Cyware Weekly Threat Intelligence, April 27 - May 01, 2020

Share Blog post

The Good

The Shade ransomware has finally retired. The operators of the ransomware, also known as Troldesh, have released over 750,000 decryption keys as a goodwill gesture after shutting down their operations. Meanwhile, Microsoft and Google have updated their respective cloud computing services to improve the security of data processing.

  • The operators of Shade ransomware announced the shut down of their operations by releasing over 750,000 decryption keys. These keys are available in the GitHub repository.
  • Microsoft and Google announced updates for their respective virtual machine (VM) instances for highly confidential information to be processed in Microsoft Azure and Google Computer Engine.
  • The Cybersecurity and Infrastructure Security Agency (CISA) issued an update to its Microsoft Office 365 security best practices as part of an alert from the US National Cyber Awareness System. These recommendations addressed Office 365 security configuration errors that could weaken an organization's otherwise sound security strategy.

The Bad

Coming to data leaks, several online services’ and products’ companies leaked email data of their customers to third-party advertising and analytics companies. On the other hand, ExecuPharma and CivicSmart suffered a major blow after being attacked by ransomware.

  • A new study highlighted that multiple online services’ and products’ companies leaked email data of their users to third-party advertising and analytics companies. The websites included Quibi.com, JetBlue.com, KongHQ.com, NGPVan.com, Mailchimp’s Mandrill.com, WashingtonPost.com, and Wish.com.
  • Le Figaro exposed 7.4 billion records due to a misconfigured Elasticsearch database. The exposed PII data included full names, emails, home addresses, countries of residence, postcodes, IP addresses, server access tokens, and passwords for new users.
  • This week, the dark web saw the dumping of confidential data stolen from Huiying Medical and ExecuPharm. While the source code for COVID-19 detection and experimental data belonging to Huiying Medical was sold for 4 BTC, ExecuPharm found the personal data of its employees dumped onto a dark web site.
  • State-sponsored hackers used a zero-day vulnerability in Mail.ee’s service to hijack some high-profile email accounts that were of interest to a foreign country. The attack was carried out by hiding a malware in emails sent to Mail.ee recipients.
  • A ransomware attack had disrupted the operations of the smart parking meter company, CivicSmart. The attack was carried out by Sodinokibi ransomware operators. In another incident, Maze ransomware operators took the responsibility of last year’s attack on Banco BCR.
  • Two Usenet service providers - UseNeXT and Usenet.nl - disclosed that they were affected in security breaches due to vulnerability in a software from a third-party company. Both companies had shut down their websites following the breaches.
  • Nearly 9 million travel logs belonging to British citizens were exposed due to a glitch in Sheffield City Council’s automatic number-plate recognition (ANPR) system. The exposed records included number plates and travel logs going through Sheffield’s road network. In a different incident, GDPR.EU had also leaked Git data and passwords due to a flaw in the website.
  • Details about a data breach at Warwick university had emerged this week. The incident, that occurred last year, led to the compromise of personal information of students, staff, and volunteers participating in research studies.

New threats

Several attack campaigns that included an updated version of Aggah malspam, PhantomLance, and PerSwaysion were also witnessed by researchers this week. The purpose of these campaigns was either to distribute malware or to steal credentials from users.

  • Cisco Talos observed an upgraded version of Aggah malspam campaign delivering multiple remote access trojans like Agent Tesla, njRAT, and Nanocore RAT. The trojans were distributed via malicious Microsoft Office documents.
  • Some new malware like EventBot, LeetHozer botnet, and Asnarök trojan, were also uncovered by researchers this week. While EventBot targeted banking apps and cryptocurrency wallets for Android, LeetHozer botnet exploited the telnetd service in a target device to launch DDoS attacks. The Asnarök trojan was used in an attack campaign that exploited a zero-day SQL injection vulnerability in Sophos firewall products.
  • A sophisticated PhantomLance campaign, which has been active since 2015, continues to target Android users in Southeast Asia. The campaign is still ongoing and is operated by the OceanLotus APT group.
  • A new variant of Black Rose Lucy ransomware impersonated FBI officials and tricked victims into paying a ransom of $500. The malware variant was distributed via social media links and messaging applications.
  • A massive spear-phishing attack campaign targeted several US universities using adult dating as a lure. The purpose of the campaign was to distribute the Hupigon RAT designed to record keystrokes, monitor webcams, and give attackers access to rootkit functionality on infected devices.
  • Attackers targeted small businesses with Remcos RAT in a phishing campaign. It was executed by spoofing the SBA.gov website and sending the same through phishing emails.
  • Trickbot trojan made a comeback in a phishing campaign that leveraged the Family and Medical Leave Act (FMLA) to create lures related to COVID-19. The trojan was distributed via emails that appeared to come from the US Department of Labor (DoL).
  • Multiple threat actors ran a widespread phishing attack that targeted more than 150 companies around the world. Dubbed PerSwaysion, the campaign stole credentials from Microsoft Office 365 users.

 Tags

warwick university
asnarok trojan
aggah malspam campaign
eventbot
perswaysion
remcos rat
phantomlance campaign
black rose lucy ransomware

Posted on: May 01, 2020

Get the Weekly Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!