Cyware Weekly Threat Intelligence, February 03-07, 2020

Share Blog post

The Good
So getting ready for another February weekend? Hold on for a moment! Before you set your eyes on to-do lists for this weekend, let's take a quick glance at the major developments that occurred in the cyber ecosystem. NIST unveiled a set of guidelines to protect the integrity of data in the event of ransomware attacks. On the other hand, Japan CERT simplified the detection of Emotet trojan by releasing a utility tool called EmoCheck.  

  • The National Institute of Standards and Technology (NIST) has released a draft that offers updated advice and best practices on how to protect the confidentiality, integrity, and availability of data in enterprises. The draft has been introduced due to the increasing threats from ransomware and other large-scale cyber events.
  • The Office of the Director of National Intelligence (ODNI) has rolled out a new strategy to encourage the private sector in protecting the country from cyber threats. The strategy requires the intelligence community to think of the private sector as a consumer of its threat information.
  • Japan CERT has released a new utility tool called EmoCheck that allows Windows users to check if they are infected with the Emotet trojan. Once installed on a system, the tool will scan for the trojan and if it is found, it will alert the user with the process ID and the location of the malicious file.
  • Apple has come up with a new way to make SMS two-factor authentication (2FA) less susceptible to phishing attacks. This will help dodge phishing websites that fool people into entering their passwords and usernames.

The Bad
Meanwhile, ransomware attacks took a toll on five United States law firms by encrypting their data and demanding a ransom of two Bitcoins from each firm. Two publicly accessible databases, one owned by Pabbly and the other belonging to FutebolCard, exposed millions of sensitive records of their customers, thus endangering the personal data to identity theft and more.

  • Maze hackers group attacked and compromised five United States law firms and demanded two Bitcoin ransoms from each firm. According to data shared by a cybersecurity firm, Maze actors have already started publishing part of the stolen data on two websites.
  • An open and publicly accessible database belonging to an email marketing firm Pabbly exposed nearly 51 million records. The exposed records dated back to 2014 and contained customer names, email addresses, subject lines, email messaging, and internal data. 
  • The city of Racine was hit with a ransomware attack on January 31, 2020. This knocked most of its non-emergency computer services offline. However, tax collection, 911, and public safety systems were unaffected by the attack. 
  • Australian logistics company Toll Group fell victim to a ransomware attack. The firm became aware of it on January 31, 2020, and immediately disabled the relevant systems to prevent the ransomware infection. Over 1000 servers were crippled due to the attack.  
  • Fondren Orthopedic Group notified around 31,000 patients that their medical records may have been damaged in a malware attack. The affected data included names, addresses, telephone numbers, diagnosis and treatment information, and health insurance information of patients. 
  • An S3 bucket owned by FutebolCard leaked 25GB of sensitive data belonging to supporters of a number of Brazilian organizations. The exposed information included names, contact details, dates of birth, marital status, social security numbers, and payment method of fans. Futebol rectified the issue on January 31, 2020, by taking the bucket offline.   

New Threats
Talking about new threats, the week witnessed the emergence of a new variant of AZORult trojan that includes three levels of encryption techniques to bypass email security gateways and avoid detection by client-side antivirus. A new swathe of e-commerce sites compromised by the Magecart group came to notice after researchers found stolen data on opendooorcdn[.]com

  • Camubot, which first appeared in 2018, made its comeback in targeted attacks against Brazil. The first half of the campaign stretched from mid-August to mid-September 2019. Meanwhile, the second half started at the beginning of October and went till November 2019.
  • DoppelPaymer became the latest ransomware to adopt the ‘Name & Shame’ tactic. The ransomware operators are planning to publicly release the stolen data if victim organizations do not pay a ransom demand.
  • Threat actors of the infamous AZORult trojan enhanced the malware capabilities to include three levels of encryption techniques to slip past spam gateways and avoid client-side antivirus detection. The malware variant makes use of phishing emails for propagation.
  • Researchers found a new sample of ransomware family that appends ‘.SaveTheQueen’ extension to encrypted files. The ransomware does not encrypt files that have EXE, DLL, MSI, ISO, SYS, or CAB extensions.
  • Technical details for four older vulnerabilities affecting HiSilicon chips were published by a researcher. The flaws could be exploited by sending a series of commands over TCP port 9530 to vulnerable devices.
  • Five critical vulnerabilities, collectively dubbed as ‘CDPwn’, were found in the Cisco Discovery Protocol (CDP) which could lead to remote code execution and denial of service. The flaw could allow attackers with an existing foothold to remotely take over millions of devices running the protocol.
  • The TA505 threat actor group returned with a change in their tactics to target users. The group leveraged attachments with HTML redirectors in order to deliver Excel documents containing malware.
  • The operators behind the RobbinHood ransomware exploited a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows that is used to terminate antivirus and security software. The purpose behind this is to evade detection.
  • Magecart threat actor group was held responsible for compromising nine more websites apart from sites set for Olympic 2020. Researchers found that the stolen data was sent to an opendooorcdn[.]com website operated by the group.
  • The China-based Winnti group targeted two Hong Kong universities with a new variant of ShadowPad backdoor. The new version is much simpler compared to previously analyzed malware samples used by the group and is likely executed via DLL side loading.
  • Attackers created over 20 phishing websites and 925 malicious files to infect users with malware and steal their sensitive info such as credit card details and personal information.
  • The new Metamorfo banking trojan variant returned with keylogging capabilities to target financial firms. The recent variant is distributed via phishing emails.

 Tags

camubot
robbinhood ransomware
doppelpaymer ransomware
city of racine
azorult trojan

Posted on: February 07, 2020

Get the Weekly Threat Briefing delivered to your email!



More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.



Join Thousands of Other Cyware Followers!