Cyware Weekly Cyber Threat Intelligence | July 30 - August 3, 2018

The Good

• The US Department of Homeland Security has formed a new center to safeguard the nation’s critical assets against both physical and cyber threats. The National Risk Management Center help foster coordination between the federal government and private sector to better protect critical infrastructure through information sharing and risk management strategies to identify potential threats and prioritize those that most the greatest threat.
• A bipartisan group of US senators introduced legislation to help improve election infrastructure amid growing concerns over its security in light of the upcoming midterm elections. One of the bills introduced would allow the Justice Department to pursue federal charges against anyone who hacks voting systems used in federal elections. The second would let federal prosecutors shut down botnets and prohibit people from selling them as well.
• HP has launched a printer bug bounty program offering payouts ranging from $500 to $10,000. The private program has invited security researchers to find firmware-level vulnerabilities such as remote code execution, cross-site request forgery (CSRF) and cross-site scripting )XSS) bugs across enterprise printers and report them to Bugcrowd.
• Three alleged high-ranking members of the notorious FIN7 hacker group, also known as the Carbanak Group, were charged by the US Justice Department this week. Each of the three Ukrainian nationals have been charged with 26 felony counts. Since at least 2015, the cybercrime group has used malware to target over 100 US companies since to infiltrate systems and steal more than 15 million credit card records from over 6,500 point-of-sale terminals across 3,600 separate locations. Some of their victims include Chipotle, Arby’s, Chili’s and Red Robin among others.
• Google announced that G Suite admins can now receive special alerts when a government-backed hackers are attempting to infiltrate one of their company’s user accounts. G Suite super admins will also be able to configure special automated actions such as resetting the user’s account password to halt a potential intrusion and send a copy of the alert to the user as well.

The Bad

• Reddit disclosed a breach of its systems that compromised user data. The company said a hacker managed to thwart its two-factor authentication system and gain access to several employee accounts via SMS intercept. The attackers obtained read-only access to systems, source code and other logs including an 2007 database backup of Reddit user data that contained account credentials, email addresses, hashed and salted passwords and more.
• UnityPoint Health warned patients of a data breach that possibly compromised 1.4 million patients. Officials said an employee fell for a phishing attack that resulted in the unauthorized access to sensitive company data and patient information. Compromised data included patients’ names, addresses, medical records, surgical and treatment information, lab results, medications and more.
• Yale University disclosed a security breach that occured a decade ago between 2008 and 2009. The academic institution said a threat actor managed to access a university database and steal names, Social Security numbers, dates of birth and, in some cases, Yale email addresses and physical addresses. About 119,000 were affected in the breach including alumni, faculty members and staff.
• A borough in Alaska were hit with a massive ransomware attack that cripplied their computer infrastructure and forced government employees to rely on typewriters and hand receipts. Officials from Matanuska-Susitna declared a disaster due to the multi-pronged APT-style attack that involved the Emotet Trojan, BitPaymer ransomware and other tools. The ransomware encrypted all 500 Mat-Su desktop workstations and 120 of 150 Mat-Su servers.
• A former high school valedictorian who went on to attend the University of Massachusetts Boston was arrested for allegedly hacking cell phones and using stealing $2 million in cryptocurrency. Joel Ortiz, 20, has been accused of developing a scheme to take over victims’ cell phones and access online accounts containing digital currency assets such as Bitcoin, Coinbase, Bittrex and Binance. He faces over two dozen charges including identity theft, grand theft and computer hacking.

New Threats

• A new threat group dubbed DarkHydrus has targeted at least one government in the Middle East. Palo Alto Network’s Unit 42 researchers said the group used spear-phishing emails written in Arabic along with password protected RAR archive attachments that contained malicious IQY files. These files were used to ultimately install a custom PowerShell-based payload dubbed RogueRobin to gain backdoor access into targeted systems.
• Kaspersky Lab researchers uncovered a new fileless, cryptocurrency-mining malware dubbed PowerGhost that has been targeting corporate networks worldwide. The cryptojacker leverages both PowerShell and EternalBlue to stealthily spread across a network and spread to other PCs and servers to mine for cryptocurrency.
• Proofpoint researchers spotted an updated version of the AZORult infostealer and downloader that attempts to spread the Hermes ransomware version 2.1 in the wild and steal victim data. The new and improved AZORult also sports improved stealing and loading capabilities along with cryptocurrency wallet support.
• Tens of thousands of vulnerable MikroTik routers were spotted serving up web pages that contain a Coinhive miner. The exploited vulnerability in this case was patched by MikroTik within a day of discovery. However, hundreds of thousands of devices that have not been updated by their owners were left vulnerable to exploit. Trustwave researchers estimated up to 175,000 devices were compromised.