Cyware Weekly Cyber Threat Intelligence January 28 - February 01, 2019

The Good

Say goodbye to January 2019, and welcome February with the most interesting cybersecurity news of the week. The past week has witnessed several technical advancements in the cybersecurity landscape. Researchers have released a free, open-source tool that detects unprotected robots on the internet. Another group of researchers has developed a machine named ‘Mayhem’ that detects software vulnerabilities and patches them. Meanwhile, Google is working on a feature that provides protection against ‘drive-by-download’ attacks.

  • Alias Robotics, a cybersecurity firm focused on robotics, has released a free, open-source tool dubbed ‘Aztarna’ that detects vulnerable robots on the internet. Aztarna is capable of detecting vulnerable industrial routers and robots powered by ROS (Robot Operating System), SROS (Secure ROS) and other robot technologies.
  • Researchers have developed a machine named ‘Mayhem’ that detects software vulnerabilities and patches them. Mayhem identifies possible weaknesses and generates a working exploit. The machine works directly on binary code, which means that Mayhem can analyze a program without human assistance.
  • Google is in the process of adding a drive-by-download protection feature to all versions of Chrome. The feature is already active in the current Chrome Canary edition. However, a more stable version will be available in Chrome 73, scheduled for release in March or April.

The Bad

Several data breaches and massive cyber attacks occurred over the past week. Universiti Teknologi Mara (UiTM) suffered a data breach affecting the records of over 1.6 million students. Airbus was hit by a data breach compromising employees’ data. Discover Financial Services was also a victim of a data breach which led to the compromise of its customers’ data. Last but not least, the new Collection #2-5 breach totals 2 billion unique usernames and passwords.

  • Universiti Teknologi Mara (UiTM) has suffered a data breach affecting the records of around 1,164,450 students. The breach included the records of those students who were or are in the institute from 2008 to 2018. The leaked data included details such as students’ names, MyKad numbers, student IDs, campus codes, residence addresses and more.
  • Attackers hit DailyMotion with a credential stuffing attack, thereby gaining access to a limited number of accounts. Upon learning of the incident, DailyMotion took the necessary measures to stop the attack. The company has notified its potentially affected users about the incident and has asked them to reset their passwords.
  • Discover Financial Services suffered a data breach providing attackers with an undisclosed amount of customer data which included payment card details such as account numbers, card expiration dates, security codes, etc. The financial institution is issuing new cards for all the customers who might have had their card information compromised in the attack.
  • Private data of almost 14,200 individuals who had been diagnosed with HIV up to January 2013 was leaked online. A US citizen residing in Singapore gained unauthorized access to the HIV registry and leaked the data online. The leaked information included names, identification numbers, phone numbers, addresses, HIV test results, and other related medical information.
  • Airbus ‘Commercial Aircraft business’ information systems were breached, resulting in unauthorized access to data. Airbus disclosed that some private data of some of its employees in Europe was compromised in the incident. The compromised private data included employees’ professional contact details and IT identification details.
  • The Minnesota Department of Human Services has been hit by a phishing attack. The attack might have compromised the personal information of nearly 3,000 people. The attack occurred after a worker’s email account was hacked in September 2018.
  • Following Collection #1, which totaled 773 million leaked username-password pairs, Collection #2-5 totals 2.2 billion unique usernames and passwords. This confidential data is said to be distributed on online hacker forums and torrent websites. All of this leaked data appears to have been drawn from earlier breaches of Yahoo, LinkedIn, and Dropbox.
  • Researchers spotted a Distributed Denial of Service (DDoS) attack that generated more than 500 million packets per second, which is the largest Packets-Per-Second (PPS) attack recorded so far. Researchers noted that the packet rate of the attack was more than four times the volume of packets sent at GitHub last year.

New Threats

Over the past week, several vulnerabilities and malware strains emerged. Researchers recently spotted a new campaign distributing the FormBook info-stealer malware via a malware-friendly hosting service. A new malware strain written in the Go language was also spotted in the wild. Multiple malware strains were distributed in the ‘Love Letter’ malspam campaign. Researchers uncovered a critical bug in Apple iOS devices that could allow FaceTime users to access the microphone and front camera of recipients. In the meantime, LockerGoga ransomware infected the systems of Altran Technologies.

  • Recently, a security researcher uncovered a Trojan dubbed ‘TROJANSPY.WIN32.TEAMFOSTEALER.THOABAAI’ that disguised itself as a TeamViewer executable file. Hosted at a malicious URL, the spyware steals data from the victim’s computer after infection.
  • Researchers spotted a spam campaign that distributed phishing emails written in the Russian language. This spam campaign delivered the infamous ransomware called Shade, also known as Troldesh. The spam campaign also affected people in other countries such as Ukraine, France, Germany, and Japan.
  • Researchers uncovered a critical bug in Apple iOS devices that could allow FaceTime users to access the microphone and front camera of the person they are calling, even if the call recipient does not answer the call. Researchers confirmed that this bug exists in iOS version 12.1.2.
  • Researchers recently spotted a new campaign distributing the FormBook info-stealer malware. This new campaign targets the retail and hospitality industries both within and outside the US. Moreover, researchers observed a file hosting service being used in the new campaign for distributing the FormBook info-stealer.
  • Attackers infected the systems of Altran Technologies with LockerGoga ransomware that spread throughout the company’s network affecting operations in some European countries. The company shut down its IT network and all applications to protect its client data.
  • The ‘Love Letter’ malspam campaign has changed its target to Japan and has doubled the volume of malicious emails it delivered. This malspam campaign distributes a cocktail of malware consisting of GandCrab Ransomware version 5.1, a Monero XMRig miner, and the Phorpiex spambot.
  • A new Golang-based malware has been observed in attacks in the wild targeting cryptocurrency wallets. This malware is written in Golang/Go, which is a relatively new language compared to the other programming languages typically used by malware authors.
  • An updated version of the Remexi malware was used in a cyber-espionage campaign that targeted Iranian IP addresses. The goal of the campaign was to infect systems belonging to foreign diplomats residing within Iran’s borders.
  • Researchers recently observed the AZORult information stealer malware disguised as a Google Updater program and achieving persistence by replacing the legitimate Google Updater program on the compromised systems.
  • The newly discovered Mac malware dubbed CookieMiner targets Mac users to steal the contents of cryptocurrency wallets. Researchers named the malware CookieMiner because of its ability to steal browser cookies associated with cryptocurrency exchanges and wallet service sites visited by the victim.
  • A new malware has been spotted affecting WordPress sites. Researchers observed that websites were flooded with spam URLs, and after a detailed analysis, a theme file was found harboring this malware under the pretext of a license key.


Posted on: February 01, 2019
