Cyware Weekly Threat Intelligence, March 09-13, 2020


The Good

Another weekend is around the corner and just before we slide into a relaxed mood, let’s take a peek at the major developments from the cybersecurity world. Microsoft, along with partners from 35 different countries, successfully disrupted the operations of the Necurs botnet, which had affected nearly nine million computers worldwide. In other news, Google’s open-source developers have created a new USB Keystroke Injection Protection tool to defend users against USB keystroke injection attacks.
    
  • Google’s open-source developers have released a new tool dubbed USB Keystroke Injection Protection to fend off stealthy USB keystroke injection attacks. The tool is effective on machines using the Linux operating system.
  • After an eight-year-long coordinated investigation, Microsoft, along with partners from 35 different countries, has successfully dismantled the operations of the Necurs botnet, which infected an estimated nine million computers worldwide. The botnet was believed to be managed by the creators of the Dridex trojan.
  • Dubai has become the first city in the UAE to enact security standards on industrial control systems (ICS). The step has been taken following the increase in cyberattacks on operational technology (OT) infrastructure in the Middle East.

The Bad

Data breaches exposing millions of personal records of users were also reported worldwide this week. The Dutch government disclosed the loss of two external hard drives that had the personal details of over 6.9 million organ donors stored in them. On the other hand, a software vendor serving small retailers in the EU had exposed nearly 8 million sales records due to a misconfigured MongoDB database.
 
  • Personal data of over 6.9 million organ donors was compromised following the loss of two external hard storage drives. The external hard drives belonged to the Dutch government and included electronic copies of all donors filed with the Dutch Donor Register between February 1998 and June 2010.
  • Card data stolen last year from Volusion-hosted online stores was found on the dark web. The breach had occurred in September-October 2019 and had impacted 6,589 online stores.
  • A software vendor serving small retailers in the EU exposed nearly 8 million sales records on the web due to an unprotected MongoDB database. The exposed sales records included customers’ names, email addresses, shipping addresses, purchases, and the last four digits of credit card numbers.
  • Whisper app leaked 900 million secret posts and all the metadata related to those posts due to a misconfigured database. The firm took down the database on March 9, 2020, after it learned about the leak from other sources.
  • A web server containing records of about 76,000 unique fingerprints was left exposed on the internet. The unsecured fingerprint data, along with employees’ email addresses and telephone numbers, had been collected by a Brazilian company called Antheus Tecnologia.
  • Open Exchange Rates announced a data breach that exposed the personal information and salted and hashed passwords of customers of its API services. An internal investigation revealed that an unauthorized user had gained access to its network and a database that included user information.
  • The University of Kentucky and UK Healthcare conducted a major reboot of their systems in an effort to end a month-long cyber attack. The unidentified threat actors had infiltrated Kentucky’s largest university system in early February and installed malware to mine cryptocurrencies.

New threats

Talking about growing threats, researchers demonstrated a new variant of Rowhammer that affects DDR3, DDR4, LPDDR4, and LPDDR4X memory chips. The week also saw widespread use of the ‘COVID-19’ threat as a channel to spread the AZORult trojan and the FormBook info-stealer.

  • A group of academics from several universities demonstrated a new variant of the Rowhammer attack that bypasses Target Row Refresh (TRR) protections on RAM cards. Termed TRR-bypassing Rowhammer, the flaw affects all DDR3 and DDR4 memory chips. It also affects LPDDR4 and LPDDR4X chips embedded in most modern smartphones.
  • Researchers also discovered that Intel CPUs were impacted by a new LVI-LFB (Load Value Injection in the Line Fill Buffers) vulnerability. The vulnerability is described as a reverse Meltdown-type attack and can allow malicious software installed on a device to gain access to potentially sensitive information.
  • Just like the previous week, ransomware authors were at work developing new strains of malware or enhancing the capabilities of existing ones. PXJ, aka XVFXGW, is a new ransomware that begins its encryption process after deleting shadow copies from a victim’s system. A new variant of Paradise ransomware was also spotted targeting users through malicious IQY files. Amidst all this, a decryptor for the recently discovered PwndLocker ransomware was also released to help victims decrypt files encrypted by it.
  • A group of hackers residing in Vietnam infected hacking tools of fellow hackers with a version of the njRAT trojan. The widespread hacking campaign was aimed at hijacking hackers’ machines to conduct DDoS attacks and steal sensitive data.
  • Cybercriminals are leveraging the ongoing ‘COVID-19’ threat as a weapon to dupe users into downloading malware. In one incident observed this week, cybercriminals used a fake ‘COVID-19 Map’ app to distribute the infamous AZORult trojan to target users. FormBook information-stealing trojan also returned in a phishing email campaign that pretended to provide new updates on the disease. Apart from this, a new ransomware called CoronaVirus was also found to be distributed through a fake website that promoted malicious system optimization software and utilities for WiseCleaner.
  • The capabilities of four notorious trojans (AZORult, KPot, Raccoon, and Redline) were enhanced to bypass new security features introduced in Chrome 80. With this enhancement, the authors of these trojans can now easily steal a user’s cookies and passwords stored in the browser.
  • Researchers uncovered a new variant of the TrickBot trojan that spreads via Microsoft Word documents. The Word document prompts the victims to click on the ‘Enable Content’ button which, in turn, unleashes malicious macros that initiate the download of the trojan.
  • Japanese online banking users have been targeted in a new campaign called ‘Operation Overtrap’. The campaign, which has been active since April 2019, is carried out via spam emails and makes use of the Bottle exploit kit and a new Cinobi trojan.

Posted on: March 13, 2020