Cyware Weekly Threat Intelligence, August 24 - 28, 2020


The Good

With cyberattacks becoming more sophisticated, addressing them with robust cyber technologies is the need of the hour. Recognizing this priority, researchers came up with two new Artificial Intelligence (AI) techniques to ward off cyberattacks on medical devices and supercomputers. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) proposed five strategic initiatives to secure 5G networks against cyber threats.

  • The Australian state of New South Wales announced an investment of AU$60 million (~USD 44 million) to improve the state’s cybersecurity capabilities. The funding, spread over the next three years, will be used to protect existing systems, deploy new technologies, and grow the cyber workforce.
  • The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) outlined five strategic initiatives to secure U.S. 5G networks against cyber threats. These include developing 5G policy and standards that prevent malicious actors from influencing the design of new systems.
  • MITRE released Shield, a new active defense knowledge base that helps organizations detect and counter intruders already on their networks. The framework catalogs tactics and techniques for detecting, disrupting, and containing intrusions.
  • Researchers at Ben-Gurion University of the Negev developed a new AI technique to protect medical devices from malicious operating instructions sent during a cyberattack, as well as from human and system errors. The technology analyzes the instructions sent from a PC to the connected device and flags anomalous commands.
  • In separate research, computer scientists designed a new AI system to identify and block malicious code that hijacks supercomputers to mine cryptocurrency.

The Bad

In addition to these developments and discoveries, the cyber ecosystem witnessed some serious cyberattacks this week. The notorious Lazarus threat actor group was found responsible for an ongoing cyberespionage campaign, carried out through LinkedIn, that has been active since 2018. Meanwhile, the REvil ransomware gang claimed an attack on Valley Health Systems and the theft of information on its clients, employees, and patients.

  • New Zealand’s stock exchange (NZX) resumed trading after DDoS attacks disrupted it for four consecutive days. It is not yet clear who was behind the attacks.
  • The REvil ransomware gang claimed to have stolen sensitive data in an attack on Valley Health Systems, including information on its clients, employees, and patients.
  • Operations at the Australian IT vendor Data#3 were temporarily disrupted by a cyber incident. The company notified the 28 customers affected by the incident.
  • College of the Desert fell victim to an attack that took down its email and web services; there was no evidence that any personally identifiable information was compromised. In a separate incident, a malware attack forced Rialto Unified School District to suspend its virtual classes. The malware was designed to disrupt, damage, and gain unauthorized access to computer systems.
  • In an advisory, Autodesk warned users about a PhysPluginMfx MAXScript exploit that can corrupt 3ds Max settings, run malicious code, and propagate to other MAX files on a Windows system. The malicious code can also harvest passwords saved in web browsers such as Firefox, Google Chrome, and Internet Explorer.
  • The recently discovered DarkSide ransomware claimed its first victim, the North American land developer Brookfield Residential. The operators stole more than 200 GB of data from the firm and published a portion of it to pressure the victim into paying.
  • An ongoing cyberespionage campaign linked to the Lazarus group was found to have been active since 2018. The campaign, which approaches its targets through LinkedIn, has hit businesses in at least 14 countries, including the U.K. and the U.S.

New Threats

Turning to new threats, threat actors were observed refining their evasion techniques to bypass email security tools, using HTML/CSS and Unicode tricks so that a spoofed email passes scanning yet still looks legitimate to the recipient. New details also emerged about two threat actor groups, BeagleBoyz and UltraRank. While BeagleBoyz targeted financial institutions, UltraRank stole credit card details from hundreds of e-commerce sites.

  • A pool of 5,000 malicious apps involved in giveaway scams infected around 65,000 devices with a novel ad fraud botnet. The free gifts used as lures included boots, sneakers, event tickets, coupons, and expensive dental treatments.
  • Owners and administrators of e-commerce sites were warned of attacks exploiting vulnerabilities in the Discount Rules for WooCommerce plugin and were urged to apply the latest plugin update to avoid falling victim.
  • Low-cost Android phones made by the Chinese manufacturer Transsion were found infected with Triada malware, which in turn downloaded a second malware called XHelper.
  • Researchers uncovered a Monero-mining campaign that used fake Malwarebytes installation files. The installers contained a backdoor that loaded the XMRig miner onto victims’ machines.
  • Threat actors were spotted using HTML/CSS and Unicode tricks to bypass email security tools. With these tricks, a malicious email passes scanning and still looks legitimate to the naked eye.
  • Malicious functionality in the iOS version of the MintegralAdSDK was used to run an ad fraud campaign through hundreds of iOS apps. The SDK was distributed through Mintegral’s GitHub repository, the CocoaPods package manager for iOS, and Gradle/Maven for Android.
  • Operators of the Grandoreiro banking trojan targeted Spanish users in an email campaign impersonating the country’s tax agency, Agencia Tributaria. The email included a link to a ZIP archive that supposedly contained a digital tax receipt.
  • An unpatched weakness in Google Drive could be exploited to distribute weaponized files disguised as legitimate documents or images, enabling spearphishing attacks with a high success rate.
  • The newly discovered UltraRank digital skimming group has compromised hundreds of sites to steal credit card data, injecting JavaScript sniffer code into their checkout pages. Separately, a newly identified threat group tracked as TA2719 was found using a variety of lures against users in Europe and the U.S.
  • In a joint advisory, the FBI, U.S. Cyber Command, and CISA warned that the prolific North Korean hacking group known as ‘BeagleBoyz’ had resumed its operations against financial institutions. According to the agencies, the group has attempted to steal $2 billion since at least 2015 and has targeted banks and other financial services in almost 40 countries.
  • Conti ransomware operators joined the growing list of ransomware gangs running their own data leak sites. Conti is reportedly operated by the group behind the Ryuk ransomware.
  • A team of academics from Switzerland discovered a security flaw that can be abused to bypass the PIN on VISA contactless payments, letting a criminal holding a stolen card make fraudulent purchases in the cardholder’s name.
  • A new info-stealing malware named Anubis is being actively distributed in the wild. It borrows code from the Loki malware and is designed to steal system information, credentials, credit card details, and cryptocurrency wallets.
  • SunCrypt ransomware joined the cartel formed by the Maze ransomware gang. The cartel, which already includes LockBit and RagnarLocker, shares information and techniques among its members.
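The HTML/CSS and Unicode evasion item above describes the problem from the defender's side: the text a scanner sees is not the text the recipient sees. The following is an added example, not code from Cyware or from the researchers who reported the campaign, showing how a filter can normalize an HTML body before keyword or brand matching. The specific tricks it handles (CSS-hidden spans, zero-width format characters, full-width forms, Cyrillic lookalike letters) are assumptions about what "HTML/CSS and Unicode tricks" means, since the briefing does not list them; the brand list, the `HIDDEN_STYLE` patterns, the small `CONFUSABLES` map, and the sample message are all constructed for the example.

```python
# Added example (not from the briefing): normalize an HTML email body so that
# text-hiding tricks do not defeat keyword or brand matching. The tricks
# handled (CSS-hidden spans, zero-width characters, confusable letters,
# full-width forms) are assumptions, not details given on the page.
# All sample messages below are constructed.
import re
import unicodedata
from html.parser import HTMLParser

# CSS declarations that make text invisible to the reader but visible to a
# naive scanner. (White-on-white text needs background context; not handled.)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|font-size\s*:\s*0(?![.\d])|visibility\s*:\s*hidden", re.I)
# Tags that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col"}
# Hand-picked Cyrillic lookalikes. Assumption: a real deployment would load the
# full Unicode confusables.txt data instead of this small map.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0455": "s", "\u0501": "d", "\u04bb": "h", "\u043a": "k"}


class VisibleText(HTMLParser):
    """Collect only the text a recipient would actually see."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.hidden_stack = []   # one bool per open element: hidden or not

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = tag in ("script", "style") or bool(HIDDEN_STYLE.search(style))
        self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        # Text is visible only if no enclosing element hides it.
        if not any(self.hidden_stack):
            self.parts.append(data)


def visible_text(html):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def normalize(text):
    """Undo Unicode tricks: drop format characters (zero-width space/joiner,
    soft hyphen and BOM are all category Cf), fold full-width forms with NFKC,
    map confusable letters to ASCII, collapse whitespace, lowercase."""
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    text = unicodedata.normalize("NFKC", text)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return re.sub(r"\s+", " ", text).strip().lower()


DEFAULT_BRANDS = ("paypal", "microsoft", "office 365")   # constructed watch list


def raw_keyword_hits(html, brands=DEFAULT_BRANDS):
    """What a scanner that only lowercases the raw body would find."""
    return sorted(b for b in brands if b in html.lower())


def find_brand_lures(html, brands=DEFAULT_BRANDS):
    """What the same brand list finds after rendering-aware normalization."""
    norm = normalize(visible_text(html))
    return sorted(b for b in brands if b in norm)


# Constructed sample: brand names split by hidden spans, spelled with
# Cyrillic lookalikes, and broken up with a zero-width space.
SAMPLE = (
    "<html><body>"
    '<p>Your <span style="font-size:0px">xq</span>Pay'
    '<span style="display:none">ignore me</span>pal account is limited.</p>'
    "<p>Sign in with your M\u0456cr\u043es\u043eft credentials to restore access.</p>"
    "<p>Contact the O\u200bffice 365 support team.</p>"
    '<div style="visibility:hidden">ordinary newsletter text to pad the scanner</div>'
    "</body></html>"
)

if __name__ == "__main__":
    print("raw scan   :", raw_keyword_hits(SAMPLE))   # []
    print("normalized :", find_brand_lures(SAMPLE))   # ['microsoft', 'office 365', 'paypal']
```

The raw scan finds nothing because every brand name is either interrupted by hidden markup, spelled with non-Latin letters, or split by an invisible character; the normalized scan finds all three. The order of operations matters: format characters are dropped before NFKC so that a zero-width joiner cannot survive normalization, and confusables are mapped after NFKC so that full-width Cyrillic forms are folded first.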

 Tags

grandoreiro banking trojan
revil ransomware
darkside ransomware
valley health systems
physpluginmfx maxscript
ultrarank skimming group
ad fraud botnet
beagleboyz
data3

Posted on: August 28, 2020
