Cyware Weekly Threat Intelligence, March 02-06, 2020

Share Blog post

The Good
With another weekend coming to an end, let’s take a quick glance at all the good developments that happened this week. In a major announcement, four largest browser vendors - Mozilla, Google, Apple, and Microsoft - have taken a decision to block over 850,000 websites that still use the legacy TLS protocols by the end of this month. On the other hand, the FCC has proposed fines of over $200 million against four major wireless carriers for improperly selling customers’ location data. 
     
  • Germany’s Federal Office for Information Security in collaboration with the Federal Criminal Police Officer has issued a joint statement on how to deal with a ransom demand following a ransomware attack. In addition to this, the agency has also provided a detailed guide to the local governments and municipal institutions on how to deal with ransomware attacks. 
  • More than 850,000 websites that run outdated TLS 1.0 and 1.1 protocols are scheduled to be removed from most major browsers later this month. These communication protocols use weak cryptographic algorithms and are vulnerable to a series of cryptographic attacks.
  • The Cyber Security Agency of Singapore (CSA) has planned to launch a new Cybersecurity Labelling Scheme (CLS) to improve the security of IoT products against cyberattacks. The scheme is part of the country’s new Safer Cyberspace and will initially include Wi-Fi routers and smart home hubs.    
  • The UK’s National Cyber Security Center (NCSC) has released a set of guidelines to boost the security of smart security cameras and baby monitoring devices. The new guidance has been issued to help users in protecting their devices from being compromised.  
  • An American university has launched a unique toolkit called FileTSAR to help law enforcement agencies catch cybercriminals. It can also be used to detect staff who acted as insider threats.  
  • The FCC has proposed fines of more than $200 million against four wireless carriers - T-Mobile, AT&T, Verizon, and Sprint - for improperly selling access to their customers’ location data. The carriers had apparently allowed outside companies to capture the location of wireless devices without their owners’ knowledge or consent.

The Bad
This week, there were also some major data breaches reported by different organizations. One had occurred at the supermarket giant Tesco, following which it had reissued 620,000 new Clubcard numbers and the other victim was Walgreens - that exposed the personal details of some of its users due to a bug in its mobile app. Meanwhile, an unprotected database hosted on Google Cloud had exposed over 200 million records belonging to US residents. 

  • An unsecured database hosted on Google Cloud had exposed more than 200 million records related to US residents. The exposed data included a victim’s name, address, email address, age, gender, ethnicity, employment, credit rating, and property information.   
  • The wireless carrier T-Mobile came under fire again for unavailable to protect users’ information after a security breach. The possible leaked data includes names, addresses, phone numbers, account numbers, rate plans, and billing information of users.  
  • Walgreens, the second-largest pharmacy store in the U.S, disclosed that its official mobile app contained a bug that exposed the personal details of some of its users. The exposed data included names, prescription details store numbers and shipping addresses of users. 
  • A database containing personal information of Australian Defence Force (ADF) personnel was taken offline last month following a cybersecurity incident. The Defence Department acknowledged the incident to be a ‘potential security concern’ but suggested that there was no evidence of data being stolen. 
  • A ransomware attack at Simon Fraser University had affected the personal details of some employees and students. The university revealed that the incident affected the data of those individuals who joined the university prior to June 20, 2019. 
  • Legal services giant Epiq Global was also a victim of a ransomware attack. Sources claim that the ransomware had hit the organization’s entire fleet of computers across its 80 global offices. 
  • Two units of cruise operator Carnival Corp - Holland America Line and Princess Cruises - disclosed that they were targeted in a cyberattack last year. The attack had led to the compromise of personal data of some guests and employees. 
  • A potential data breach at Tesco had forced the firm to reissue 620,000 new Clubcard numbers. The retailer believes that a database of stolen username and password combinations was tested on its website to gain access to their customers’ accounts. 
  • An unsecured Amazon web service bucket had exposed the email address and travel details of about 10,000 people who used the free wi-fi service at UK railway stations. The affected railway stations included Harlow Mill, Chelmsford, Colchester, Wickford, Waltham Cross, Norwich and London Bridge.
  • Two casinos’ websites along with computer networks owned by the company TLC Casino Enterprise Inc. were out of order for almost a week due to a ransomware attack on February 27. The incident had also affected slot machines, player loyalty programs, credit card processing, hotel reservations, and ATMs at two casinos.
  • Virgin Media reported a breach that occurred due to a misconfigured database. The leaky database contained personal information of about 900,000 customers.  
  • Steelmaker Evraz in North America was forced to shut down its IT systems following a cyberattack. The company confirmed was no indication of compromise of any confidential data.          


New threats
Among the new threats discovered this week, thirty vulnerabilities uncovered in file upload mechanisms of 23 open-source web apps, CMSes, and forums could be abused to plant malicious files on a victim’s servers. On the other hand, a new ransomware called PwndLocker demanded a ransom of over $650,000 from victim organizations in the U.S.   

  • North Korean APT group Kimsuky was found using new malware implants to conduct a cyberespionage campaign. The group leveraged a shorter attack chain that involved the use of a ‘.scr’ extension file in order to bypass AV detection.  
  • Researchers detected a malicious Chrome extension named Ledger Live that is targeting the owners of Ledger cryptocurrency wallets. The extension, which is still available through the official Chrome Web Store, allows attackers to gain access to users’ accounts and steal their funds. 
  • Thirty vulnerabilities discovered in the file upload mechanisms of open-source web apps, CMSes and forums could be abused to plant malicious files on a victim’s servers. These vulnerabilities were uncovered using a FUSE, a new automated penetration testing toolkit. 
  • A new version of MTK-su rootkit that can be used to exploit a vulnerability CVE-2020-0069 was detected this week. The rootkit can be used against various models from Alcatel, Amazon, ASUS, Blackview, Huawei, LG, Meizu, Nokia, Motorola, OPPO, Sony, Realme, Xiaomi, and ZTE. The flaw exists in all of MediaTek’s 64-bit chips.
  • Ransomware operators continued to dominate the threat landscape with their newly adopted ‘naming-and-shaming’ technique. This week, the authors of Nemty ransomware launched a website to disclose the data and files of victims that refused to pay ransoms. Apart from this, there was also a discovery of a new ransomware called PwndLocker targeting the US businesses and local government with ransom demands over $650,000. 
  • A MalBus attack that involved the use of four popular Korean-language transit apps were compromised to target military and political data. These applications, all related to bus information, were available for more than five years on the Google Play Store.   
  • Cybercriminals were found using fake security certificate update requests to infect potential victims with a Mokes backdoor and a Buerak trojan. These fake certificate requests were available on compromised websites. 
  • New encryption flaws found in Toyota, Hyundai and Kia’s chip-enabled mechanical keys can allow hackers to clone similar keys and steal the cars. Some affected models are Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40. 


 Tags

t mobile us inc
malbus attack
walgreens
epiq global
virgin media
pwndlocker ransomware
mtk su rootkit
kimsuky threat actor

Posted on: March 06, 2020



More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.