Go to listing page

Cyware Weekly Threat Intelligence, December 23 - 27, 2019

Cyware Weekly Threat Intelligence, December 23 - 27, 2019

Share Blog Post

The Good
Welcome to the most exciting weekend of the year and the final weekly threat intelligence newsletter this year. Let’s begin with the good news for the week. In a new study, researchers discussed a new cryptography method for full secrecy based on One-time pad (Vernam Cypher). Also, CISA unveiled Trusted Internet Connection policy (TIC) 3.0 to help government agencies build secure networks. Further, US Congress cleared the TRACED Act to curb robocall spam menace and it is now headed to the Oval Office.

  • A group of researchers presented a new cryptography method for full secrecy based on One-time pad (Vernam Cypher). The complex time-varying irreversible structures of silicon chips can be used as the one-time key, which cannot be recreated and intercepted as it is never stored anywhere. Also, the method is compatible with the existing optical communication infrastructure.
  • Cybersecurity and Infrastructure Security Agency (CISA) released Trusted Internet Connection policy (TIC) 3.0—a draft set of use cases and other guidance to help government agencies build secure networks. The administration hopes it will give agencies enough flexibility to make sound security decisions for any kind of network, including those just over the horizon.
  • The US Congress passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to fight against spam robocalls. The bill includes penalties of up to $10,000 per incident for robocallers that break the law and it pushes telcos to implement stricter call authentication technologies.

The Bad
The week remained eventful for some organizations where security incidents were reported. The radio network giant Entercom was attacked for the second time since September. In other news, operators of Maze ransomware made 2 GB of stolen data public to prove to the media that they have a lot more than that. Meanwhile, attackers targeted the cryptocurrency project NULS, incurring the development team a loss of $480,000 worth of NULS tokens.

  • The radio network giant Entercom was hit by a cyberattack, forcing some stations to rely on their previously recorded programs. The company also experienced connectivity problems that disabled email communication, access to files, and content for the digital platforms. This is the second time that the network has suffered an attack within a few months. However, the operations were fully restored the next morning.
  • The operators of Maze ransomware publicly released publicly 2GB (of 32 GB) files that were stolen by them during the attack at the city of Pensacola. The crooks had demanded a $1 million ransom to decrypt the locked files. The attackers stated that they released the stolen data to prove to the media that they stole more than just a few files during the attack.
  • The development team behind the cryptocurrency project NULS lost almost $480,000 worth of NULS tokens in a hack. The team reported that more than half a million tokens were liquidated via cryptocurrency exchanges. NULS network participants were later urged to update their node software to the latest version as soon as possible.
  • The personal data of 2,400 Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF) personnel, was potentially affected after systems at ST Logistics were impacted by a malware attack. ST Logistics said attackers sent malicious emails to its employees’ email accounts. No details were given on when the phishing had occurred or for how long.
  • Truckstop.com experienced disruption in its online services following malware attacks on its network. Though the incident did not affect its customer information, it forced customers to look for alternatives right before the Christmas rush. The firm is said to be working on the issue. Truckstop.com is one of the largest neutral freight matching marketplaces in North America and handles about 500,000 loads per day.
  • The Islands restaurant chain and Champagne French Bakery Cafe announced payment card breaches for locations across the U.S. In both cases, attackers used PoS malware to capture card data stored in the magnetic stripe. As per reports, the malware was active between February 18, 2019, and September 27, 2019.
  • Around 260 passengers were left stranded after RavnAir canceled at least a half-dozen flights in Alaska due to a cyberattack on its computer systems. Airlines said operations were expected to be slowed or disrupted for the next week because of the necessity of shutting down the IT network. The airline serves more than 100 communities in Alaska, many of which are not accessible by road.
  • Healthcare startup Lyfebin exposed more than 93,000 medical imaging files stored on its unprotected Amazon Web Services storage bucket. The files were dated between September 2018 and October 2019 and were stored in the DICOM format. The exposed files were X-rays, MRI, and ultrasound scans. Lyfebin secured the data after being warned of the security lapse.

New Threats
Moreover, numerous vulnerabilities and threat campaigns also found their place in the headlines. Right at the top was a flaw in Citrix Application Delivery Controller and Citrix Gateway which imperiled 80,000 corporate LANs at risk. Additionally, a phishing campaign targeting PayPal customers was discovered by security researchers. Also, a researcher managed to exploit a bug in Twitter’s Android app and matched 17 million phone numbers to authentic Twitter user accounts.

  • A critical vulnerability in Citrix Application Delivery Controller and Citrix Gateway put almost 80,000 companies in 158 countries potentially at risk. The bug could allow an attacker to perform arbitrary code execution even without proper authentication. The company had not immediately released a patch but it recommended mitigation techniques that could be implemented until a firmware fix arrives.
  • A vulnerability was discovered in the Twitter app for Android that attackers could have exploited to obtain sensitive information or take control of accounts. A security researcher said he matched 17 million phone numbers to Twitter user accounts by exploiting the flaw. He matched records from users in Israel, Turkey, Iran, Greece, Armenia, France, and Germany until Twitter put a break on his efforts.
  • The dating app Plenty of Fish immediately pushed out a fix for its app after a security researcher revealed that it leaked information that users had set to ‘private’ on their profiles. The leaked information included users’ first names and postal ZIP codes, leading to disclosing people’s home address.
  • A new P2P botnet dubbed Mozi was found infecting Netgear, D-Link, and Huawei routers. The botnet borrows its code from Gafgyt botnet. The attackers wanted to launch DDoS attacks through this. The botnet used telnet and exploits for propagation to new vulnerable devices.
  • Magellan 2.0, a new set of five SQLite vulnerabilities, was seen affecting Chrome versions prior to 79.03945.79. The vulnerabilities were tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753. An attacker could abuse the vulnerability to launch remote code execution, leak program data, or cause a program to crash.
  • A new phishing campaign impersonating the Royal Bank of Canada (RBC) was observed by security researchers. The attack involved sending legitimate-looking emails containing a PDF attachment to multiple organizations and individuals in Canada. The purpose of the campaign was to harvest victims’ RBC express credentials. The attackers behind this were reportedly able to run a large-scale operation and remain under the radar for a long time.
  • Researchers identified a phishing campaign targeting PayPal customers with emails camouflaged as ‘unusual activity’ alerts warning them of suspicious logins. The phishers scared the potential victims with limited account access and that they need to secure it by confirming their identity. People clicking on the link in the email were being redirected to a PayPal phishing login page to enter their details.
  • A critical vulnerability in Cisco’s Appliance Adaptive Security (ASA) and Firepower was being widely exploited by attackers. The vulnerability, tracked as CVE-2018-0296, enabled unauthenticated, remote attackers to view sensitive system information. While Cisco was planning to disclose the details, attackers were aiming at causing a DoS condition.
  • A zero-day vulnerability existed in Dropbox for Windows allowing attackers to gain permission reserved to SYSTEM, the most privileged account on the operating system. The flaw affected the standard Dropbox installations. Dropbox didn’t release a new version but pushed a temporary solution which is freely available in the form of a micro patch.


magellan 20 vulnerability
entercom radio network
maze ransomware
traced act

Posted on: December 27, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.