Cyware Weekly Threat Intelligence, August 12-16, 2019

The Good

The week ended on a good note with several government agencies taking proactive steps to bolster their cybersecurity. The U.S. Energy Department is updating its Cybersecurity Capability Maturity Model to help organizations counter cyber threats. In another development, the DHS announced funding for a new project called STAMP, aimed at improving the static analysis tools used to find bugs in government software.

  • The Department of Homeland Security has awarded a new contract to GrammaTech for the Static Tool Analysis Modernization Project (STAMP). The goal of the project is to improve the software security tools available across the government. 
  • A team from the Georgia Institute of Technology has developed a tool dubbed SkyWalker to check for vulnerabilities in mobile apps that use multiple cloud services. The tool lets app developers audit cloud-based components and find vulnerabilities before integrating them into their products. 
  • The U.S. Energy Department is upgrading its Cybersecurity Capability Maturity Model to help federal agencies and private companies better assess the strength of their cyber defenses. The model was last revised in 2014, and the update will reflect recent advances in both digital threats and protections. 
  • The Southern African Development Community (SADC) plans to create multiple emergency response teams to protect online users against cybercrime. Some of SADC's 16 member states, including Tanzania, South Africa, Zambia, and Mauritius, have already established cybercrime emergency response units.  

The Bad

Along with the good news comes the bad. This week saw several data breaches worldwide, including incidents impacting Choice Hotels, Suprema's BioStar 2 and LEE. Moreover, a report disclosed by the FBI this week revealed that the culprit behind the massive Capital One data breach may have also hacked more than 30 other organizations.   

  • Largest lodging franchisor Choice Hotels suffered a data breach which resulted in the exposure of some 700,000 customers’ records. The cybercriminals had managed to gain access to the unprotected MongoDB database to steal the records and left behind a ransom note, asking a ransom of $3,800. 
  • Another publicly accessible database had leaked biometric data of over 1 million people who used Biostar 2 app. The exposed information included fingerprint records, facial recognition information and other personal details. 
  • The FBI disclosed that the culprit behind the massive Capital One data breach might have hacked more than 30 other organizations. The data breach at Capital One had exposed more than 100 million Credit applications.  
  • Security researchers discovered several vulnerabilities in four popular dating apps - 3Fun, Grindr, Romeo and Recon - which could allow attackers to steal GPS locations and other personal information of users. In another incident, the Chinese app Sweet Chat exposed the private chat contents and photos of over 10 million users due to an unsecured server.
  • A database containing 6,840,339 unique user accounts from the StockX data breach was put for sale on dark web forums by cybercriminals. The database was sold on the Apollon marketplace for $300. Later researchers found exposed credentials being distributed on underground hacker forums for an amount as low as $2.15. 
  • Over 3.69 million records were exposed by Leadership for Educational Equity (LEE) due to an unprotected Elasticsearch database. The exposed data included names, home addresses, gender, ethnicity, and salesforce ID of individuals.  

New Threats

Attacks involving both new and existing malware were also unearthed by researchers this week. The Ursnif and DanaBot banking trojans made a comeback in separate malspam campaigns targeting organizations and individuals across the world. Apart from these, Troldesh ransomware and the PsiXBot malware reappeared in updated forms with new distribution methods.

  • Security experts uncovered two variants of the Clicker trojan - Android.Click.312.origin and Android.Click.313.origin - that infected over 1 billion Android users. The malware variants were hidden inside apps related to dictionaries, online maps, audio players, barcode scanners and other software.
  • The infamous Troldesh ransomware is now being distributed via PHP files planted on compromised websites. Previously, the malware was propagated through social media posts and phishing emails.
  • Attackers leveraged malicious Word documents and fake DHL invoices in two different phishing campaigns to distribute the Ursnif trojan. Both lures were crafted to avoid detection by antivirus tools. 
  • A new version of PsiXBot was observed in the wild. The malware was distributed via the Spelevo and RIG exploit kits and avoided infecting Russian users.
  • A new report revealed that the Baldr trojan is infecting players using cheats for popular multiplayer games such as Apex Legends, Fortnite and Counter-Strike: Global Offensive. The malware is capable of stealing credit card numbers and login credentials. 
  • The notorious DanaBot trojan returned in a new campaign targeting organizations in Germany. The campaign is primarily delivered via phishing emails. 
  • New variants of the Neko, Mirai and Bashlite botnets affecting various router models and IoT devices were detected by researchers. The botnets bundle several exploits to infect the devices. 
  • The NetWiredRC remote access trojan targeted the hospitality industry in North America in a series of phishing campaigns. The malware was used to steal system information and login credentials. 
  • A new Android trojan dubbed Cerberus has emerged recently. The malware allows a remote attacker to take full control of infected Android devices. Its capabilities include harvesting contact lists and messages.

Tags

troldesh ransomware
netwiredrc trojan
danabot trojan
capital one
clicker trojan

Posted on: August 16, 2019
