
Cyware Weekly Threat Intelligence, February 17-21, 2020


The Good
The week started on a good note, with governments increasing cybersecurity budgets to bolster their countries' critical infrastructure and IT systems. The U.S. administration has requested $9.8 billion for fiscal year 2021 to strengthen the cybersecurity posture of the Department of Defense (DoD), and Singapore has set aside a total of $1 billion over the next three years to build the government's cyber and data security capabilities. Meanwhile, MITRE Engenuity has rolled out its plan to evaluate and validate cybersecurity products against the tactics of the Carbanak gang.

  • The U.S. administration has requested an allocation of $9.8 billion for the Department of Defense's (DoD) cybersecurity operations in fiscal year 2021. Once approved, the budget will be used to enhance DoD's Cyberspace Science & Technology and cloud security programs.
  • A U.S. senator for New York has proposed a Data Protection Act (DPA) aimed at giving consumers more control over their data. The bill would establish an independent data protection agency to oversee data privacy across both the public and private sectors.
  • Singapore has set aside $1 billion over the next three years to build up the government's cyber and data security capabilities, in order to safeguard citizens' data and critical information infrastructure systems.
  • MITRE Engenuity has announced plans to evaluate how effectively security products detect and protect against the techniques of the hacker gang known as the Carbanak group. Also referred to as FIN7, the group is associated with attempts to infiltrate banks and ATM networks.

The Bad
Two major data leaks caused by misconfigured AWS S3 buckets also grabbed the attention of security experts this week. One belonged to the photo app PhotoSquared, the other to the medical imaging firm NextMotion. MGM Resorts was also in the news after 10.6 million of its guest records were posted on an online hacking forum. The records included data on high-profile celebrities and government officials.

  • Over 10.6 million guest records stolen from MGM Resorts were posted on an online hacking forum this week. The compromised records included data on ordinary tourists, celebrities, tech CEOs, government officials, reporters, and employees of tech firms.
  • The popular photo app PhotoSquared leaked around 94.7 GB of data containing over one million records because of a misconfigured S3 bucket. The records dated from November 2016 to January 2020 and included user photos, order records, receipts, and shipping labels.
  • Like PhotoSquared, the medical imaging firm NextMotion suffered a data breach because of an unprotected S3 bucket. The leaky bucket contained approximately 900,000 files, including sensitive patient images and videos and consultation documents.
  • The OurMine hacker group again made headlines this week by hijacking the official Twitter accounts of FC Barcelona and the International Olympic Committee. Last week, the group had hijacked the Twitter and Instagram accounts of both Facebook and Messenger to highlight security lapses on social networking platforms.
  • Public Services and Procurement Canada inadvertently shared the data of more than 69,000 public servants with the wrong recipients. The data included full names, personal record identifier numbers, home addresses, and overpayment amounts of employees.
  • A newly discovered Chinese hacker group, tracked as DRBControl (DRopBox Control), compromised gambling companies in Southeast Asia to steal their databases and source code. Researchers note that the group's operational tactics overlap with the tools and tactics used by Winnti and Emissary Panda.
  • Some IT and email systems at the Denmark-based facilities management company ISS World were crippled by a ransomware attack on February 17, 2020. The firm immediately disabled access to shared IT services across its sites and countries to contain the infection.
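The PhotoSquared and NextMotion incidents above are both the "leaky bucket" pattern: a bucket policy or ACL that lets anyone list and download objects. The following is an added illustration for this digest, not Cyware's code and not taken from either company, showing how to audit the two documents that control that exposure offline. It assumes the JSON shapes returned by `aws s3api get-bucket-policy` (the `Policy` field, a JSON string) and `aws s3api get-bucket-acl`; the sample policies and ACLs, bucket name, account ID and VPC endpoint ID below are all constructed.

```python
"""Flag S3 bucket policies and ACLs that expose a bucket to the public.

Added illustration for this digest (not Cyware's code). It evaluates the
JSON documents returned by `aws s3api get-bucket-policy` and
`aws s3api get-bucket-acl` offline; the sample documents below are
constructed, and the bucket names and account IDs in them are made up.
"""
import json

# The two grantee groups whose presence in an ACL makes a bucket
# world-readable: AllUsers is anonymous, AuthenticatedUsers is any AWS
# account at all, not just accounts in your organisation.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Actions that let an anonymous caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (alone or among other entries)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_doc):
    """Return Sids of Allow statements granting read/list access to anyone.

    Statements carrying a Condition (e.g. aws:SourceVpce) are skipped and
    left for manual review, since the condition may narrow the grant.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl_doc):
    """Return (group, permission) pairs granted to a public group."""
    acl = json.loads(acl_doc) if isinstance(acl_doc, str) else acl_doc
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_ACL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            hits.append((group, grant.get("Permission")))
    return hits


# Constructed sample: a bucket policy of the kind behind "leaky bucket"
# incidents, letting anyone list the bucket and fetch every object.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAndList",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-photo-orders",
                     "arn:aws:s3:::example-photo-orders/*"],
    }],
})

# Constructed sample: access limited to one IAM role, plus an anonymous
# grant scoped to a VPC endpoint, which this check leaves for manual review.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-photo-orders/*"},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-photo-orders/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed sample ACLs: one with an AllUsers READ grant, one owner-only.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    print("leaky policy  ->", public_policy_statements(LEAKY_POLICY))   # ['PublicReadAndList']
    print("scoped policy ->", public_policy_statements(SCOPED_POLICY))  # []
    print("leaky acl     ->", public_acl_grants(LEAKY_ACL))             # [('AllUsers', 'READ')]
    print("private acl   ->", public_acl_grants(PRIVATE_ACL))           # []
```

An ACL `READ` grant to AllUsers is what allows anonymous bucket listing, which is how exposed buckets of this kind are typically found; `s3:GetObject` alone lets someone who already knows a key fetch it. Neither check replaces the account-level S3 Block Public Access setting, which overrides both documents, but the functions are useful for reviewing exported policies from accounts where that setting is not enforced.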

New Threats
Among the new threats observed this week, Adwind returned as version 3.0 to target more than 80 Turkish companies. The infamous BlueKeep flaw, for which a patch has long been available, still affects over 55% of medical imaging devices, including MRI, X-ray, and ultrasound machines. Meanwhile, the Fox Kitten cyber espionage campaign, active for at least three years, has evolved to exploit 1-day vulnerabilities in VPN and RDP services.

  • A three-year-old cyber espionage campaign called Fox Kitten was found to be exploiting 1-day vulnerabilities in VPN and RDP services to attack the critical infrastructure sector. Researchers attributed the attacks to three Iranian groups: APT33 (Elfin, Shamoon), APT34 (OilRig), and APT39 (Chafer).
  • Adwind 3.0, which adds further obfuscation techniques, targeted more than 80 Turkish companies via phishing emails. The variant steals sensitive information from infected computers and sends it to the attackers' C2 server.
  • A new report has revealed that the BlueKeep flaw continues to plague more than 55% of medical imaging devices. The flaw, tracked as CVE-2019-0708, is a pre-authentication remote code execution vulnerability in Remote Desktop Services on older Windows versions (Windows 7, Server 2008 R2, and earlier), and exploitable over RDP wherever the service is exposed and unpatched.
  • A new skimmer implant, probably associated with the Magecart groups, was found in the wild. The attack involved compromising vulnerable e-commerce websites and injecting malicious JavaScript that steals customers' credit card information at checkout.
  • Over 20,000 WordPress sites were found running trojanized versions of premium WordPress themes and plugins that install the WP-VCD malware. The attackers monetize the infected sites by misleading visitors with fraudulent ads.
  • Emotet was observed in a SMiShing campaign that mimicked a bank's mobile banking page. The SMS messages appeared to come from local U.S. numbers and warned recipients that their account had been locked.
  • The AZORult trojan also made a comeback in a campaign that disguised it as fake ProtonVPN installers. Once installed, the trojan collected the infected machine's environment data and sent it to the attackers' C2 server located in Russia.



Posted on: February 21, 2020
