| Cyware Weekly Cyber Threat Intelligence | March 05 - 09, 2018

The Good

• Researchers at IBM have remodified the C++ homomorphic encryption technique which is now said to be operating at a 75 times faster rate. The technique allows users to operate on encrypted data sans decryption, thus enabling a secure operation. For instance, companies could use the technique to encrypt their cloud-based database and work on them without decoding the text. The first version of HElib C++ library was released by IBM three years ago.
• Academics have come up with a new facial recognition system, named Face Flashing. The design works on two important factors viz. the light patterns that get reflected off a human face and the speed with which the system interprets the reflected light to detect any forgery attempt. The technique works with cameras and in connection with an LCD screen on computers, phones, and authentication panels.
• Last year, prominent Telecommunication companies - AT&T, Verzion, Sprint and T-Mobile had joined hands to launch Mobile Authentication Task Force. The focus was to create an improved security solution for their devices. The Telecom companies seem to have arrived at the solution that will now undergo further trials in coming weeks and would likely be available for adoption by the year end.

The Bad

• The Memcached-based DDoS attacks have taken the entire security world by surprise. After GitHub, another company was targeted by the hackers. In a blog post, Arbor Networks uncovered a massive 1.7 Tbps DDoS attack targeting customers of a US based internet service provider. The attack was carried out using the same technique that was used in the 1.35 Tbps attack on GitHub. The number of affected victims has not been disclosed yet.
• Danish Telecom company TDC's recently reported about network problem which could potentially affect their customers in Denmark, Sweden, and Norway. Due to the network failure, at least 450,000 of their customers who are predicted to be affected, were unable to make or receive any call. The problem is yet to be identified.
• A security researcher has managed to identify nearly 50,000 websites which have been  infected with crypto-jacking scripts. These websites include government and public service agency portals. Atleast, 7,368 of these compromised sites are powered by WordPress. However, some these sites have already been cleared away with the malware. According to the researcher,  Coinhive continues to be the most widespread crypto-jacking script out there, accounting for close to 40,000 infected websites – a stunning 81 percent of all recorded cases.
• RMH Franchise Holdings disclosed that more than 160 Applebee's restaurants across the US were affected by an anonymous malware that was found on point-of-sale (PoS) systems. The malware was designed to extract details such as names, credit/debit card number, expiration dates and card verification codes, though it did not impact payments made online or using self-pay tabletop devices. In majority of cases, the malware was present in PoS systems since December 6, 2017, while in some cases the malware has been active since November 23 or December 5, 2017.

New Threats

• A new variety of cryptocurrency miner, named “CryptoJack”, that targets other cryptocurrencies and online wallets, has been spotted by security researchers recently. The malware works by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet. This technique relies on victims not checking the destination wallet prior to finalizing a transaction. It includes a 'kill list' feature that disables the processes of other coin miners and infects the targeted computer to mine currency only for itself. In 2017, CryptoShuffler was the first malware to work on the same tactics.  
• Academics from the leading university of Iowa and Purdue University have uncovered new vulnerabilities in the core protocols that power 4G LTE mobile networks across the world. The vulnerabilities affect the attach, detach, and paging procedures that are part of Long-Term Evolution (LTE), a standard for high-speed wireless communication for mobile devices. An attacker could connect to a 4G LTE network using another user's identity, send messages on behalf of another user, intercept messages meant for that user, spoof the location of a mobile device, and even force other devices to disconnect from a mobile network.
• Researchers have unearthed a new version of the GandCrab ransomware. Dubbed GandCrab 2, the version is supposedly more secure with a significant difference from the original one. The new version has been released just after the decryption key for the original version was released by the security researchers. The GandCrab version 2 comes with different hostnames for the C&C servers at the back-end. Interestingly, one of the hostnames is politiaromana.bit, names in honor of the Romanian police which was instrumental in recovering decryption keys for the original version.
• Security researchers have discovered a new attack method that allows hackers to bypass Microsoft’s Code Integrity Guard (CIG) and inject a malicious code into protected processes, including Microsoft Edge. CIGslip bypasses CIG's security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.