Cyware Weekly Threat Intelligence, August 10 - 14, 2020


The Good

With the number of cybercrimes increasing day by day, improving the cyber resilience of critical infrastructure has become an utmost priority for federal authorities and organizations. To that end, the National Institute of Standards and Technology (NIST) has unveiled the final version of its Zero Trust Architecture to improve the security model of organizations. In Australia, the Department of Home Affairs has proposed new initiatives drawn from the 2020 Cyber Security Strategy to protect the nation from sophisticated attack campaigns.

  • Members of the US House of Representatives introduced a bill to prevent the hacking of universities conducting COVID-19 research. The initiative follows a rise in cyberattacks by foreign malicious hackers.
  • The National Institute of Standards and Technology (NIST) unveiled the final version of its Zero Trust Architecture to give cybersecurity leaders, administrators, and managers a better understanding of the Zero Trust environment. The guidance was developed in collaboration with multiple federal agencies.
  • Australia’s Department of Home Affairs proposed some new initiatives from the recently released 2020 Cyber Security Strategy, such as sector-specific cyber obligations and inclusion of government in the cyber response process for private organizations, to protect the nation’s critical infrastructure from catastrophic attacks.

The Bad

Attacks from ransomware operators remained a major concern for firms. This week’s victim organizations include the SPIE Group and Boyce Technologies. In addition, the breach of user records at the SANS Institute, InMotionNow, and Michigan State University (MSU) grabbed the attention of security experts.

  • The SANS Institute suffered a compromise of 28,000 user records after 513 emails were forwarded to an unknown third party. The emails included files containing a subset of email addresses, first names, last names, work titles, company names, industries, addresses, and countries of residence.
  • Instances of unsecured databases leaking millions of records were also observed this week. In one incident, an unprotected AWS S3 bucket belonging to InMotionNow leaked over 5.5 million files and 343GB of data before it was secured by the firm. In another incident, Meow bot deleted 3.1 million patients’ data that was exposed on the internet for around 10 days. The database appeared to be owned by Adit, a Houston-based online medical appointment and patient management software company.
  • Illinois-based healthcare system FHN notified its patients about a data breach that occurred in February. The incident took place after an unauthorized person accessed the firm’s email accounts to view patients’ information.
  • Michigan State University experienced a Magecart-like attack in which attackers stole credit card and personal details of around 2,600 users from its online store. The attackers injected malicious scripts into the site by exploiting a vulnerability in the website.
  • Nefilim ransomware operators released around 11.5GB of data stolen from the SPIE Group. The group threatened to leak the remaining compromised data if the firm did not pay the ransom.
  • A mysterious hacker group hijacked around 23.95% of Tor exit relays to perform SSL stripping attacks on Tor users accessing cryptocurrency-related sites.
  • Avaddon ransomware operators launched a data leak site to extort their victims. Since the day of launch, the operators have published 3.5MB of documents belonging to a construction company. In yet another ransomware attack, DoppelPaymer targeted Boyce Technologies and leaked a portion of the stolen files in a bid to demand a ransom.
  • NCC Group’s training material was leaked on GitHub after a folder purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. The documents offered step-by-step guides and walkthroughs for the CREST exams.
  • A threat actor leaked the databases of Utah-based gun exchange and hunting websites—muleyfreak[.]com, utahgunexchange[.]com, and deepjunglekratom[.]com—for free on a cybercrime forum. The databases were allegedly hosted on an Amazon AWS server and included login names, passwords, and email addresses of registered users.

New Threats

Among the new threats, researchers discovered an attack named ‘ReVOLTE’ that can be used to eavesdrop on users’ conversations. Furthermore, around 3.7 million devices across the globe are still affected by multiple iLinkP2P flaws that can allow attackers to snoop on live video streams and steal login credentials.

  • Researchers detected sophisticated script-based malware that infects Windows Operating System (OS) users through Internet Explorer (IE). The malware observed includes a JScript RAT and an AutoIT downloader.
  • As many as 3.7 million devices are affected by multiple iLinkP2P flaws, namely, CVE-2019-11219, CVE-2019-11220, CVE-2020-9525, and CVE-2020-9526. These flaws can allow attackers to snoop on live video streams, steal login details, and conduct other malicious activities.
  • Agent Tesla information-stealing trojan now includes modules to steal credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. The malware variant can also be used to steal victims’ clipboard content data and disable anti-malware analysis software.
  • Researchers identified over 30 vulnerabilities across 20 popular Content Management Systems (CMSs) that could be abused to take over websites. The impacted CMSs include Microsoft SharePoint and Atlassian Confluence.
  • The Federal Bureau of Investigation (FBI) revealed that the Fox Kitten threat actor group abused vulnerable F5 Networks BIG-IP devices to target the U.S. private and government sectors.
  • CactusPete APT group used an updated version of Bisonal backdoor to target financial and military sectors located in Eastern Europe. The method of malware distribution for the new campaign remains unknown.
  • Google Project Zero researchers revealed that Microsoft has issued an incomplete patch for a flaw in the Windows Local Security Authority Subsystem Service (LSASS). The flaw, tracked as CVE-2020-1509, can be triggered through specially crafted authentication requests.
  • In an extensive study, researchers found that a new RedCurl cybercrime group has targeted at least 14 private companies in 26 attacks since 2018. The attacks were aimed at stealing documents containing commercial secrets and employees’ personal information.
  • An updated version of the Mekotio trojan was discovered targeting users in Mexico, Brazil, Chile, Spain, Peru, and Portugal. The malware’s capabilities include stealing bitcoins and exfiltrating credentials.
  • Kaspersky Labs uncovered two zero-day vulnerabilities in a thwarted attack campaign named ‘Operation PowerFall.’ The attack was carried out against a South Korean company in May 2020.
  • Academics detailed a new attack that leverages a vulnerability in the 4G Voice over Long Term Evolution (VoLTE) networks. Named ReVOLTE, the attack can be used to eavesdrop on a conversation.
  • In a joint advisory, the NSA and FBI warned about a new Linux malware dubbed Drovorub. Developed for a Russian military unit, the malware comes with a multitude of espionage capabilities like stealing files and remotely controlling victims’ computers.

Tags

meow bot
agent tesla malware
spie group
revolte attack
sans institute
cactuspete apt group
mekotio trojan

Posted on: August 14, 2020
