Go to listing page

| Cyware Weekly Cyber Threat Intelligence | March 19 - 23, 2018

| Cyware Weekly Cyber Threat Intelligence | March 19 - 23, 2018

Share Blog Post

The Good

Researchers have made progress in lot many areas, this week. The US Army is moving closer towards developing a new method that would leverage brain-like computer architectures for integer factorization. Meanwhile, scientists at University of Texas at San Antonio (UTSA) developed a new algorithm that helps in detecting and preventing cyber attacks in real-time.
The best news of all, researchers from the Moscow Institute of Physics and Technology are making progress in creating ultra-high-speed quantum internet.

  • U.S Army is moving closer to cracking codes with brain-like computers. A new method to leverage upcoming brain-like computer architectures for a well known old number-theoretic problem known as integer factorization has been discovered by scientists at the U.S Army Research Laboratory. The scientists have mimicked brain functions of mammals in computing and subsequently opened up paths to new age solution space that is very different from traditional architectures but nearer to devices that are able to operate within size-, weight-, and power constrained environments. The new technology will dramatically increase computing power in the battlefield and exponentially increase information processing and computational problem-solving capability.
  • If there is one thing on which almost everyone would agree, it would be needed for a faster internet. Now, researchers from the Moscow Institute of Physics and Technology are making progress in creating ultra-high-speed quantum internet by using a previously known substance called ‘silicon carbide’. The paper published in npj Quantum Information talks about increasing data transfer rate in unconditionally secure quantum communication lines to more than 1 Gbps bringing it at par with its classical counterpart. Silicon Carbide is a semiconductor that gave birth to the field of optoelectronics. It is the same material in which the phenomenon of electroluminescence was observed for the first time and later used to create the world’s first light-emitting diode (LED).
  • Scientists at the University of Texas at San Antonio (UTSA) have developed a new algorithm that may help detect and prevent cyber attacks on GPS-enabled devices in real time. Electrical Grids depend on GPS signals to understand time and location. For example, the US electrical power grid depends on GPS to give timestamps for its measurements at stations across the country. However, hackers can spoof these signals and disrupt the understanding of these signals. As of now, the algorithm has successfully mitigated the effects of spoofed GPS attacks on electrical grids and other GPS-reliant technologies.

The Bad

This week registered one of the largest social media breaches, involving Cambridge Analytica, which impacted 50 million Facebook users. In other news, two companies have reportedly become victims of data breaches. Hackers have gained access to Camelot and Orbitz, impacting 10.5 million registered users and 880,000 payment cards respectively.
City of Atlanta suspects its systems have been infected with SamSam ransomware. In the meantime, a new attack on PREPA was reported from Puerto Rico.

  • One of the largest social media breaches in the history impacting 50 million people was unearthed when a whistleblower disclosed how Cambridge-Analytica violated privacy policy of Facebook to steal personal information of the users. An app, named My Digital Life, developed by the firm Cambridge Analytica paid 270,000 account holders to take a personality test. However, the data was then used to steal every account holders friend information. The information was later used to send targeted political advertisements. The breach has raised various serious questions and impacted the credibility of Facebook. Many governments across the world are now planning to posture their social media laws to prevent any misuse of data for manipulation of voters.
  • The famous fast-moving-games business Camelot has asked millions of National Lottery players to change their passwords following a suspicious activity involving lottery accounts. As per Camelot, the hackers have not been able to access core systems or databases and hence lottery draws or prizes have remained unimpacted. However, it has recommended about 10.5 million registered users to change their login passwords after a number of unauthorized logins were noticed. As per the officials, the account breaches might have been carried out through “credential stuffing” attack.
  • Soon after the United States disclosed that Russia had been targeting its energy sector, a new attack on PREPA, an energy utility organization, was reported from Puerto Rico. The company revealed that though hackers had succeeded in hacking it, but no customer data was compromised. The official disclosure further revealed that PREPA’s customer service system was not affected though the attack led to longer wait times at its service center.
  • Orbitz, a subsidiary of online travel agency Expedia Inc suffered a data breach impacting 880,000 payment cards. As per the official statement, hackers may have accessed personal information from about 880,000 payment cards. The breach is learned to have occurred somewhere between Jan. 1, 2016 and Dec. 22, 2017, for the partner platform and between Jan. 1, 2016 and June 22, 2016, for the consumer platform. The information that may have been stolen includes phone numbers, names, email and billing addresses. The company assured that social security numbers of its U.S customers were not impacted in the breach.
  • City of Atlanta’s computer systems were attacked probably by SamSam ransomware. The incident was confirmed by an official statement that disclosed the incident involving city computer’s experiencing outages on internal and customer-facing applications. While the attack did not impact the services but some applications that customers use to pay bills or access court-related information were severely impacted. As of now, there is no clarity if any personal or financial information or any kind of employee data has been compromised.

New Threats

This week, researchers have discovered several new threats--including a new ransomware, a new cryptomining malware, and a new Android Trojan. The Zenis ransomware has been discovered and found using customized encryption method. Codenamed GhostMiner, a cryptomining malware was found leveraging PowerShell code to obtain fileless execution. The new Android Trojan, TeleRAT, uses Telegram Bot API to communicate with the command and control (C&C) server. Also, an old Java-based remote access tool named Qrypter, was found back in operations.

  • A two-year-old Java-based remote access tool named “Qrypter” has been found becoming quite a favorite amongst existing cross-platform backdoors like Adwind as an efficient Malware-as-a-Service (MaaS) platform. The malware attracted attention when it targeted individuals applying for a US Visa in Switzerland in March 2016. The hackers first inject the tool into target systems using phishing emails. Once the target is socially engineered to download the tool, the malware executes two VBS files in the %Temp% folder using random filenames which subsequently collect details of antivirus products or firewall installed on the target system.
  • A new ransomware, called ZENIS,  that encrypts files and later purposely deletes the backups has been discovered by researchers. The ransomware uses a customized encryption method and scares the victim by threatening to delete the infected files if the payment is not made. As of now, the distribution method of Zenis is not completely known. The researchers have been able to zero-in at only one means of propagation of this self-proclaimed “mischievous boy” Zenis and that happens through Remote Desktop Services.
  • Researchers have discovered a new Android Trojan that uses Telegram Bot API to communicate with the command and control (C&C) server and to exfiltrate data. Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The conclusions were drawn when experts found similarities with another Android malware dubbed IRRAT Trojan, which also leverages Telegram’s bot API for C&C communication communications. The malware is laced with capabilities to receive remote commands allowing it to steal sensitive data like contacts, location, app list or any other copied on the clipboard amongst other features.  
  • A new strain of cryptomining malware has been unearthed. Codenamed GhostMiner by researchers, the malware leverages PowerShell code to obtain fileless execution. It is a competitive malware that scans the system to look out for other cryptominers and if found, halts their process. As of now, the financial profitability is not high for GhostMiner but the malware has garnered attention for its technical features. The malware is the first fileless cryptocurrency miner malware detected that allows hackers to run malicious codes directly from memory without leaving any files on disk. As such it makes itself hidden to classic antivirus engines.  


threat intelligence
samsam ransomware
telerat trojan
zenis ransomware

Posted on: March 23, 2018

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.