Cyware Weekly Threat Intelligence, June 01 - 05, 2020


The Good

With another week coming to an end, let’s take a quick glance at the positive developments that happened this week. The Cybersecurity and Infrastructure Security Agency (CISA) announced two initiatives to strengthen the cyber ecosystem of government agencies. One is the release of six Cyber Essentials toolkits intended to raise the level of security awareness among organizations. The other is a new Domain Name System (DNS) resolver service that will improve the resiliency of federal agencies’ online systems.

  • As a follow-up to the November 2019 announcement of Cyber Essentials, the DHS’ CISA has released the first set of Cyber Essentials toolkits to address cybersecurity risks in government agencies and small businesses. It consists of six toolkits that are aimed at developing security awareness, protecting critical assets, and more.   
  • The CISA has also planned to roll out a new Domain Name System (DNS) resolver service to ensure online systems are resilient. The service will also enable CISA to gain insights into active cyber threats to analyze and protect federal agencies.
  • A group of academics has developed a prototype of security and privacy labels for IoT devices to increase cybersecurity awareness among users. The labels have been created after consulting a diverse group of privacy and security experts. 
 
The Bad

Meanwhile, ransomware attacks continued to be a major concern for several organizations as attackers stole sensitive files and threatened to leak them online. Some of the victim organizations include the University of California San Francisco (UCSF), Digital Management Inc., and Westech International.

  • Maze ransomware operators wreaked havoc on Westech International, a US military nuclear missile contractor. After gaining access to the company’s network, the attackers stole company emails, payroll data, and some personal information.
  • The Netwalker ransomware operators successfully attacked UCSF and exfiltrated sensitive data before encrypting the computers. The compromised data includes student applications with Social Security numbers, employee information, medical studies, and financial details.
  • The San Francisco Employees’ Retirement System (SFERS) suffered a data breach that affected the information of nearly 74,000 members. The incident occurred after hackers gained unauthorized access to a database hosted in a test environment.
  • Attackers carried out a large-scale campaign between May 29 and May 31, 2020, attempting to harvest database credentials from 1.3 million WordPress sites by downloading their wp-config.php configuration files, which store the database host, username, and password in plaintext.
  • Coincheck cryptocurrency exchange was hit in a cyberattack after hackers gained access to some emails sent by customers. These emails included names, dates of births, and phone numbers of customers.
  • The DoppelPaymer ransomware gang allegedly breached the network of Digital Management Inc. To support the claim, the gang posted 20 archive files on its dark web leak portal.
  • Spanish e-Learning platform, 8Belts, exposed private details of at least 100,000 e-learners due to a misconfigured Amazon S3 bucket. The bucket contained identity numbers, full names, email IDs, and contact information of users.
  • The Sodinokibi ransomware operators leaked files allegedly stolen from the UK power grid company Elexon after the ransom was not paid. The firm was attacked in May 2020.
  • U.S. passenger railroad service Amtrak notified customers that some of their personal data may have been compromised as a result of unauthorized access to Guest Rewards accounts. These accounts contained names, email addresses, phone numbers, billing addresses, and mailing addresses of customers.
  • Joomla reported a data breach after a team member left a backup of the JRD portal exposed on an Amazon S3 bucket. The backup file included details of around 2,700 users who registered and created profiles on the JRD website.
  • A hacker going by the name KingNull uploaded a database belonging to Daniel’s Hosting (DH) to a file-sharing portal. The leaked data included 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion domains.
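
The WordPress campaign above works only if a site can be made to serve its wp-config.php, so the first thing a site owner should check is the web server access log. The script below is an added example written for this briefing, not code from Cyware or from the Wordfence report on the campaign: it parses Apache combined-format log lines, decodes percent-encoding (twice, because scanners sometimes double-encode traversal sequences), flags any request that names wp-config.php, and marks a 200 response as an exposure that warrants rotating the database credentials. The log lines, the plugin path and the `file=` parameter are constructed placeholders, not traffic from the actual attack.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format log lines for illustration (not real traffic).
# The plugin path "example-downloader" and its "file" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:11:02:13 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:11:02:14 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=../../../wp-config.php HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
198.51.100.9 - - [30/May/2020:11:03:01 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 512 "-" "curl/7.68.0"
192.0.2.44 - - [30/May/2020:11:05:40 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.44 - - [30/May/2020:11:05:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)


def decode_target(target: str) -> str:
    # Decode percent-encoding twice: a double-encoded "..%252F" survives a
    # single decode as "..%2F" and would slip past a naive substring check.
    return unquote(unquote(target)).lower()


def analyze(log_text: str) -> list:
    """Return one finding per request that references wp-config.php."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        target = decode_target(m.group("target"))
        if "wp-config.php" not in target:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": status,
            "traversal": "../" in target,
            # A 200 means the server most likely returned the file's contents:
            # treat the DB_USER/DB_PASSWORD in it as compromised and rotate them.
            "severity": "exposed" if status == 200 else "attempt",
        })
    return findings


def attempts_by_ip(findings: list) -> Counter:
    """Count flagged requests per source IP, useful for blocking or reporting."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['target']}")
    print(attempts_by_ip(results))
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").read())`. Only the 200 response is an exposure; the 403 and 404 lines are attempts, but the same source IP probing several paths within seconds is the pattern to alert on.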

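Both the 8Belts and the Joomla incidents above come down to an S3 bucket that anyone on the internet could read. The checker below is an added example written for this briefing, not code from Cyware, 8Belts, Joomla or AWS: it inspects a bucket policy and a bucket ACL of the shape returned by `aws s3api get-bucket-policy` and `get-bucket-acl`, reports Allow statements whose principal is `*` and ACL grants to the AllUsers or AuthenticatedUsers groups, and shows a weak policy beside a corrected one. The bucket name, account ID and role name are placeholders.

```python
import json

# Canned group URIs that make an ACL grant world-readable.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed weak policy: a backup bucket readable and listable by anyone.
# Bucket name and account ID are placeholders.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead",
     "Effect": "Allow",
     "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}
  ]
}""")

# Corrected policy: access limited to one IAM role, plus a deny on plaintext HTTP.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupRoleOnly",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DenyInsecureTransport",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

# Constructed ACL (shape of get-bucket-acl output) that grants READ to everyone.
WEAK_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy: dict) -> dict:
    """Sids of Allow statements open to any principal.

    A statement that also carries a Condition goes under "review" rather than
    "public": keys such as aws:SourceVpc or aws:PrincipalOrgID may scope it,
    and only a human can tell whether the condition is actually restrictive.
    """
    result = {"public": [], "review": []}
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement-{i}")
        result["review" if st.get("Condition") else "public"].append(sid)
    return result


def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], g.get("Permission")))
    return out


def audit_bucket(policy: dict, acl: dict) -> dict:
    return {"policy": public_statements(policy), "acl": public_acl_grants(acl)}


if __name__ == "__main__":
    print("weak:    ", audit_bucket(WEAK_POLICY, WEAK_ACL))
    print("hardened:", audit_bucket(HARDENED_POLICY, {"Grants": []}))
```

Note that `get-bucket-policy` wraps the policy in a JSON string under the `Policy` key, so feed `json.loads(output["Policy"])` to `public_statements`. This check catches the two grant mechanisms that made these backups readable, but the durable fix is to enable S3 Block Public Access at the account level so that a stray `*` principal or AllUsers grant is refused outright.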
New Threats

Talking about new threats, security researchers discovered a new BazarBackdoor malware operated by the gang behind the TrickBot trojan. Another new malware, dubbed USBCulprit, associated with the Cycldek APT group was also found stealing data from air-gapped systems.

  • An attack campaign that distributed malicious LNK files between May 12 and May 31, is believed to be associated with the Higaisa APT group. These files were disguised as CV and International English Language Testing System (IELTS) exam results to trick users.
  • Google removed two barcode reader apps - Barcode Reader and QR & Barcode Scanner - from its Play Store after they started showing unusual behavior. The apps requested ads at 15-minute intervals, causing affected phones to crash.
  • A new ransomware strain named Tycoon was found targeting Windows and Linux systems in a recent campaign. It deployed a trojanized Java Runtime Environment to hide its malicious intentions. The malware is distributed via insecure internet-facing RDP servers.
  • Three fake iOS VPNs - Beetle VPN, Buckler VPN, and Hat VPN Pro - which have been downloaded millions of times, tricked users into paying high subscription fees without actually providing the advertised service.
  • Researchers came across a new malware, dubbed USBCulprit, that spreads via removable USB drives and can therefore reach air-gapped systems. The malware is linked with the Cycldek APT group.
  • Threat actors used Excel 4.0 (XLM) macros to deliver the Ursnif trojan in a cyberespionage campaign. Because many security products inspect VBA macros but not the older XLM macro sheets, this let the attackers hide the trojan while continuing with their infection process.
  • TrickBot operators used a new BazarBackdoor malware to gain full access to targeted networks. The newly discovered malware was distributed via spearphishing emails that leveraged employee termination notices, customer complaints, and other themes to trick recipients. 
  • Researchers discovered a new attack technique, called DABANGG, that improves the reliability of cache-timing side channels used by attacks such as Spectre.
  • Ransomware gangs are teaming up to extort victims through a shared data leak platform. As part of this initiative, the Maze ransomware operators published the data stolen by LockBit ransomware gang on their site.
  • The Sodinokibi ransomware gang launched an auction site to sell data stolen from different organizations. The first auction was held for data stolen from a Canadian agricultural company.
  • Cybercriminals took advantage of the massive uptick in unemployment across the U.S. to target users with ZLoader malware in a phishing campaign. The malware was distributed via malicious files masquerading as resumes and CVs.

 Tags

usbculprit malware
hat vpn pro
tycoon ransomware
ursnif trojan
sodinokibi ransomware
bazarbackdoor malware
zloader malware

Posted on: June 05, 2020
