Cyware Weekly Cyber Threat Intelligence July 9 - July 13, 2018

The Good

• In China, 20 suspects were arrested in connection to a major cryptojacking case that affected 3.89 million computers since 2015 and generated 15 million yuan ($2.2 million) in illicit profits. Chinese tech giant Tencent discovered the malware embedded in software designed to help gamers cheat was actually used to mine cryptocurrency. Free downloadable plugins were also used to hijack users’ computers. Authorities were alerted in January and a dedicated task force was created to handle the probe.
• The Ukranian Secret Service said it detected and shut down a cyberattack that used the infamous VPNFilter malware to target a chlorine distillation station. The malware strain targets a large number of router models, can survive device reboots, monitor and intercept traffic, and even brick infected devices. The agency accused Russia of operating VPNFilter and launching the attack.
• Google announced that its latest Chrome 67 release comes with a new Site Isolation feature to protect against side-channel attacks like Spectre. Enabled by default, this fix will help prevent attackers from using speculative execution features of most processors to access parts of memory that should otherwise be restricted. However, the fix does increase Chrome RAM usage by about 10-13 percent.
• YouTube announced a few new features coming to its website and app designed to tackle fake news and the spread of misinformation. Information cards will now be included atop YouTube search results that include information from third parties on historical or scientific topics that are prone to misinformation or conspiracy theories - like the Moon landing or the Oklahoma City bombing. Eventually, similar info cards will be introduced for news-related search results too.

The Bad

• Retail giant Macy’s informed some online customers with profiles on Macys.com or Bloomingdales.com an unauthorized party accessed “a small number” of accounts between April 26 to June 12 using “valid usernames and passwords.” Compromised data included home addresses, credit card numbers, expiration dates and phone numbers. The breached accounts have been blocked and affected customers are advised to reset passwords and contact their credit card companies.
• TimeHop revealed it suffered a data breach on July 4 that affected 21 million accounts - 3.3 million of which had their names, email addresses and phone numbers compromised. It later added that dates of birth and gender were also exposed. However, the popular service that resurfaces memories from past social media posts said users’ financial data and personal content or “memories” stored in the app were not impacted.
• German hosting provider Domain Factory said it experienced a data breach in January that compromised customer data such as names, account numbers, physical and email addresses, phone numbers and dates of birth. Account passwords, bank names and account numbers such as IBAN and BIC were also included. Customer have been advised to change their account passwords as well as MySQL, SSH, FTP, and Live disk passwords.
• A major vulnerability in Thomas Cook Airlines’ booking system was found to have exposed customers’ names, email addresses and flight details. Norwegian security researcher Roy Solberg uncovered the flaw that allowed anyone to retrieve the data using just a reference number. The firm said the flaw only affected its Nordic division and has since been fixed.
• The fitness app Polar Flow exposed the names, home addresses and locations of high-ranking intelligence and military personnel to the public on its network. Researchers found it was possible to exploit Polar Flow’s Explore function to discover 6400 users’ full names, profile pictures and geolocation data across 69 nationalities, along with locations of secret military sites. This function has now been turned off.
• Hackers managed to attack a gas pump in Detroit to steal 600 gallons of gas worth roughly $1800. Investigators said the attackers used a device that allowed them to remotely block the attendant’s control of the pump from a dedicated console while a total of 10 cars used the pump during the 90-minute hack.
• Researchers confirmed a hacker has been selling non-classified, but sensitive materials on the US Air Force’s NQ-9 Reaper drone for $150-$200 on the Dark Web. The attacker also posted information on US Army vehicles and tactics for sale too. The intruder used a 2-year-old FTP vulnerability in Netgear routers to break into a computer at the Creech Air Force Base in Nevada.
• Popular crypto service MyEtherWallet (MEW) suffered an attack after a widely-used VPN service Hola was compromised for five hours, during which any Hola users who navigated to MEW and accessed their wallet may have been affected. Users who used and Hola during the time frame were advised to transfer their tokens to a new wallet account.

New Threats

• Two new Spectre variants were discovered that could be exploited to uncover confidential data via microarchitectural side channels in Intel and ARM CPUs. Spectre 1.1 could be used to create speculative buffer overflows while Spectre 1.2 allows attackers to overwrite read-only data and code pointers to infiltrate sandboxes on CPUs that don’t enforce read/write protections. The researchers who uncovered then earned a $100,000 bug bounty from Intel.
• Check Point researchers said the 6-year-old Dorkbot malware has reemerged in 2018 to become the second biggest banking malware this year. Dorkbot has evolved over the years to become a Trojan that steals users’ credentials using web-injects that are activated as the user attempts to log into their banking website.
• Fortinet researchers discovered a malicious, politically-themed document making the rounds that exploits a 17-year-old Microsoft Office vulnerability to deploy the Hussarini malware. The backdoor comes with the ability to create, read and write files, download and execute files or components and launch remote cmd shell. So far, the campaign has been primarily targeting the Philippines, researchers said.
• Bankbot Anubis has struck again in a new campaign targeting Turkish-speaking Android users. IBM’s X-Force researchers said hackers have managed to slip in at least 10 fake apps that are actually malicious downloaders capable of fetching over 1,000 malicious samples from the attackers C2 servers. The malware itself can capture victims’ keystrokes and steal their banking login credentials.
• A new extortion scam has emerged in which the scammers state that they know the victim’s password, have installed malware on their computer, created videos of the victim using adult websites through their webcam and have stolen their contacts. They then demand a $2900 payment to keep it a secret or risk having the video sent to all of the victims’ contacts. Although the passwords have been gathered from previous data breaches and leveraged to add legitimacy to the frightening email, the rest of the scammers’ claims are bogus so watch out for such scams.