Cyware Weekly Threat Intelligence, June 24-28, 2019

The Good

As we have come to the last week of June, let’s quickly revisit all that happened in the security landscape this week. Let’s first glance through all the positive developments. SK Telecom has developed a new technology that allows quantum password keys to be switched and routed to different networks. Microsoft has announced a new feature called ‘OneDrive Personal Vault’ that adds a security layer to protect sensitive files. Meanwhile, Moody’s Corporation along with Team8 has developed a framework to measure businesses’ defenses against cyber attacks.

  • SK Telecom has announced that it has developed a new technology that allows quantum password keys to be switched and routed to different networks. This technology allows networks to transfer a quantum password key to another network when the network being used is down. It will also allow routing of the transfer when connected to multiple networks.
  • Microsoft has announced a new security layer for protecting sensitive files with its new feature ‘OneDrive Personal Vault’. This feature is a protected area in OneDrive that can be accessed only with the Microsoft Authenticator app or a second step of identity verification such as a fingerprint, face recognition, PIN, or authentication code. The feature is supported on the web, Android, iOS, and Windows 10.
  • Financial services company Moody’s Corporation has collaborated with the cybersecurity think-tank Team8 for developing a framework to measure businesses’ defenses and preparedness against cyber attacks. This framework will help companies that engage in mergers and acquisitions or when purchasing cyber insurance policies.

The Bad

Several data breaches and security incidents were witnessed in the past week. A cybersecurity firm has revealed that a Chinese threat group has launched cyberattacks against several telecommunication companies across 30 countries since 2017. In another instance, the Chinese cyber-espionage campaign ‘Cloud Hopper’ has compromised almost 8 tech services companies. Meanwhile, the City Hall in Lake City, Florida, which suffered a ‘Triple Threat’ ransomware attack on June 10, 2019, has paid the attackers nearly $500,000 in order to recover the encrypted files.

  • A cybersecurity firm has revealed that a Chinese threat group has launched cyberattacks against several telecommunication companies across 30 countries since 2017. The tools used in the attacks are linked to the APT10 threat group. The attackers attempted to obtain call detail record (CDR) data such as call logs and cell tower locations, and attempted to compromise the critical assets of the telecom companies.
  • A hacker stole 9.3 million Ripple (XRP) coins worth $4.25 million and 2.5 million Cardano (ADA) coins worth $225,000 from the Bitrue cryptocurrency exchange platform. Bitrue administrators detected the hack and immediately shut down trading on their platform. The exchange also worked closely with Huobi Global, Bittrex, and ChangeNOW to freeze the affected funds and accounts.
  • An unprotected Amazon Web Services S3 bucket exposed sensitive data about apprentices recruited by MEGT, such as passport scans, visa details, invoices, work placement documents, employment agreements, and performance warnings. The unsecured S3 bucket contained almost 143,000 entries dating back to 2014.
  • The City Hall in Lake City, Florida, which suffered a ‘Triple Threat’ ransomware attack on June 10, 2019, has paid the attackers 42 bitcoins worth nearly $500,000 in order to recover the encrypted files. The city’s insurance provider made the payment on June 25, 2019. Soon after, the attackers provided the decryption key to retrieve the city’s files and data.
  • A new phishing scam that purports to come from Larry Page, former CEO & Co-founder of Google, states that users have won $2.5 million for using its services and asks for their personal details. The scam email prompts users to fill out the claims form in order to claim the prize money. The claims form asks for users’ personal details such as names, addresses, phone numbers, age, email addresses, and occupation.
  • Taiwan’s Ministry of Civil Service (MOCS) suffered a data breach compromising the personal information of almost 243,376 civil servants, including both local and central government officers. The compromised information included ID numbers, names, national identification card numbers, agency information, job designation, and the agencies the civil servants work for.
  • The City of Sun Prairie in Wisconsin suffered a data breach after attackers broke into some of the employees’ email accounts. The compromised email accounts contained personal information of residents including Social Security numbers, account login ID and passwords, driver license or state identification numbers, and banking details.
  • A ‘human hacking’ forum, Social Engineered, has been breached and its user data has been published on a rival website. The data includes 89,000 unique email addresses linked to 55,000 forum account holders, along with usernames, IP addresses, and passwords. The data breach was due to a security hole in the MyBB open-source forum software.
  • Dominion National, an insurer and administrator of dental and vision benefits disclosed that it suffered a data breach impacting the personal information of some of its former and current members. The compromised data includes names, addresses, dates of birth, email addresses, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers, and subscriber numbers.
  • WeTransfer, a cloud-based file transfer service, announced that it shared users’ sensitive files with people who were not intended to receive them. The file sharing service has logged out some user accounts and asked those users to reset their passwords. It has further blocked the affected transfer links to prevent further transfers.
  • Attackers stole the administrative credentials that the tech provider PCM uses to manage client accounts within Office 365. A security expert at a PCM customer said that the attackers’ prime motive is to steal client information that could be used to conduct gift card fraud at various retailers and financial institutions.
  • An unprotected MongoDB database belonging to MedicareSupplement.com has exposed almost 5 million records containing personal information of users such as names, addresses, dates of birth, gender, email addresses, and IP addresses. The database also included 239,000 records related to insurance interest area such as cancer insurance.
  • Unprotected Amazon Web Services cloud-computing servers belonging to Attunity have exposed the company’s passwords and network information. The leaky servers also exposed sensitive information of some of its high-profile customers, including Ford Motor and the Toronto-Dominion Bank.
  • The Chinese ‘Cloud Hopper’ global hacking campaign has compromised almost 8 tech services companies. The impacted companies include Ericsson, Hewlett Packard Enterprise, IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology.


New Threats

This week also witnessed the emergence of several new malware strains and vulnerabilities. Researchers observed multiple malspam campaigns that distributed the LokiBot and NanoCore trojans. Several vulnerabilities were detected in EA’s Origin platform that could expose 300 million gamers to account takeover attacks. Meanwhile, researchers noted that Sodinokibi ransomware is being distributed via malvertising that leads to the RIG exploit kit.

  • Researchers spotted a new malware dubbed ‘Silex’. This malware is capable of trashing IoT devices’ storage, deleting the network configuration, dropping firewall rules, and halting the device. It was also identified that the malware was a bot designed for bricking IoT devices. ZDNet found that around 2000 devices were inoperable in an hour after the malware’s discovery.
  • Researchers observed multiple malspam campaigns that distribute the LokiBot and NanoCore trojans. The malspam emails are disguised as invoices and carry an ISO disk image attachment which, upon opening, drops the LokiBot and NanoCore trojans on the victims’ systems.
  • Several vulnerabilities have been detected in Electronic Arts’ Origin platform. These vulnerabilities could expose 300 million gamers to account takeover attacks by abusing authentication tokens and related trust mechanisms. These vulnerabilities have since been fixed by EA.
  • Researchers spotted a new ransomware dubbed ‘LooCipher’ that is actively used in the wild. This ransomware is distributed via spam campaigns. LooCipher ransomware encrypts all files and appends the .lcphr extension to the encrypted files. It leaves them behind as zero-byte files.
  • The GreenFlash Sundown exploit kit has expanded its operations out of Asia. Attackers are using the exploit kit to push SEON ransomware onto the victims’ machines. The attackers targeted the popular onlinevideoconverter[.]com website to launch the attack campaign.
  • A security flaw was discovered in Dell’s SupportAssist software that is pre-installed on most of its computers. Tracked as CVE-2019-12280, the flaw is a DLL hijacking vulnerability. It has impacted millions of Dell PCs. However, the vulnerability has been patched by Dell.
  • MobOk is a newly discovered malware that was propagated in the form of two malicious photo editing apps, ‘Pink Camera’ and ‘Pink Camera 2’. Once installed successfully, the malware is capable of collecting device information and sending it back to the hackers so that they can stealthily ‘subscribe’ victims to fake subscriptions in order to steal money.
  • Sodinokibi ransomware, also known as REvil, is distributed via malvertising that leads to the RIG exploit kit. Sodinokibi is now using exploit kits to infect victims. The malvertising campaigns distributing Sodinokibi run on the PopCash ad network.
  • Researchers have uncovered a new malware campaign called ViceLeaker that specifically targets Android users. The malware comes with various backdoor capabilities such as uploading, downloading, and deleting files, camera takeover, and recording surrounding audio. The malware uses HTTP for communication with the C2 server for command handling and data exfiltration.
Posted on: June 28, 2019