Cyware Weekly Cyber Threat Intelligence July 16 - July 20, 2018

The Good

• Japan and the European Union are strengthening their cybersecurity cooperation ahead of the 2020 Tokyo Olympic and Paralympic Games. To tackle cyber attacks and threats, Japan is acquiring and exchanging knowledge and best practices on cybersecurity with EU, as well as making collaborative efforts in developing new capabilities.
• Colton Grubbs, the 21-year-old malware author behind the infamous LuminosityLink RAT, has pleaded guilty in federal court. He admitted to creating the RAT in April 2015 and later sold it online via hacking forums under the online moniker KFC Watermelon. US authorities secretly arrested Grubb in July 2017.
• Irish resident and alleged administrator of the now-defunct Silk Road, Gary Davis, has been extradited to the US to face charges over his involvement with the Dark Web marketplace. Facing charges of computer intrusion, money laundering and narcotics distribution, Davis could face life in prison if convicted.
• The Girl Scouts of the USA have unveiled a new set of 30 STEM badges that girls aged 5 to 18 can earn for efforts, completing activities and advocacy in “some of society’s most pressing needs.” The new STEM badges will help girls hone their skills in coding, robotics, cybersecurity, mechanical engineering and more.
• Instagram is upgrading its two-factor authentication (2FA) that would not require a user’s phone number to better guard against SIM hacking. The social media company confirmed it is building a token-based 2FA system that works with security apps like Google Authenticator or Duo. Users can receive a special code to log in that can’t be generated on a different phone used by a hacker in a SIM porting attack .
• Researchers at Australia’s Monash University have developed a post-quantum secure algorithm to help stop cyberattacks by supercomputers. The Lattice-Based One Time Ring Signature (L2RS) deploys cryptographical techniques designed to protect the privacy of users, large transactions and transfer of data without risk of being hacked by quantum computers.

The Bad

• Login passwords for over 30,000 vulnerable Dahua DVRs running old firmware were cached by IoT search engine ZoomEye. Although many Dahua devices could be hijacked by exploiting a 5-year-old vulnerability, hackers could have simply used the search engine to unearth thousands of Dahua DVR credentials.
• LabCorp, one of the largest clinical labs in the US, disclosed that it suffered a security incident that forced it to take part of its systems offline. It was later revealed that the firm was hit by the SamSam ransomware. The firm said it has found “no evidence of theft or misuse of data” so far.
• Virginia-based political robocall firm Robocent left hundreds of thousands of voter records exposed on a public, unprotected Amazon S3 bucket. The repository contained both audio files with pre-recorded political messages and voter data such as names, phone numbers, addresses, jurisdiction breakdown and political leanings.
• Spanish telecom giant Telefonica suffered a breach that possibly compromised the personal data of millions of customers. Compromised data included customers’ full names, fixed line and mobile numbers, national ID numbers, banks and call records. The company said the flaw has since has been fixed.
• Gaming giant Ubisoft’s servers were hit by DDoS attacks causing connection and login issues for gamers. The connectivity issues began last Thursday, preventing gamers from signing into their favorite games like Far Cry 5, For Honor and Ghost Recon Wildlands for days.

New Threats

• North Korea-linked Andariel, a hacking group associated with the infamous Lazarus Group, has been active over the past few months targeting South Korean victims. Researchers said the group has been leveraging an exploit on Microsoft’s ActiveX software framework to enable watering-hole attacks on South Korean websites for reconnaissance purposes.
• Magniber ransomware is becoming a global threat as it expands beyond South Korea to target other Asian countries as well. Malwarebytes researchers said its source code is now more refined, comes with multiple obfuscation techniques and is no longer dependent on a C&C server or hard coded key for its encryption process.
• Cisco Talos researchers discovered a highly targeted malware campaign targeting just 13 iPhones located in India. The campaign has been in operation since August 2015 with attackers using an open-source mobile device management (MDM) protocol to carry out the attack and control enrolled devices.
• Researchers at Palo Alto Networks said the Upatre malware downloader has been upgraded with new detection evasion techniques. First discovered back in 2013, the popular downloader has been previously used by cybercriminals for various malware like Locky, Dridex, Zeus, GameOver and others.
• CSE Cybesec’s Z-Lab said Russian threat group Fancy Bear seems to be behind a new malware campaign that targeted Italy’s Navy. The multi-stage cyberespionage campaign named Roman Holiday features an initial dropper and an updated version of the group’s X-Agent backdoor.
• A malware author going by the pseudonym “Anarchy” managed to build a massive botnet comprised of more than 18,000 routers in just a day. Security researchers from NewSky Security spotted the new botnet built by exploiting the CVE-2017-17215 vulnerability in Huawei HG532 routers.