Cyware Weekly Cyber Threat Intelligence September 3 - 7, 2018

The Good

• Google is rolling out a verification program to weed out tech support scammers and ensure only legitimate third-party tech support providers use its ad network to reach consumers. The move comes after the Wall Street Journal reported scammers have been buying Google ads and posing as authorized service agents for Apple.
• The latest version of Google’s Chrome browser, version 69, was also released this week and comes with a brand new redesign and an improved password manager. Chrome will offer to automatically generate a random password whenever you sign up to a website for the first time that will be securely stored inside a Google Account. The feature is designed to stop people from using the same password across multiple websites.
• The National Institute of Standards and Technology (NIST) announced plans to create a voluntary privacy framework to help organizations manage risk and protect consumer privacy. The framework will go beyond basic cybersecurity practices and focus on privacy risks that arise from how organizations collect, store, use and share consumer data, the agency said.
• The US Department of Justice announced charges against North Korean programmer Park Jin Hyok over the 2014 Sony hack, the 2016 Bangladesh Bank cyber heist and last year’s WannaCry ransomware attack. Park is linked to the North Korean APT Lazarus Group and has been accused of working with the North Korean government to carry out the attacks. He has been charged with several crimes including hacking charges, conspiracy and conspiracy to commit wire fraud.

The Bad

• British Airways revealed this week that was hacked, compromising hundreds of thousands of customers’ personal and financial details. The airline said the hack continued for nearly two weeks between August 21 and September 5, compromising 380,000 payment cards.
• Spyware app provider Family Orbit exposed a whopping 281GB worth of customers’ data online including pictures of hundreds of monitored children. A hacker discovered the data was stored on unsecured cloud servers that had simple, easy-to-crack password protection. Motherboard verified the breach with Family Orbit who then changed their API key and login credentials.
• Another parental monitoring software provider, mSpy, accidentally leaked millions of sensitive records of customers and targets online. Exposed data included passwords, call logs, contacts, notes, text messages and location data collected from phones running the mobile spyware.
• The Freedom of Information Act (FOIA) request portal accidentally exposed dozens of Social Security numbers and others personal data online during a systems upgrade. Due to a design error, at least 80 full or partial SSNs and other personal data such as dates of birth and immigrant identification numbers were also made public.
• The Mega.nz Chrome extension was compromised with malicious code to steal login credentials and private keys for cryptocurrency accounts to access users’ funds. The collected data would then be siphoned to a server located in Ukraine. The tainted extension has been removed from its Chrome Web Store and a clean version has been submitted by Mega.nz.

New Threats

• A new strain of malware named “Barack Obama’s Everlasting Blue Blackmail Virus Ransomware” was spotted that only encrypts .exe files on a consumer. The ransomware then displays an image of the former US president asking for a “tip” to decrypt the files.
• Cisco Talos researchers discovered a Chinese-language threat actor named Rocke that has been using a mixed bag of tools and Git repositories to infect systems with a Monero-mining malware. The attacker has also exploiting several flaws to deploy to malware including Apache Struts flaws, an Oracle WebLogic server vulnerability and a critical Adobe ColdFusion bug.
• A new banking Trojan dubbed CamuBot has been spotted targeting Brazilian banking customers. IBM X-Force researchers said the malware camouflages itself as a security module required by the banks it targets. The unique malicious code is also capable of hijacking one-time passwords used for biometric authentication as well.
• F5 Labs researchers detected a new cryptomining campaign that targets Linux systems and scours for processes of other cryptominers on the machine to terminate. The competitive CroniX cryptominer leverages the Apache Struts remote code execution flaw CVE-2018-11776.