Cyware Weekly Threat Intelligence, December 14-18, 2020


The Good

It’s true that governments have always faced an uphill battle against cyberattackers. Despite the continuing struggles, governments and federal agencies are putting forward new cybersecurity strategies designed to enhance security across different infrastructures.

  • A new EU Cybersecurity Strategy has been released to bolster Europe’s collective resilience against cyber threats. The strategy is applicable across the electricity grid, banks, planes, public administrations, and hospitals in Europe. 
  • NIST has drafted a set of guidelines for federal agencies on improving the cybersecurity of IoT devices. The four new documents aim to integrate IoT devices into the security and privacy controls of federal information systems.
  • California’s Attorney General has proposed new changes in the California Consumer Privacy Act (CCPA) that will allow consumers to better handle their personal information. 

The Bad

Amid new strategies, the cyber landscape saw a major assault from a Russian hacking group in the form of a sophisticated supply chain attack that impacted several public and private firms. Additionally, ransomware operators continued their campaigns by targeting Habana Labs and Hurtigruten.
    
  • Intel-owned AI processor developer Habana Labs suffered an attack from Pay2Key ransomware that stole business documents and source code images related to the firm. The stolen data also included Windows domain account information, DNS zone information for the domain, and a file listing from its Gerrit development code review system. Norwegian cruise company Hurtigruten also disclosed being targeted in a ransomware attack in which sensitive data was seized and held for ransom.
  • Popular digital media service Spotify suffered a data breach for the third time after it inadvertently exposed the personal information of its business partners. The incident occurred due to a security vulnerability in its system.
  • The week witnessed a massive supply chain attack on SolarWinds’ Orion platform, which was used by several U.S. government agencies and private firms such as Boeing, AT&T, and Ford. To prevent the spread of the attack, researchers from Microsoft and FireEye developed a killswitch for the SUNBURST backdoor that was used widely in the campaign. In another supply chain incident, the Vietnam Government Certification Authority (VGCA) was compromised to distribute Phantom spyware.
  • Cybercriminals breached multiple content management systems to gain access to 22 different websites operated by Lithuania’s public sector. The attackers published articles containing misinformation on the sites. Missouri also came under attack from ransomware operators who disrupted multiple services and systems.
  • California-based Sonoma Valley Hospital notified 67,000 patients about a cyberattack that exposed their personal data. The hospital had shut down systems to prevent the spread of the attack.  
  • Unprotected online storage devices tied to hospitals and medical centers all over the world left 45 million medical scans exposed to the internet. Not only were these scans available online over the past twelve months, but malicious actors had also accessed those servers and planted what appears to be malware.
  • Details of 1.9 million members of the Chinese Communist Party were leaked on a hacking forum in the form of a CSV file. The exposed records included name, sex, organization, hometown, ID, address, mobile number, and education details.  

New Threats

In new threats, the week witnessed the discovery of two new attack techniques, named SocGholish and AIR-FI, that can be leveraged to target a specific set of devices. New spyware and trojans were also leveraged to target different organizations.

  • Researchers devised two attack techniques named SocGholish and AIR-FI. While SocGholish could help criminals impersonate software updates, AIR-FI could enable threat actors to exfiltrate data from air-gapped computers.
  • A new trojan dubbed PyMICROPSIA has been linked to the AridViper threat actor group, which is known for targeting the Middle Eastern region. Its capabilities include persistence and keylogging.
  • Newly discovered Goontact spyware is targeting smartphone users in Asia. The spyware has the ability to collect data such as phone identifiers, contacts, SMS messages, photos, and location information.
  • New variants of AgentTesla, the Gitpaste-12 botnet, and SystemBC were observed in several attack campaigns. These variants were designed to target more devices with additional capabilities.
  • Attackers launched a new ransomware campaign dubbed ‘PLEASE_READ_ME’ targeting MySQL servers. So far, there have been 92 attacks originating from 11 IP addresses. In another incident, threat actors disguised CoderWare ransomware as Windows and Android versions of the Cyberpunk 2077 game to trick users.
  • A new skimmer called Meyhod has been found sitting on the websites of Bosley and the Chicago Architecture Center for several months as part of a Magecart attack.
  • Taking one step up in the extortion process, the DoppelPaymer ransomware gang has started calling victims and threatening to send individuals to their homes if they don’t pay the ransom.  
  • Two malicious RubyGems packages and 28 malicious browser extensions were observed in campaigns used to mine cryptocurrencies and steal users’ data.  
  • Adversaries were found distributing the JsOutProx trojan to target government, monetary, and financial sector organizations in Asia. The campaign was carried out through phishing emails containing a malicious HTA file.


Posted on: December 18, 2020
