Cyware Weekly Threat Intelligence, July 13 - 17, 2020


The Good

Cybersecurity for remote workers amid the pandemic has become an important requirement. With this need in mind, the U.K.’s National Cyber Security Centre (NCSC) has released a new set of free tools and roleplay exercises to help organizations keep their employees safe while working from home. Additionally, Google Meets has added a Zoom-Bombing protection feature to protect its education customers from unwanted intrusions.

  • The U.K.’s National Cyber Security Centre (NCSC) released a new set of free tools and roleplay exercises to protect remote workers from cyberattacks. The exercises focus on safe access to networks, securing employee collaboration, and managing cyber incidents remotely.
  • The U.S. Secret Service announced the creation of the Cyber Fraud Task Force (CFTF) after a merger between Financial Crime Task Forces (FCTFs) and Electronic Crimes Task Forces (ECTFs). CFTF’s main goal is to investigate and defend American individuals and businesses from a wide range of cyber-enabled financial crimes, BEC scams, and ransomware attacks.
  • Google Meets added a ‘Zoom-Bombing’ prevention feature to protect educators from unwanted intrusion. This will be especially useful for users joining Google Meets video conferences organized through G Suite.

The Bad

Data leaks on various dark web forums grabbed the headlines as hackers dumped data stolen from Wattpad, MGM Hotel Resorts, Bhinneka, and LiveAuctioneers. A U.K. ticketing provider was also affected after its 4.8 million records were sold at a price of $2,500.

  • Reports of spearphishing attacks conducted by Chinese government hackers against the Hong Kong Catholic Church in May 2020 came to light this month. In this operation, malware was delivered as ZIP and RAR archives containing Windows executables.
  • The Hong Kong-based UFO VPN leaked over 20 million user logs due to an unprotected Elasticsearch database. The data included plaintext passwords, IP addresses, session tokens, and device information.
  • MyCastingFile.com leaked private data of over 260,000 individuals owing to an unguarded database. The database contained 1 GB of data, including names, physical addresses, email addresses, phone numbers, and dates of birth of users and some staff members.
  • An unsecured Amazon S3 bucket associated with LPM Property Management leaked more than 31,000 images of users’ passports, driver’s licenses, proof-of-age documents, and more. The bucket was secured after researchers contacted the firm.
  • Around 130 Twitter accounts of major companies and individuals were compromised to promote a bitcoin scam. The accounts belonged to President Barack Obama, Elon Musk, Bill Gates, Kanye West, Michael Bloomberg, and Apple.
  • An unsecured database belonging to Wattpad was put up for sale before it was offered for free on hacker forums. The database contained 270 million user records.
  • A trove of 4.8 million records belonging to a well-known U.K. ticketing provider was put up for sale on the dark web. The data was sold at a price of $2,500 by a user named ‘Jamescarter.’
  • Cybercriminals compromised the British cryptocurrency exchange Cashaa and stole over $3 million in bitcoin. The incident occurred after malicious hackers gained access to one of the exchange’s digital wallets.
  • A hacker was found selling details of more than 142 million MGM hotel guests at a price of over $2,900. The data included names, postal addresses, and email addresses of individuals.
  • A breach at Benefit Recovery Specialists Inc. exposed health details of some 275,000 individuals. The exposed information included names, dates of birth, provider names, policy identification numbers, procedure codes, and diagnosis codes.
  • LiveAuctioneers disclosed a data breach after a broker sold 3.4 million user records on a hacker forum. The data was sold at a price of $2,500.
  • Antwerp-based savings bank Argenta fell victim to a series of ATM jackpotting attacks that forced the ATMs to dispense all of their cash on demand.
  • Personal data of approximately 40,000 U.S. citizens was dumped on the dark web. This included full names, addresses, states, and dates of birth of individuals.
  • Cybercriminals dumped a stolen database of Indonesia’s largest online store, Bhinneka, on a dark marketplace. The database contained over 1.2 million account records with users’ personal information such as full names, addresses, emails, gender, contact numbers, social media IDs, and salted passwords, among other details.
  • Researchers also discovered the records of over 45 million tourists who traveled to Thailand and Malaysia on the dark web. The leaked data included passengers’ ID, full names, mobile numbers, passport details, addresses, and flight details.
  • More than 8,200 databases containing information of billions of users were compromised by a hacker named NightLion. These databases belonged to a data leak monitoring service, DataViper.
  • Hackers infiltrated the IT consultancy giant Collabera and stole some employees’ personal information, such as their names, addresses, contact numbers, social security numbers, dates of birth, employment benefits, and passport details.

New Threats

Among the new threats discovered this week, security researchers revealed that seven ransomware families have expanded their activities by targeting Operational Technology (OT) software. Apart from this, a new Android malware named BlackRock was found to be capable of stealing information from 337 banking, dating, social media, and instant messaging apps.

  • The U.S. ATM maker Diebold Nixdorf is warning banks of a new type of ATM ‘black box’ attack that enables cybercriminals to steal money from ATMs. It is a form of jackpotting attack in which a ‘black box’ device is used to install malware.
  • Researchers uncovered a new variant of Thanos ransomware, which is popularly advertised as a Ransomware-as-a-Service (RaaS) tool on the underground market. The variant encrypts specific files on victims’ systems.
  • A total of seven ransomware families have been found targeting processes associated with Operational Technology (OT) software. The families in question are SNAKE, DoppelPaymer, LockerGoga, Maze, MegaCortex, CLOP, and Nefilim.
  • A fake component masquerading as the legitimate SiteSpeed plugin was found serving malicious advertisements on compromised websites.
  • A new Android malware strain named BlackRock includes a wide range of data theft capabilities that allow it to target 337 Android applications. The malware is based on the leaked source code of Xerxes.
  • Apple macOS users were targeted in a fresh campaign that pilfered cryptocurrency from their wallets. The attack was carried out through trojanized cryptocurrency trading software and applications named Cointrazer, Cupatrade, Licatrade, and Trezarus.
  • Researchers found a new Bazar backdoor malware that exhibits behaviors similar to previous TrickBot campaigns. The malware, which first emerged in April 2020, can be used to deploy additional malware and ransomware and to steal sensitive data from organizations.
  • A new backdoor, dubbed GoldenHelper, that uses a delivery method very similar to that of the GoldenSpy backdoor was found targeting networks of international companies doing business in China.


Posted on: July 17, 2020
