Cyware Weekly Threat Intelligence, December 07 - 11, 2020


The Good

The cyberworld did see some sunshine this week in an otherwise mostly gloomy environment. Although it is not much, it definitely marks a path toward better security measures for organizations and individuals alike.

  • Google security experts open-sourced a fuzzing tool, named Atheris, to help developers find security vulnerabilities and patch them before attackers abuse them. The tool supports Python 2.7, Python 3.3+, and native extensions written for CPython.
  • Apple, Cloudflare, and Fastly co-designed a new DNS standard to address the privacy issues of DNS. The new standard separates client IP addresses from queries to mask requests and make it harder for attackers to track users online.
  • Australia’s National Intelligence Community is planning to build a highly secure private community cloud service able to protect classified data, including top-secret material. The project is led by the Office of National Intelligence, Australia’s top intelligence agency, which has issued a call for expressions of interest.


The Bad

Even with all the positive developments in cybersecurity, there will always be some bad news to dampen moods and efforts. Hackers are still exploiting weaknesses in systems and institutions to pilfer data or cause chaos. This week witnessed SQL databases put up for sale, severe attacks on several big firms, and more COVID-19-related attacks. Cybercriminals are getting more sophisticated in their tactics and techniques, which has become a major cause of headaches.

  • More than 250,000 databases have been compromised in an ongoing ransomware campaign that abuses weak credentials on MySQL servers. The campaign was launched in January and, to date, 83,000 victims have been targeted.
  • An ongoing malware campaign is spreading malware that undermines the security of web browsers, adds malicious extensions, and makes changes to victims’ systems. The malware, dubbed Adrozek, targets Google Chrome, Yandex Browser, Microsoft Edge, and Firefox.
  • Hackers made off with the personal information of 113,000 voters from online voter registration services in Alaska. The data consisted of names, dates of birth, driving license details, party affiliations, the last four digits of social security numbers, and mailing addresses.
  • The Netherlands-based staffing agency Randstad was hit by a cyberattack using the Egregor ransomware, and its IT systems were breached. The hackers published some internal corporate data, including financial reports and legal documents, in an extortion attempt.
  • Embraer, the third-largest airplane maker in the world, was hit by a ransomware attack last month. The RansomExx operators released some of the firm’s files on their data leak site after the company refused to pay the ransom.
  • Electronics giant Foxconn suffered a ransomware attack in which the attackers stole unencrypted files before encrypting the systems. The attack was conducted by the DoppelPaymer ransomware gang, which published the stolen data on its leak site.
  • FireEye announced that it was hacked, allegedly by Russian hackers. The firm stated that the attackers had used “novel tools” to evade security controls and forensics. The attackers made off with red team tools that imitate the capabilities of the most sophisticated threat actors.
  • The European Medicines Agency (EMA) was targeted in a cyberattack in which documents associated with COVID-19 vaccine development were accessed. Pfizer and BioNTech stated that the personal details of trial participants were not stolen and that the attack would not have any adverse effect on the approval timeline.
  • APT28, a Russia-linked cyberespionage gang, has been observed leveraging COVID-19 phishing lures to distribute the Go version of its Zebrocy malware. The lure was delivered as a Virtual Hard Disk (VHD) file that can be opened only on Windows 10.


New Threats

Another day, another new threat. The education sector is still burdened by ransomware attacks, leading to data theft and interruption of distance learning services. In addition, botnets have gained new capabilities and are leaving disruption in their wake. Several new bugs have been identified in different systems that could have dire consequences.

  • The FBI and CISA issued a joint warning about rising ransomware attacks against the K-12 education sector. The five most active ransomware families targeting K-12 schools are Ryuk, REvil, Nefilim, AKO, and Maze.
  • Critical vulnerabilities discovered in D-Link routers make them susceptible to zero-day attacks. The flaws include an unauthenticated remote LAN/WAN root command injection (CVE-2020-25757), an authenticated root command injection (CVE-2020-25759), and an authenticated crontab injection (CVE-2020-25758).
  • An ongoing phishing scam is targeting Ledger wallet users with fake data breach alerts in an attempt to steal cryptocurrency. The emails claim that the user has been affected by a breach and should install the latest version of Ledger Live to protect their assets with a new PIN.
  • A new strain of the RANA Android malware has been discovered that spies on Telegram, WhatsApp, Skype, and other instant messaging platforms. The malware has been linked to the Iranian cyberespionage group APT39 and possesses new surveillance capabilities.
  • A set of 33 vulnerabilities, dubbed Amnesia:33, has been discovered in four open-source TCP/IP stacks. These bugs can be abused for RCE, DoS, information leakage, and DNS cache poisoning attacks.
  • PlayStation Now (PS Now) bugs allowed hackers to run arbitrary code on Windows devices running vulnerable versions of the app. The bugs affect PS Now version 11.0.2 on computers running Windows 7 SP1 or later.
  • Check Point researchers reported a rise in infections caused by the Phorpiex botnet. Infamous for cryptomining and sextortion spam campaigns, the botnet has now been observed spreading the Avaddon ransomware.
  • Scammers are luring victims to fake sites to check the balance on their Target gift cards. While some crooks have gone so far as to build a fake website eerily similar to the legitimate one, others have registered a targetgiftscard[.]com domain.
  • A new Qbot malware strain has switched to a stealthier persistence mechanism that takes advantage of system shutdown and resume messages to establish persistence.
  • Cisco Talos detected two RCE bugs (CVE-2020-7559 and CVE-2020-7560) in Schneider Electric EcoStruxure. These bugs could be abused by sending the target a specially crafted network request or project archive.


Posted on: December 11, 2020
