Cyware Weekly Threat Intelligence, June 15 - 19, 2020


The Good

Maintaining security across payment systems is an utmost priority for all entities that store, process, or transmit cardholder data. Following the spike in attacks against Point of Sale (PoS) systems, the PCI Security Standards Council (SSC) has released a new set of security requirements to protect cardholders’ data from being compromised during transactions. Furthermore, the Advertising Standards Authority (ASA) and the Internet Advertising Bureau (IAB) have set up a new scam ad alert tool to protect online users from ad fraud.

  • The PCI Security Standards Council (SSC) has updated the PCI PTS POI Modular Requirements to enable stronger protections for cardholder data. This will enhance security controls to defend against physical tampering and malware attacks that can compromise card data during payment transactions.
  • The Advertising Standards Authority (ASA) and the Internet Advertising Bureau (IAB) have set up a new scam ad alert tool with support from digital ad platforms and tech giants. The tool will help protect UK citizens from online ad fraud.
  • The British government will invest £10 million in the next four years to develop groundbreaking cybersecurity technologies. The declared sum, which is a part of the government’s ‘Digital Security by Design’ program, will be distributed among nine research teams.
  • Google revealed that it is relying on artificial intelligence to combat coronavirus-related threats in the UK, India, and Brazil. The firm has incorporated Safe Browsing protection into Google Search, Chrome, Gmail, and Android to block such threats automatically.
  • Intel unveiled a new security feature, Control-Flow Enforcement Technology (CET), for devices that will use the company’s upcoming Tiger Lake mobile processors. The feature will help prevent malware attacks that rely on Return Oriented Programming (ROP), Jump Oriented Programming (JOP), or Call Oriented Programming (COP).


The Bad

Multiple data leaks due to misconfigured AWS S3 buckets caught the attention of security experts this week. In one incident, Ariix Italia exposed more than 36,000 documents of Italian citizens, while some eight dating apps leaked 845 GB of private information on the internet. Separately, Delivery Hero confirmed a data breach of its Foodora brand, affecting the personal details of 727,000 accounts.

  • Attackers hijacked an Oxford University email server to send phishing emails to harvest Microsoft Office 365 credentials from European, Asian, and Middle Eastern targets. The attackers also made use of an Adobe server hosted on Samsung’s domain.
  • Delivery Hero disclosed a data breach of its Foodora brand. The incident affected users across 14 countries, including personal details of 727,000 accounts.
  • PostBank replaced 12 million cards for its customers due to a security breach that took place in December 2018. Rogue employees of the firm had stolen the 36-digit master key to withdraw more than $3.2 million in fraudulent transactions.
  • Ransomware attackers hacked the computer systems of the City of Keizer, Oregon. They demanded a ransom of $48,000 from the city for the retrieval of stolen data.
  • IT services giant, Cognizant, revealed that Maze ransomware operators pilfered a limited amount of data from its systems. This included social security numbers, driver’s license numbers, tax IDs, and passport numbers of employees.
  • Amazon’s AWS Shield service mitigated the largest-ever DDoS attack, which occurred in mid-February this year. The attack peaked at 2.3 Tbps.
  • An unsecured Amazon S3 bucket belonging to Ariix Italia had leaked more than 36,000 documents of Italian citizens. The exposed documents included scans of national IDs, credit cards, and health insurance cards. The bucket also contained full names, addresses, and signatures of individuals.
  • DraftKings disclosed that its partner SBTech was affected in a ransomware attack during their merger. This had affected the company’s sports betting and iGaming services.
  • MaxLinear Inc. was hit by Maze ransomware this week. Following the attack, the hackers released some proprietary information about the company online. The threat actor group is also behind an attack on a Puerto Rico-based management firm, CSA group.
  • The UK National Health Service (NHS) confirmed that some 113 internal email accounts were compromised to send malicious spam messages outside the organization. The emails sent from the breached accounts included a link to a fake NHS login page.
  • Several websites belonging to different Australian financial institutions, law firms, and entertainment companies were put up for sale on the MagBo underground forum. Access to these websites was sold at prices of up to $10,000.
  • Web skimmer code was used against Intersport, Claire’s, and Icing in an attempt to harvest credit card details from customers. The malicious code was planted on the checkout pages of the targeted websites.
  • A misconfigured AWS S3 bucket had leaked 845 GB of data belonging to different dating apps. The affected apps include 3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, SugarD, GHunt, and Herpes Dating.
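Both S3 leaks above come down to a bucket whose policy or ACL grants access to everyone. The script below is an added example (not Cyware's code and not tied to any of the incidents described) that audits a bucket policy document and an ACL, in the JSON shapes the AWS GetBucketPolicy and GetBucketAcl calls return, for grants to the public. The policy and ACL it inspects are constructed samples embedded inline, so it runs offline with no AWS credentials; in a real audit you would feed it the documents fetched per bucket and also confirm that S3 Block Public Access is enabled at the account level.

```python
"""Offline audit of an S3 bucket policy and ACL for public exposure.

Added example (not Cyware's code). The policy and ACL documents below are
constructed samples in the shapes returned by the AWS API (GetBucketPolicy /
GetBucketAcl); no AWS credentials or network access are needed.
"""
import json

# Predefined S3 groups that mean "anyone" (AllUsers) or "anyone with any
# AWS account" (AuthenticatedUsers); both count as public exposure.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    # IAM policy fields may be a single string/dict or a list of them
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy_doc):
    """Return Allow statements that grant S3 actions to everyone.

    Each finding records the Sid, the S3 actions granted and whether the
    statement carries a Condition block, which may narrow the grant (for
    example to a VPC endpoint) and therefore needs a human look.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a.lower().startswith("s3:") or a == "*"]
        if not actions:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


# Constructed sample policy: one public read/list statement plus a scoped
# write statement for a single IAM role (fictitious account id).
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"]},
    {"Sid": "OwnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-docs/*"}
  ]
}"""

# Constructed sample ACL: owner has full control, AllUsers has READ.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in public_policy_statements(SAMPLE_POLICY):
        note = " (has Condition, review manually)" if f["conditional"] else ""
        print(f"policy statement {f['sid']} allows {f['actions']} to everyone{note}")
    for group, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {group}")
```

Run against the samples, the script reports the `PublicRead` statement and the `READ` grant to `AllUsers`; the scoped `OwnerWrite` statement and the owner's own grant are not flagged. Deny statements are skipped on purpose, since a public Deny reduces exposure rather than creating it.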

New Threats

Coming to new threats, a set of 19 vulnerabilities, collectively known as Ripple20, was found affecting a TCP/IP software library developed by Treck Inc. These flaws can be exploited to pilfer data from millions of IoT devices. Additionally, new versions of the Shlayer Mac malware and the IcedID trojan, capable of sneaking past security solutions more efficiently, were also uncovered this week.

  • The Ginp mobile malware, which is well-known for targeting banking customers in Spain, Poland, and the United Kingdom, expanded its attack campaign to Turkey. Researchers found several fake web pages, mimicking banks in Turkey, designed to distribute the malware.
  • Researchers tracked a new cyberespionage campaign associated with the infamous Lazarus group. Codenamed as Operation In(ter)ception, the campaign was carried out via LinkedIn to target personnel at European aerospace and military organizations.
  • Google removed 106 malicious Chrome extensions that were involved in collecting user keystrokes, clipboard content, cookies, and more. The primary connection between all the extensions was that they sent user data back to domains registered through the GalComm domain registrar.
  • Shlayer Mac malware returned with a new variant that sneaked past security solutions by purporting to be an Adobe Flash Player installer. The malicious installer is distributed by poisoning Google search results to lure victims.
  • A multi-stage attack was distributed to users worldwide via a malicious Word document disguised as a resume. In the last stage, the threat actors used Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communication.
  • An unpatched vulnerability in USB for Remote Desktop can allow attackers to elevate privileges on a target machine by adding fake devices. The flaw affects a bus driver for the Remote Desktop developed by FabulaTech.
  • Research revealed that the Turla threat actor group had abused a vulnerability in Oracle’s VirtualBox software to spread a malware named AcidBox. The malware was used by the gang twice against a Russian organization in 2017.
  • Google Alerts picked up a new trend of fake data breach notifications pushed by fraudsters. The attackers are leveraging black-hat SEO techniques, Google Sites, and spam pages to redirect users to fake notifications from well-known brands in order to distribute malware and scams.
  • A collection of 19 vulnerabilities, known as Ripple20, has been found in a TCP/IP software library developed by Treck Inc. These flaws affect millions of IoT devices using the software and can be abused to steal data and take control of devices.
  • Malware distributors abused a DLL hijacking vulnerability in Apple's APSDaemon.exe, AnyToISO, and CrystalBit software to install coin miners. The campaign starts with users being redirected to sites that falsely claim to offer copyrighted software.
  • A new version of the IcedID banking trojan was spotted using steganography to stealthily infect victims. It is distributed via phishing emails that pretend to be related to the Family and Medical Leave Act (FMLA).
  • The Black Kingdom ransomware group exploited an RCE vulnerability in Pulse Secure VPN to gain access to corporate networks. The vulnerability in question is identified as CVE-2019-11510.

Tags

pulse secure vpn servers
acidbox
pci security standards council ssc
ripple20 vulnerability
shlayer mac malware
dll hijacking vulnerability
iceid banking trojan

Posted on: June 19, 2020
