Cyware Weekly Cyber Threat Intelligence June 4 - June 8, 2018

The Good

• Amazon announced it has pulled the flaw-riddled CloudPets from its online store after researchers discovered serious new and old vulnerabilities in the smart toys. Together with Cure53 researchers, Mozilla found CloudPets’ Bluetooth flaws, discovered over a year ago, were still unfixed in addition to newly discovered vulnerabilities. Walmart and Target have also pulled the toys from their shelves as well.
• The US Election Assistance Commission released a list of 26 states that have requested and received funding to secure state voting systems ahead of the 2018 midterm elections. These states have requested nearly $210 million in newly available funds, about 55% of the total available amount, authorities said.
• Apple is introducing new Safari privacy features on MacOS Mojave and iOS 12. At its Worldwide Developers Conference, the company said the next version of Safari will prompt users when a website tries to access cookies or other data, and lets you decide if you wish to allow it. The browser will also stop supporting legacy plugins as well.
• The US House Homeland Security Committee has approved a bill to expand efforts to secure industrial control systems used to power critical infrastructure and services such as power and water systems, manufacturing and transportation. This move comes after researchers warned hackers have been targeting critical infrastructure systems over the past few years using sophisticated tools and techniques.
• On a lighter note, popular mystery author James Patterson teamed up with former US President Bill Clinton to co-author a novel about a commander-in-chief going undercover to prevent a cyberattack. Titled “The President is Missing”, the fictional thriller revolves around President Duncan who is up for impeachment but has to prevent a cyber attack that could cost “massive loss of life… an economic crash greater than the Depression… and violent anarchy.”

The Bad

• DNA testing site MyHeritage suffered a breach compromising the personal data, email addresses and hashed passwords of over 92 million users. A security researcher notified the firm after discovering a file named “myheritage” on a private server outside of the firm. The company said payment card data was not impacted while family trees and DNA data are stored on separate systems and “does not believe those have been compromised.”
• Ticketfly was targeted by hackers last week who defaced its website and stole users’ personal data. Several Ticketfly database files were later found posted to a public server containing over 26 million email addresses as well as users’ names, phone numbers, home and billing addresses. The online ticketing service’s website and app were offline several days following the hack.
• Transamerica said it suffered a breach with hackers stealing around 45,000 customers’ personal and financial data, employment details and Social Security numbers. The company said the incident likely occurred between March 2017 and January 2018.
• Scammers have been targeting hotels and guest houses featured on Booking.com with detailed phishing messages to steal financial details. Customers then received emails asking them for their payment details after these properties were phished. Booking.com said its systems were not compromised, adding that it has notified all potentially affected customers.
• Kenna security researchers found widespread Google Group misconfigurations  exposing organizations’ internal data. As many as 10,000 firms were found publicly exposing some form of sensitive data after many Google Groups visibility were accidentally configured to “public”. Fortune 500 companies, universities, hospitals and even some US government agencies were affected.
• Atlanta’s police department admitted “years” worth of police dashcam footage were destroyed in the recent SamSam ransomware attack that crippled the city’s municipal services in March. Atlanta Police Chief Erika Shields said the data loss could potentially compromise DUI cases “if the officer’s testimony is not where it needs to be.” However, she said she isn’t worried since there are other pieces of evidence.
• Researcher Ruben Santamarta managed to successfully hack into in-flight airplane WiFi networks from the ground. The IO/Active researcher said he accessed on-board WiFi networks including passengers’ Internet activity and read the planes’ satcom equipment. Santamarta plans to demonstrate the hack during his Black Hat USA talk in August.

New Threats

• The notorious VPNFilter malware has been found to be worse than previously thought. Cisco Talos researchers initially said the destructive malware has infected more than 500,000 consumer-grade routers worldwide including Linksys, MikroTik, Netgear, TP-Link networking equipment and QNAP network-attached storage (NAS) devices. Now researchers have updated this list to include those manufactured by Asus, Huawei, D-Link, ZTE, Ubiquiti and Upvel.
• Cybercriminals have incorporated the recently disclosed Internet Explorer zero-day vulnerability to the RIG exploit kit to deliver Monero miners. The remote code execution vulnerability, CVE-2018-8174, was patched by Microsoft in May. However, researchers say hackers are actively exploiting the zero-day flaw to infect unpatched Windows PCs on a global scale.
• A new traffic manipulation and cryptomining campaign dubbed Operation Prowli has already affected over 40,000 devices in 9000 organizations across industries. Guardicore Lab researchers said Prowli targets vulnerable platforms such as CMS servers, DSL modems, backup servers and IoT devices using exploits, password brute-force attacks and weak configurations.
• Cisco Talos researchers discovered North Korean hacking outfit Group 123, also known as Reaper and APT37, are using a remote access trojan dubbed NavRAT to attack South Korean targets. Using the US-North Korea summit as a decoy, the trojan is embedded in a malicious Hangul Word Processor document. The malware itself has keylogging capabilities and is capable of downloading, uploading and executing commands on infected systems.