Go to listing page

Cyware Weekly Threat Intelligence, April 01-05, 2019

Cyware Weekly Threat Intelligence, April 01-05, 2019

Share Blog Post

The Good

We’re back with the most interesting threat intel of the week. Before we get into cybersecurity incidents and new threats, let’s first acknowledge all the positive events that happened over the past week. DHS has announced that it is planning to roll out its new risk scoring algorithm ‘AWARE’ in October 2019. GSA has expanded its cybersecurity service offerings to help federals agencies and state governments protect their valuable data. Meanwhile, Singapore has introduced a bill that aims at preventing the spread of fake news on online platforms.

  • Department of Homeland Security (DHS) is planning to roll out its new risk scoring algorithm ‘Agency-Wide Adaptive Risk Enumeration’ (AWARE) in October 2019. AWARE will help agencies prioritize mitigation activities and improve their basic cybersecurity hygiene.
  • Singapore has set up a committee to review data security practices in the public sector. However, the government remains firm on its decision to exclude such organizations from Singapore’s Personal Data Protection Act (PDPA)
  • The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments to protect their valuable data. This will help agencies secure high-value assets on mission-critical systems.
  • Singapore has introduced a bill ‘Protection From Online Falsehoods and Manipulation Bill’ that aims at preventing the spread of fake news in online platforms. The bill promises to punish disseminators of fake news, with fines of up to SG$100,000 or imprisonment of up to 10 years, or both.
  • The Australian government's 2019-20 Budget provides funding for the country’s ‘cyber uplift’ which includes the creation of ‘cyber sprint teams’ under the Australian Cyber Security Centre (ACSC) as well as a Cyber Security Response Fund.

The Bad

Over the past week, several data breaches and massive cyber attacks have come to light.  Toyota suffered a data breach compromising sales information of almost 3.1 million customers. Albany, the capital of the US state of New York was hit by a ransomware attack. Last but not least, Facebook has been hit by a data breach caused by third-party companies that exposed almost 540 million user records.

  • Hackers breached Toyota’s IT systems and gained unauthorized access to servers that contained sales information of almost 3.1 million customers. The data belonged to several sales subsidiaries such as Toyota Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.
  • Albany, the capital of the US state of New York was hit by a ransomware attack. The ransomware attack infected the network of the City of Albany crippling some of the City Court Services such as birth certificates, death certificates, or marriage certificates. The ransomware attack also impacted computers in the patrol cars which had incident and accident reports.
  • Georgia Tech suffered a data breach exposing personal information of over 1.3 million individuals after a third-party gained unauthorized access to its web application. The impacted individuals include some current and former faculty, students, staff, and student applications.
  • Bithumb cryptocurrency exchange platform suffered a cyber attack compromising 3 million EOS worth $13.4 million and 20 million Ripple coins (XRP) worth $6 million. An internal inspection revealed that the incident is an ‘accident involving insiders’.
  • Attackers planted malicious software on certain Earl Enterprises’ restaurants’ POS systems, as a result of which payment card details of guests who dined at Earl Enterprises’ restaurants were compromised. The impacted restaurants include Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria.
  • A security researcher detected an unprotected database belonging to the Department of Medical, Health and Family Welfare of a state in northern India that exposed medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, genetic testing, or sex determination testing of their unborn child.
  • Researchers detected a phishing page that was hosted on the Nigerian National Assembly (NASS) site for almost two weeks. This phishing page was found stealing DHL account credentials. The fake DHL page was shoddily designed and displayed a “Norton Secured” picture next to the DHL logo.
  • A researcher detected almost 13,500 unprotected iSCSI storage clusters that could allow attackers to plant ransomware on companies’ networks, steal sensitive data stored on the devices, or drop backdoors inside backup archives.
  • Arizona Beverages was hit by a ransomware attack infecting almost 200 servers and computers that were connected to the network. The ransomware attack led to shutting down its sales operations for almost two weeks. The company’s back-end servers were running an outdated Windows operating systems, therefore, they were unable to restore its systems and retrieve the data for days.
  • Researchers uncovered two misconfigured Amazon cloud servers belonging to third-party companies  ‘Cultura Colectiva’ and ‘At the Pool game’ that contained over 540 million Facebook user records. The exposed user records include account names, Facebook IDs, comments, likes, list of Facebook friends, photos, groups, checkins, and user preferences like movies, music, books, and interests.
  • Several HR companies in China have exposed over 590 million resumes in the past 3 months due to unprotected databases. This indicates that Chinese HR firms are not taking the security of their servers seriously. While some of these misconfigured databases have been secured, there are few that are still leaking data on the internet.
  • Researchers observed tax-themed phishing campaigns in the US that either attempts to drop malware, downloaders, or banking trojan onto victim’s systems or lure victims into submitting their financial information.

New Threats

Several vulnerabilities and malware strains emerged over the past week. A security researcher uncovered new ransomware dubbed ‘vxCrypter’ that deletes duplicate files apart from encrypting files in an infected computer. Researchers spotted a new malware dubbed ‘Xwo’ which is capable of scanning for credentials and exposed services. Meanwhile, Aite Group tested 30 Android financial apps and found several vulnerabilities in the apps.

  • Researchers have discovered a new variant of Emotet trojan that distributes a malware downloader dubbed ‘Nymaim’. This malware downloader, in turn, downloads the Nozelesn ransomware. This Emotet variant has been found targeting the hospitality sector.
  • Researchers spotted a new variant of BatMobi adware. This new variant of the adware is found to be delivered via apps from a third-party app store named Uptodown. This new BatMobi variant arrives in the form of apps that download videos from YouTube, such as Videoder, Video Downloader, Snaptube, and TubeMate.
  • Aite Group tested 30 Android financial apps that are available for download in the Google Play store and found several vulnerabilities in the apps. The vulnerabilities include a lack of binary protections, insecure data storage, unintended data leakage, weak encryption, and insecure random-number generation. These vulnerabilities could expose source code, sensitive data, access to other apps via APIs, and more.
  • A security researcher uncovered a new ransomware dubbed ‘vxCrypter’ that deletes duplicate files apart from encrypting files in an infected computer. vxCrypter keeps a track of the SHA256 hashes of each file it encrypts and if it encounters the same SHA256 hash while encrypting other files, it would delete the file instead of decrypting it.
  • Researchers spotted a new malware dubbed ‘Xwo’ which is capable of scanning for credentials and exposed services. This malware is related to two other malware families namely MongoLock ransomware and XBash. Xwo does not include any ransomware or exploitation capabilities.
  • A bug in the WordPress iOS application might have exposed users’ account authentication tokens to third-party websites. These account authentication tokens can be used to access a user’s WordPress account without a password. Automattic, the company behind WordPress has fixed the issue in the latest updated version of the WordPress iOS app.
  • Researchers have discovered four new versions of Bashlite botnet. They are named as Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. One of these versions is used to target devices with the WeMo Universal Plug and Play (UPnP) API.
  • A new malware campaign targeting companies in the US and Europe has been observed by researchers. In this campaign, Emotet is used to drop TrickBot, which then steals sensitive information and downloads the Ryuk ransomware into the victims’ computers.
  • Android device owners are complaining about a bug in Skype that automatically answers incoming calls. Some users reported that calls are being answered automatically when their Android device is paired with a smartwatch. Microsoft is working on a fix and has already fixed the issue in the latest Skype preview app.
  • Researchers noted that the OceanLotus threat actor group is using the steganography technique to drop variants of Denes and Remy backdoors on the affected systems. This technique is leveraged to hide an updated version of Remy backdoor and a version of Denes backdoor within PNG image files.
  • Security researchers have created a decryption key for Mira ransomware. Mira ransomware uses Rijndael algorithm to encrypt files on victims’ systems. Researchers have created the decryption key by retrieving the password, salt and the iteration count of the ransomware.
  • Researchers from Check Point detected a vulnerability in Xiaomi’s pre-installed security app named ‘Guard Provider’ that exposes users to MitM attacks. The vulnerability is due to insecure network traffic to and from ‘Guard Provider’ and the use of multiple SDKs. As a result, attackers connected to the same WiFi as users, can perform Man-in-the-Middle (MitM) attacks.
  • Researchers have uncovered over a dozen servers that are hosting ten different malware families. The malware families are distributed via phishing campaigns potentially tied to the Necurs botnet. The ten malware families include Dridex, Gootkit, IcedID, Nymaim, Trickbot, Gandcrab, Hermes, Fareit, Neutrino, and Azorult.


trickbot malware
mira ransomware
hermes ransomware
gandcrab ransomware
batmobi adware
vxcrypter ransomware
nymaim downloader
new variant of emotet trojan
xwo malware
dridex trojan
necurs botnet
tax themed phishing campaign

Posted on: April 05, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.