Cyware Weekly Cyber Threat Intelligence May 14 - 18, 2018

Good


The week started on a good note with many countries taking proactive steps to bolster their cybersecurity. China has developed a defense system that can withstand over 500,000 attacks while the US has unveiled a five-year cybersecurity strategy to address the cyber risks in various sectors. Denmark has introduced a $240 million cyber defense plan that is aimed at protecting their business.

  • A mimic defense theory, developed by China, has withstood over 500,000 hacker attacks in an international challenge, held in Nanjing, capital of east China’s Jiangsu Province. The defense system features a constantly changing software environment which makes a conventional hacker difficult to locate a target. The idea which been inspired by Mimic Octopus -- which can change its appearance according to its environment -- was first proposed by Chinese scientists in 2007.
  • The US Department of Homeland Security has introduced a new cybersecurity strategy to keep pace with the evolving cyber risk landscape over the next five years. The strategy will mainly focus on five factors namely, Risk Identification; Vulnerability Reduction; Threat Reduction; Consequence Mitigation; and Enable Cybersecurity Outcomes.
  • The government of Denmark has unveiled a $240 million cyber defense plan that aims to protect government authorities, businesses and individuals from any cyber threat. The initiative was undertaken following the increase in attacks by cybercriminals and nation-state actors. The proposed plan is expected to be implemented in the next five years and consists of 25 concrete initiatives to bolster the society's defense system against cyber attacks.

Bad


Along with the good news, comes the bad. This week saw several data breaches worldwide including incidents impacting the City of Riverside’s Police and Fire department, the FPNSW, the Danish company DSB and the BCCI. Moreover, a researcher submitted a report this week that revealed the leak of more than 3 million Facebook users.

  • The city of Riverside’s Police and Fire department suffered yet another ransomware attack - the second one since the April incident. The department’s servers were badly hit in the attack with eight hours worth of data completely wiped out by the attackers. However, the good news is that the city had a backup of its data.
  • Up to 8,000 clients may have been affected due to a data breach affecting Family Planning New South Wales (FPNSW). The exposed data contained data of clients who have contacted FPNSW via its website over the past 2½ years to make appointments or give feedback. It included names, contact details, dates of birth and the reason for their inquiries. Officials claim that the attackers may have abused vulnerability in the software that was used to build the website, in order to execute the attack.  
  • DSB, the largest train operating company of Denmark, suffered a massive DDoS attack that caused service disruption across the country. This DDoS attack halted train operations and blocked travelers from buying tickets. It also affected the company’s website, ticket machines, apps and 7-Eleven kiosks inside the railway stations.
  • Researchers have revealed a newly discovered breach that left data of more than 3 million Facebook users exposed for four years on an unsecured website. The leaked info consisted of information collected by the popular ‘myPersonality’ quiz, conducted on the social media site. The website’s low security potentially gave anyone provision to access the details.  
  • A misconfigured S3 bucket of Board of Control for Cricket in India (BCCI) resulted in the leakage of personal data of several thousand Indian applicants who had submitted forms between 2015 and 2018. The number of affected people is estimated to be between 15,000 - 20,000 while the exposed data includes name, date of birth, permanent address, medical records, birth certificate, mobile number, SSC certificate of a person.

Threats


Various new malware were unearthed by researchers this week. While PRB-Backdoor stole info and executed code on infected systems, StalinLocker prompted victims for a specific code or have their data deleted. A new variant of Dharma ransomware emerged while Grobios Trojan was found to be delivered via RIG Exploit Kit.

  • The recently detected Powershell backdoor, dubbed PRB-Backdoor malware, has been found to be stealing information and executing various commands on the infected systems. The malware is distributed via Word document named ‘Egyptairplus.doc’ containing malicious macros. Other capabilities of the malware include writing files to disk, reading files, launching a shell, recording keystrokes, taking screenshots of the screen and getting system info.
  • A new-in-development screenlocker called StalinLocker was discovered giving victims 10 minutes to enter a specific code or have their hard drive data deleted. Upon execution, the malware locked the screen, displayed a picture of Stalin and a countdown timer while playing the USSR anthem in the background. The countdown is displayed until the files are deleted.
  • A new malware has been reported to collect cache and key files from instant messaging service Telegram. This new malware was first seen on April 4, 2018, with a second variant emerging on April 10. The second variant is capable of stealing login credentials and collecting Telegram's desktop cache and key files. The two malware are distributed using various downloaders written in different languages.
  • A new variant of Bip Dharma/Crysis ransomware was discovered this week that is being distributed via spam emails. Upon installation, it encrypts the content of files and later appends them with .Bip extension in order to extort victims to pay up in Bitcoin.
  • Researchers discovered a RIG Exploit Kit being used to deliver a Trojan named Grobios. In this attack, victims are directed to the RIG landing page after visiting the domain latorre[.]com[.]au. The main purpose of Grobios malware is to help attackers gain a strong foothold in targeted systems by employing various kind of evasions and anti-VM techniques.










  • Share this blog:
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.