
Cyware Weekly Threat Intelligence, July 22-26, 2019



The Good

As we gear up for a new weekend, let’s quickly glance through all that happened in cyberspace over the week. Before delving into the security incidents and new threats, let’s first look at the positive developments. The National Security Agency (NSA) announced plans to establish a new cybersecurity division that will help defend the US against foreign cyber threats. JPMorgan Chase researchers presented a paper describing how AI and deep learning help detect and neutralize malware. Meanwhile, Microsoft is updating its Office 365 Threat Explorer with enhanced manual threat hunting features.

  • The National Security Agency (NSA) announced plans to establish a new cybersecurity division, the ‘Cybersecurity Directorate’, to help the US defend against foreign cyber threats. The directorate is meant to improve how the agency shares threat information with its customers so they are better equipped to defend themselves. It is scheduled to become operational on October 1, 2019.
  • JPMorgan Chase is integrating artificial intelligence (AI) into its internal security systems to prevent malware infections. In a research paper, JPMorgan researchers describe how AI and deep learning help detect and neutralize malware that an employee may have accidentally installed on a workstation, and how the same models can block web-browser links that redirect to a malware landing page.
  • Microsoft is updating its Office 365 Threat Explorer with enhanced manual threat hunting features, expected to roll out to all environments in August 2019. The new features allow Office 365 admins to preview and download malicious emails for further analysis, view an email timeline, distinguish multiple events triggered by the same malicious email, and more.
  • Romania and Israel signed an agreement to cooperate on cybersecurity research and development, strengthening security in both nations. Romanian Prime Minister Viorica Dancila said the two countries will work together to protect their organizations, institutions, and citizens.

The Bad

Several data breaches and security incidents came to light this week. A Chinese cyberespionage group targeted several German firms, including BASF, Siemens, and Henkel, with the Winnti malware. An unprotected database belonging to YouHodler exposed over 86 million user records. Last but not least, American Esoteric Laboratories, Laboratory Medicine Consultants, Austin Pathology Associates, South Texas Dermatopathology, and Pathology Solutions disclosed data breaches stemming from the AMCA incident.

  • A Chinese cyberespionage group targeted several German firms, including BASF, Siemens, and Henkel, with the Winnti malware. Beyond the German firms, Roche, Marriott, Lion Air, Sumitomo Corporation, and Shin-Etsu Chemical were also targeted by the group.
  • A hacker group calling itself ‘0v1ru$’ breached SyTech, a contractor for the Russian Federal Security Service (FSB), and stole information about internal projects. The contractor had worked for FSB unit 71330 and with fellow contractor Quantum since 2009. The exposed projects include Nautilus, Nautilus-S, Reward, Mentor, Hope, and Tax-3.
  • A hacker using the handle ‘tomholland’ gained access to the private data of almost 200,000 users of the Taiwan-based job site ‘1111 Job Bank’ and leaked it on the US hacking forum ‘RaidForums’. The leaked information includes job applicants’ ID card numbers, full names, dates of birth, email addresses, phone numbers, mailing addresses, and work history.
  • Attackers hijacked the official Twitter account of the UK’s Metropolitan Police Service (MPS) and posted a series of tweets calling for the release of a jailed British rapper. Strange messages also appeared in the news section of the MPS website. Upon discovery, MPS removed the unauthorized messages from both Twitter and its news page.
  • American Esoteric Laboratories, Laboratory Medicine Consultants, Austin Pathology Associates, South Texas Dermatopathology, and Pathology Solutions notified their patients of a data breach caused by the American Medical Collection Agency (AMCA) incident.
  • Swedish cryptocurrency exchange QuickBit exposed customer data after a MongoDB database was left publicly accessible without any authentication. The unsecured database held roughly 300,000 records, which QuickBit said correspond to approximately 2% of its customers. The exposed information includes customers’ names, addresses, email addresses, and credit card information.
  • The University of Hawaii suffered a data breach compromising the personal information of around 70,000 public school students after a third party gained unauthorized access to one of its servers. The compromised information includes student names, dates of birth, gender, race, ethnicity, addresses, grade level, courses taken and grades, CGPA scores, and proficiency levels.
  • Graduation Alliance suffered a data breach compromising the personal information of thousands of public school students from Tennessee after an unauthorized third party gained access to its servers. The compromised information includes students’ names, dates of birth, gender, and ethnicity, and ACT scores for a subset of students. No Social Security numbers or addresses were compromised.
  • An unsecured database belonging to YouHodler exposed over 86 million records of user data, including names, dates of birth, email addresses, physical addresses, phone numbers, passport numbers, passwords, credit card numbers, CVV numbers, bank details, and crypto wallet addresses. YouHodler acknowledged the leak and secured the database by restricting public access.
  • City Power, an electricity provider owned by the city of Johannesburg, suffered a ransomware attack. The infection encrypted the company’s databases, systems, applications, internal network, and official website, and left some customers unable to buy electricity units through the company’s prepaid vending system.
  • Security researchers from Data Group uncovered an unprotected server holding 250GB of data that was publicly accessible without any authentication. The server contained sensitive information on clients of several local banks; although it was linked to more than one bank, most of the exposed details related to Banco Pan.


New Threats

This week also saw several new malware strains and vulnerabilities. BSI, the German national cybersecurity authority, warned of a malspam campaign distributing the Sodinokibi ransomware. A critical vulnerability was disclosed in Palo Alto Networks’ GlobalProtect SSL VPN software that allows unauthenticated attackers to execute arbitrary code. Meanwhile, new details emerged about NSO Group’s Pegasus spyware.

  • BSI, the German national cybersecurity authority, warned of a malspam campaign distributing the Sodinokibi ransomware. The mails are sent from meldung@bis-bund[.]org, a lookalike of the agency’s genuine bsi.bund.de domain, and carry the subject line “Warnmeldung kompromittierter Benutzerdaten” (“Warning: compromised user data”). Once launched, the ransomware encrypts the victim’s files, appending a unique extension, and demands a ransom of between $2,500 and $5,000.
  • Researchers analyzed a sample of the MegaCortex ransomware, which targets enterprises. The attackers first gain access to a target network and then compromise the Windows domain controller. After encrypting the compromised workstations, the ransomware demands a ransom ranging from 2-3 BTC up to 600 BTC.
  • Emsisoft released a free decryption tool for the LooCipher ransomware. The decryptor was created by security researcher Michael Gillespie with assistance from fellow researcher Francesco Muroni, and lets LooCipher victims recover their files without paying the ransom.
  • A critical remote code execution vulnerability, tracked as CVE-2019-1579, was disclosed in the GlobalProtect portal and GlobalProtect Gateway components of Palo Alto Networks’ PAN-OS. The flaw can be exploited by an unauthenticated remote attacker to execute arbitrary code on the VPN appliance, and researchers found exposed, vulnerable instances at large organizations, including ride-sharing platform Uber. Affected releases are PAN-OS 7.1.18 and earlier, 8.0.11-h1 and earlier, and 8.1.2 and earlier; the fix ships in 7.1.19, 8.0.12, and 8.1.3.
  • Security researchers uncovered that the Chinese threat actor group APT15 had been using a backdoor called Okrum for over two years. The backdoor can download and upload files, execute binaries, run shell commands, update itself, and more. Okrum was also used to deliver the Ketrican malware.
  • An ongoing campaign is distributing the BillGates/Setag backdoor through a multistage attack against unsecured, internet-exposed Elasticsearch instances. The backdoor turns the compromised host into a botnet zombie for DDoS attacks; Setag can hijack the system, deters debugging, and replaces system tools on the infected machine.
  • Researchers observed an ongoing malvertising campaign that abuses a stored cross-site scripting (XSS) vulnerability in the Coming Soon Page & Maintenance Mode WordPress plugin. Compromised sites display unwanted popup ads and redirect visitors to malicious landing pages, including tech support scams, malicious APKs, and pharmaceutical ads.
  • Newly reported details on NSO Group’s Pegasus spyware indicate the tool can copy authentication tokens from an infected phone and use them to access cloud services such as Google Drive or iCloud, scraping a target’s data from the servers of Apple, Google, Amazon, Facebook, and Microsoft.
  • Security researchers uncovered a new variant of the Watchbog malware that targets Jira and Exim servers by exploiting remote code execution vulnerabilities in both (CVE-2019-11581 in Jira and CVE-2019-10149 in Exim). Infected servers are added to a botnet used to mine Monero.
  • Researchers spotted the Monokle trojan using new techniques to exfiltrate data. It currently targets Android devices, though researchers have found samples targeting iOS. Its capabilities include keylogging, capturing photos and videos, and retrieving the history of apps including web browsers, social media services, and messengers.
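The BSI warning above gives two concrete indicators (the spoofed sender address and the German subject line). The following is an added example, not code from Cyware or from BSI, showing how to turn those indicators into a mail-header check. It assumes the agency’s genuine domain is bsi.bund.de and generalizes the sender check to any domain that borrows the “bsi”/“bund” brand tokens; the sample messages are constructed, not real captures.

```python
"""Flag mails matching the BSI-published Sodinokibi malspam indicators."""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Indicators quoted in the BSI warning: the sending address and the subject line.
IOC_SENDER = "meldung@bis-bund.org"
IOC_SUBJECT = "Warnmeldung kompromittierter Benutzerdaten"

# Assumption for the lookalike check: the agency's genuine mail domain.
LEGIT_DOMAIN = "bsi.bund.de"
BRAND_TOKENS = ("bsi", "bund")


def decode_hdr(value):
    """Return a header as plain text, undoing RFC 2047 encoded-words
    (subjects are often sent as =?utf-8?q?...?= to dodge naive string matches)."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def sender_is_lookalike(domain):
    """True when a domain borrows the agency's brand tokens but is neither the
    genuine domain nor one of its subdomains (bis-bund.org is the campaign's)."""
    if not domain or domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return False
    squashed = domain.replace("-", "").replace(".", "")
    return any(token in squashed for token in BRAND_TOKENS)


def classify(raw_message):
    """Return the reasons a message matches the campaign; an empty list means clean."""
    msg = message_from_string(raw_message)
    _display, addr = parseaddr(decode_hdr(msg.get("From")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    subject = decode_hdr(msg.get("Subject"))

    reasons = []
    if addr == IOC_SENDER:
        reasons.append("From address matches the published IOC")
    if IOC_SUBJECT.casefold() in subject.casefold():
        reasons.append("Subject matches the published IOC")
    if sender_is_lookalike(domain):
        reasons.append(f"sender domain {domain!r} impersonates {LEGIT_DOMAIN}")
    return reasons


# Constructed sample messages (not real captures); only the headers matter here.
SAMPLES = {
    "malspam": (
        "From: Bundesamt fuer Sicherheit in der Informationstechnik <meldung@bis-bund.org>\n"
        "To: victim@example.de\n"
        "Subject: =?utf-8?q?Warnmeldung_kompromittierter_Benutzerdaten?=\n"
        "\n"
        "Ihre Benutzerdaten wurden kompromittiert. Details im Anhang.\n"
    ),
    "legit": (
        "From: BSI Presse <presse@bsi.bund.de>\n"
        "To: victim@example.de\n"
        "Subject: Newsletter Juli 2019\n"
        "\n"
        "Guten Tag.\n"
    ),
    "unrelated": (
        "From: billing@example.com\n"
        "To: victim@example.de\n"
        "Subject: Invoice 4711\n"
        "\n"
        "See attached.\n"
    ),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw) or 'clean'}")
```

The sender and subject checks are exact IOC matches and will go stale as soon as the operators rotate infrastructure; the lookalike check is the part worth keeping, and it deliberately whitelists subdomains of the genuine domain so legitimate mail from the agency is not flagged.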

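For the GlobalProtect bug (CVE-2019-1579) above, the practical question is which firewalls in an estate are still on an affected release. The following is an added example, not Palo Alto Networks’ or Cyware’s code, that triages a version inventory against the fixed releases named in the vendor advisory (7.1.19, 8.0.12, 8.1.3). It assumes an inventory of (hostname, PAN-OS version, GlobalProtect enabled) tuples; the hostnames and versions are constructed.

```python
"""Triage a PAN-OS inventory against the CVE-2019-1579 fixed releases."""
import re
from typing import NamedTuple

# Fixed releases from the Palo Alto Networks advisory (PAN-SA-2019-0020):
# 7.1.19, 8.0.12 and 8.1.3. Anything earlier on those branches is affected,
# including hotfixes of an affected release (8.0.11-h1); branches not listed,
# such as 9.0, are not affected.
FIXED_IN = {(7, 1): 19, (8, 0): 12, (8, 1): 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int


def parse_version(text):
    """Parse '8.0.11-h1' style strings; reject anything else loudly rather
    than silently treating an unparseable entry as safe."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return Version(int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(text):
    """True when the release is on an affected branch and below its fixed patch."""
    v = parse_version(text)
    fixed_patch = FIXED_IN.get((v.major, v.minor))
    if fixed_patch is None:
        return False
    # A hotfix never changes the base release, so 8.0.11-h1 is still < 8.0.12.
    return v.patch < fixed_patch


def triage(inventory):
    """inventory: iterable of (hostname, version, globalprotect_enabled).

    Returns (patch_now, patch_later): hosts exposing the vulnerable component
    and vulnerable hosts with GlobalProtect disabled, which are not reachable
    through this bug today but will be the moment someone enables the portal."""
    patch_now, patch_later = [], []
    for host, version, gp_enabled in inventory:
        if is_vulnerable(version):
            (patch_now if gp_enabled else patch_later).append(host)
    return patch_now, patch_later


# Constructed inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "8.1.2", True),
    ("fw-edge-2", "8.1.3", True),
    ("fw-edge-3", "8.0.11-h1", True),
    ("fw-lab-1", "7.1.18", False),
    ("fw-dc-1", "9.0.3", True),
]

if __name__ == "__main__":
    now, later = triage(SAMPLE_INVENTORY)
    print("exposed and vulnerable:", now)
    print("vulnerable, GlobalProtect disabled:", later)
```

A version check is a planning aid, not proof of exposure either way: confirm on each device whether a GlobalProtect portal or gateway is actually configured on an internet-facing interface, and treat an unparseable version string as a finding rather than a pass.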
Tags

okrum backdoor
monokle trojan
sodinokibi ransomware
pegasus spyware
loocipher ransomware
setag backdoor
watchbog malware
megacortex ransomware

Posted on: July 26, 2019

