptocurrency miner.
  • A new threat seems to emerge from torrent sites such as The Pirate Bay, where the malware is often disguised as movie files. Placing itself as a Windows shortcut file when downloaded, it executes a string of instructions in the background to steal cryptocurrency tokens.
  • A new phishing campaign has been discovered distributing Hawkeye keylogger trojan. The malware comes in the form of a Microsoft Word document attached in a spoofed email. The Word document is actually a Rich Text File(RTF) that uses the CVE-2017-1182 equation editor exploit.
  • A new version of NanoCore RAT has been found targeting Windows systems. Dubbed as NanoCore 1.2.2.0, the sample is capable of performing various nefarious activities. The NanoCore 1.2.2.0 capabilities include registry edit, process control, upgrade, file transfer, keylogging, password stealing, and more.
  • Emotet trojan has made a comeback in a new malspam campaign. Attackers are using phishing emails to distribute the malware that is capable of stealing sensitive data of users. Once installed, it connects with the C2 server of the attackers using specific ports that include 20, 80, 443, 7080, 8443, and 50000.
  • Djvu ransomware, which made news last month, is gaining popularity lately. It appears that cybercriminals are relying on software cracks and adware to proliferate this ransomware on Windows computers. Furthermore, a new variant has also been developed in the form of a .tro extension that is sneakily put into crack files. Prior to this, Djvu used .djvu extension for presenting encrypted files.
  • Proof-of-Concept malware sneaks into smart buildings’ security loopholes. Automated environments such as building automation systems(BAS) prone to attacks from modern malware, says research. The BAS systems remain exposed to threats due to various kinds of vulnerabilities including hardcoded credentials, buffer overflow, cross-site scripting, and more.
  • A cryptomining malware has now emerged which uninstalls various cloud security protection and monitoring products. The threat actor group behind the creation of the malware is identified as “Rocke”.
  • Vulnerabilities in ES File Explorer could allow attackers to download files from victims’ mobile devices and SD cards, launch apps, view device information, intercept ES File Explorer’s HTTP network traffic and switch it with their own.






 Tags

nanocore rat
gandcrab ransomware
magecart group 12
hawkeye keylogger trojan
emotet trojan
proof of concept malware
djvu ransomware
unprotected database

Posted on: January 18, 2019


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite