Cyware Weekly Threat Intelligence, June 22 - 26, 2020


The Good

Here’s the scoop on the good things that happened in cyberspace this week. The US government has announced its plan to enforce HTTPS on all .gov sites. The plan takes effect on September 1, 2020, and aims to protect visitors from interception of their traffic. Additionally, researchers have come up with a new technique, called Void, to safeguard people from voice spoofing attacks.

  • According to reports, the US government is set to allocate $18.78 billion toward cybersecurity in 2021. The fund will support the Pentagon’s efforts to defend against cyberattacks on US forces.
  • Starting from September 1, 2020, all the US .gov sites will only be accessible via HTTPS. The protocol will protect the visitors’ connections by encrypting the exchanged data and protecting them from man-in-the-middle attacks.
  • Researchers from CSIRO’s Data61 have developed a new technique to protect users from voice spoofing attacks. The new solution, called Void, identifies the differences in spectral power between a live human voice and a voice replayed through a speaker.

The Bad

Along with the favorable news, the week also saw some disappointing breaches and attacks. Frost & Sullivan suffered a major data breach after several of its databases were put up for sale on dark web forums. Maze, CLOP, and Nefilim ransomware operators made headlines for targeting LG Electronics, INDIABULLS, and organizations in New Zealand, respectively.

  • Ransomware continued to run rampant, ransacking the targeted organizations’ sensitive information and networks. While the Maze ransomware gang claimed attacks on LG Electronics, the operators of CLOP ransomware disrupted the business operations of INDIABULLS.
  • The operators of REvil ransomware are all set to auction the next batch of stolen data belonging to the high-profile celebrity law firm Grubman Shire Meiselas & Sacks on July 1. The auction of the stolen data is expected to start at a price of $600,000.
  • A threat actor group, named CryptoCore, stole around $200 million from different cryptocurrency exchanges located in the US, Japan, and the Middle East. The amount was stolen by the actors in a span of around two years.
  • Frost & Sullivan came under the radar after several of its databases containing information related to its employees and customers were put up for sale on a dark web forum. The customer database included information, such as client names, email addresses, company contacts, and other non-sensitive data.
  • A threat actor claimed to sell over 230,000 Indonesian COVID-19 patients’ records on the RaidForums marketplace. The leaked data includes names, addresses, telephone numbers, diagnosis data, and test result dates of patients. However, the Indonesian government refuted the breach of any patient’s data.
  • A database containing over 1.2 million user records from the popular MMO Stalker Online was put up for sale on dark web forums. The leaked records included players’ usernames, passwords, email addresses, phone numbers, and IP addresses.
  • A hacktivist group, dubbed ‘Distributed Denial of Secrets’ (DDoSecrets), leaked 296 GB of data associated with more than 200 US law enforcement agencies and fusion centers. The leaked files, dubbed BlueLeaks, included more than one million files, such as emails, videos, audio files, and scanned documents among others.
  • New Zealand CERT issued a warning that Nefilim ransomware operators are targeting poorly-secured Citrix servers to launch attacks against organizations. Once an attacker gains a foothold through the remote access system, they then use tools such as Mimikatz, PsExec, and Cobalt Strike to elevate privileges.

New Threats

Among the new threats discovered this week, security researchers identified two new malware families, NitroHack and Lucifer, in different attack campaigns. While NitroHack modifies the Discord client for Windows into an info-stealing trojan, Lucifer includes cryptomining and DDoS capabilities.

  • In a new study, researchers found that around 80,000 printers are exposed online via the IPP port on a daily basis. This means attackers can collect printers’ names, locations, models, and even organization names just by querying the IPP port.
  • Three new ransomware families, Hackbit, WastedLocker, and CryCryptor, were noticed by security experts. While Hackbit targeted mid-level executives across Austria, Switzerland, and Germany, WastedLocker is a creation of the EvilCorp hacker group. The CryCryptor ransomware was used to target Android users in Canada.
  • Operators of Sodinokibi ransomware were found scanning the networks of targets for PoS data in their latest attack campaign. The campaign targeted healthcare, services, and food sectors, among other victims.
  • Attackers abused Google Analytics in new web skimming attacks. Several websites associated with the service have been registered with the intent of stealing credit card details from retail websites.
  • Security researchers discovered two new malware families, NitroHack and Lucifer, in different attack campaigns. While NitroHack modifies the Discord client for Windows into an info-stealing trojan, Lucifer includes cryptomining and DDoS capabilities.
  • Researchers detected a malicious Docker Hub account, azurenql, that has been active since October 2019. The account was used to host six malicious images intended to mine cryptocurrency. The images hosted on this account were pulled more than two million times.
  • Security researchers detected new variants of XORDDoS and Kaiji botnets targeting exposed Docker servers. For this, the attackers are actively scanning Docker servers that are exposed through port 2375.
  • The full impact of the newly discovered Ripple20 vulnerabilities, a set of 19 flaws in the Treck TCP/IP stack, remains unclear. However, researchers believe that the healthcare industry is particularly affected. Six times as much vulnerable equipment has been found in healthcare as in other sectors.
  • An unidentified Advanced Persistent Threat (APT) group was found targeting entities based in Myanmar (Burma). The attack campaign leveraged spearphishing to target victims.
  • Group-IB highlighted that the infamous Fxmsp hacker sold access to 135 companies in the last three years. Last year, it was in the news for selling network access to three antivirus companies.
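The XORDDoS and Kaiji item above turns on one misconfiguration: a Docker daemon whose API listens on TCP port 2375 without client authentication. The following check, added here as an example and not code from Cyware or the Docker project, audits the two places dockerd takes its listen addresses from (the "hosts" key in daemon.json and -H/--host flags on the command line) and grades every tcp:// listener by exposure. The sample configurations, the certificate paths, and the assumption that a missing port means 2375 are all constructed for this example.

```python
"""Audit a Docker daemon's listen configuration for an unauthenticated TCP API.

Added example, not Cyware's code or Docker's own tooling. It reads the "hosts"
key of daemon.json and the -H/--host flags of a dockerd command line and reports
any tcp:// listener that is not protected by client-certificate verification
("tlsverify": true / --tlsverify). Sample inputs below are constructed.
"""
import json
import shlex
from dataclasses import dataclass

# dockerd listens on 2375 for plaintext and, by convention, 2376 for TLS.
# Treating a missing port as 2375 is an assumption made by this check.
DEFAULT_API_PORT = 2375
ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


@dataclass
class Finding:
    source: str     # "daemon.json" or "cmdline"
    listener: str   # the tcp:// value exactly as configured
    severity: str   # critical / high / low / info
    message: str


def hosts_from_cmdline(cmdline: str) -> list:
    """Return the values given to -H / --host on a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:   # -Htcp://... form
            hosts.append(arg[2:])
        i += 1
    return hosts


def split_tcp_listener(value: str):
    """Split 'tcp://host:port' into (host, port); port defaults to 2375."""
    addr = value[len("tcp://"):]
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return addr, DEFAULT_API_PORT


def audit_docker_daemon(daemon_json: str = "{}", cmdline: str = "dockerd") -> list:
    """Return a Finding for every tcp:// listener, graded by exposure."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(cmdline)
    # --tlsverify implies --tls; "tls" alone encrypts but does not authenticate clients.
    tls_verify = bool(cfg.get("tlsverify")) or any(a in ("--tlsverify", "--tlsverify=true") for a in argv)
    tls_only = not tls_verify and (bool(cfg.get("tls")) or any(a in ("--tls", "--tls=true") for a in argv))

    findings = []
    for source, hosts in (("daemon.json", cfg.get("hosts", [])),
                          ("cmdline", hosts_from_cmdline(cmdline))):
        for value in hosts:
            if not value.startswith("tcp://"):
                continue            # unix:// and fd:// sockets are local-only
            host, port = split_tcp_listener(value)
            if tls_verify:
                sev, msg = "info", "TCP API requires a client certificate"
            elif host in LOOPBACK:
                sev, msg = "low", "plaintext API bound to loopback only"
            elif tls_only:
                sev, msg = "high", "TLS enabled but clients are not verified"
            elif host in ALL_INTERFACES:
                sev, msg = "critical", f"unauthenticated Docker API on all interfaces, port {port}"
            else:
                sev, msg = "high", f"unauthenticated Docker API on {host}:{port}"
            findings.append(Finding(source, value, sev, msg))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity among the findings, or 'none' when there are none."""
    order = {"critical": 3, "high": 2, "low": 1, "info": 0}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed sample: the exposure pattern the botnet scans look for.
EXPOSED_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

# Constructed hardened counterpart: remote API only over mutually
# authenticated TLS on 2376 (certificate paths are placeholders).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for f in audit_docker_daemon(cmdline=EXPOSED_CMDLINE) + audit_docker_daemon(HARDENED_DAEMON_JSON):
        print(f"[{f.severity}] {f.source} {f.listener}: {f.message}")
```

Run on a host, the check would be fed the contents of /etc/docker/daemon.json and the dockerd line from the service unit or process list; a "critical" finding means the daemon accepts unauthenticated API calls from any network peer, which is the condition the scans on port 2375 are looking for. The hardened configuration keeps the socket local and moves remote access to port 2376 with client certificates required.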


Posted on: June 26, 2020
