
Cyware Weekly Threat Intelligence, August 19 - 23, 2019


The Good

As we gear up for a new weekend, let’s quickly glance through all that happened in cyberspace over the week. Before delving into the security incidents and new threats, let’s first take a look at the positive events. The Global Cyber Alliance launched a cybersecurity development platform named AIDE for Internet of Things (IoT) products. Major tech companies, including Alibaba, Google Cloud, IBM, Intel, and Microsoft, joined the Confidential Computing Consortium. Meanwhile, NSA researchers are planning to release their project’s end product, named ‘SMI Transfer Monitor with protected execution (STM-PE)’, to the public soon.

  • The Global Cyber Alliance, an international cross-sector effort designed to address cyber risks, launched the Automated IoT Defence Ecosystem (AIDE), a cybersecurity development platform for Internet of Things (IoT) products. AIDE enables small businesses, manufacturers, service providers, and individuals to identify and patch vulnerabilities and to secure IoT devices against cyber threats.
  • Major tech companies including Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent joined a new industry group named the Confidential Computing Consortium, which focuses on promoting secure computing practices. This consortium plans to bring together hardware vendors, developers, and others to promote the use of confidential computing, and better protect data.
  • Researchers at the National Security Agency (NSA) are planning to release their project’s end product named ‘SMI Transfer Monitor with protected execution (STM-PE)’ to the public soon. STM-PE works with x86 processors that run Coreboot and it protects machines from firmware attacks.
  • Facebook awarded the Internet Defense Prize, worth $100,000, to a research team from Saarland University, Germany, for developing ERIM, a new code isolation technique that can be used to protect sensitive data while it is being processed inside a computer. The technique combines hardware and software security features to provide a new way of isolating sensitive data during processing.
  • Visa announced that it has added a new fraud threat detection and blocking technology which is designed to enhance transaction security on its payments network. This technology helps financial institutions to prevent payment fraud while using its electronic payments network.

The Bad

Several data breaches and security incidents were reported this week. Twenty-two local Texas government entities were targeted in a coordinated ransomware attack. A cyber-espionage campaign linked to North Korea targeted several foreign ministries, four research organizations, and five email service providers. Meanwhile, Silence hackers targeted banks across 30 countries, including China, Russia, the United Kingdom, Bangladesh, and Bulgaria.

  • A coordinated ransomware attack targeted almost twenty-two local government entities in Texas. The impacted organizations have not been named because of security concerns; however, two of the impacted municipalities, the City of Borger and the City of Keene, publicly disclosed that they had been hit by the ransomware attack. The threat actor behind the attack on the Texas governments demanded a collective ransom payment of $2.5 million.
  • Attackers hacked the website of the Macon County Circuit Clerk and defaced the webpage with a graphic of a person in a Guy Fawkes mask and messages that read “Hacked by Iranian Hackers” and “Hacked by Mamad Warning.” The county’s Information Technology department has since restored the webpage.
  • Tivoli Gardens, an amusement park in Copenhagen, Denmark, had its ‘My Tivoli’ website compromised, allowing hackers to gain access to Tivoli products and guest information. The compromised guest information includes names, dates of birth, e-mail addresses, phone numbers, postal addresses, previous purchases, and credit card details.
  • Researchers from Cyjax analyzed the files submitted to three popular online malware analysis sandboxes and found that a majority of these files contain sensitive information. The researchers found over 200 sensitive documents, including invoices and purchase orders. CVs and professional certificates were two other prevalent types of document uploaded to the online sandboxes.
  • According to a new report published by Group-IB, Silence hackers launched 16 campaigns against banks across 30 countries, including China, Russia, the United Kingdom, Bangladesh, and Bulgaria. Within a span of 3 years, from June 2016 to June 2019, Silence hackers stole at least 4.2 million US dollars.
  • New Payments Platform Australia (NPP) disclosed that PayID records and associated data in the Addressing Service were exposed in a data breach caused by a vulnerability in one of the financial institutions sponsored by Cuscal Limited. The exposed PayID records include PayID names and the associated account numbers. However, NPP confirmed that none of the exposed data can enable the withdrawal of funds from a customer’s account.
  • An unprotected database belonging to the popular movie-ticket subscription service MoviePass exposed almost 161 million records of customer credit card data. The exposed records revealed details such as debit card numbers, expiry dates, customer card balances, and card activation dates. Researchers also said that more than 58,000 records contained customer card data and that the customer count was growing by the minute.
  • Fargo Public Schools and the Rome City District school fell victim to a data breach incident involving an older version of Pearson Clinical Assessment's program AIMSweb, which was accessed by an unauthorized third party. Pearson announced that it is offering free credit monitoring to Fargo Public Schools and Rome City District school students whose information may have been compromised in the breach.
  • Eighth Army-Korea warned that payment card information from nearly 1 million credit cards, including at least 38,000 U.S.-issued cards, had been stolen and put up for sale on the dark web in late May 2019.
  • A North Korean cyber-espionage campaign targeted the Ministry of Foreign Affairs agencies of three countries, four research organizations, and five email service providers. The four impacted research organizations include Stanford University, the Royal United Services Institute (RUSI), the Congressional Research Service (CRS), and a United Kingdom-based think tank.

New Threats

This week also saw several new malware strains and vulnerabilities. Researchers uncovered that Magecart skimmer scripts had been injected into the PokerTracker website. A new version of NanoCore, v1.2.2, was uncovered by researchers. Meanwhile, a privilege escalation zero-day vulnerability was disclosed in Steam that impacts over 96 million Windows users.

  • Researchers uncovered that Magecart skimmer scripts had been injected into PokerTracker’s subdomain and root domain, as both were running an outdated version of Drupal (6.3x). The researchers reported the incident to PokerTracker, and the company immediately identified the issue and removed the outdated Drupal module.
  • Researchers uncovered a new version of NanoCore, v1.2.2. Its capabilities include stealing passwords, keylogging, recording audio/video from a web camera, remotely controlling the mouse, and opening web pages. This RAT also has the ability to remotely shut down or restart the machine.
  • A security researcher disclosed a privilege escalation zero-day vulnerability in Steam that impacts over 96 million Windows users. The vulnerability could allow an attacker to launch a three-stage attack by exploiting a vulnerability in a Steam game, a Windows app, and the OS, and gain SYSTEM permissions on the compromised machine. This would allow attackers to disable the firewall and antivirus, install rootkits, steal any Windows user’s private data, hide a miner process, and more.
  • Researchers spotted a new cryptominer dubbed Beapy/PCASTLE. This cryptominer possesses advanced cryptomining capabilities in addition to using worm-like methods to move laterally and compromise victims. It can pause its mining operations when the victim's machine is running intensive processes. This cryptominer is distributed through supply chain attacks via potentially unwanted applications.
  • The latest variant of the Bolik banking trojan, dubbed ‘Win32.Bolik.2’, is distributed via a cloned NordVPN website. Users visiting the cloned website in search of a download link for the NordVPN client are served tampered NordVPN installers that install the NordVPN client while dropping the Win32.Bolik.2 Trojan payload in the background.
  • Researchers at the Ben-Gurion University of the Negev uncovered that the network isolation provided by routers can be broken by direct or timing-based covert channels. These two covert channel methods do not allow the exfiltration of large amounts of data. However, they can allow attackers to break a logical network that uses the same router hardware across two segregated software networks.
  • A major botnet operation related to Neutrino was found to have been active for more than a year. The botnet hijacks the web shells of other malware operations to install cryptocurrency-mining malware. The botnet has been quite successful in infecting Windows servers running phpStudy.
  • Researchers detected new Android adware that disguises itself as photography and gaming apps. Over 85 such malicious apps were detected by the researchers; they were available for download on the Google Play Store and had been installed over 8 million times. Tracked as AndroidOS_Hidenad.HRXH, this adware leverages unique techniques, including user-behavior and time-based triggers, to evade detection. The researchers shared their findings with Google, following which the adware apps were removed from Google Play.


Posted on: August 23, 2019
