Cyware Weekly Threat Intelligence, March 16-20, 2020


The Good

Hope you all had a healthy and safe week. Here is a dose of the good things that happened this week in cybersecurity. The UK’s National Cyber Security Centre (NCSC) has started hunting down phishing websites linked to COVID-19 scams, an initiative aimed at protecting people across Europe from losing money and sensitive data to scammers. Meanwhile, the operators of some prominent ransomware families have decided not to target health organizations during the Coronavirus pandemic.

  • The UK’s National Cyber Security Centre (NCSC) has stepped in to remove malicious and phishing websites linked to COVID-19 scams. The initiative follows a rise in attacks that have cost victims across Europe money and sensitive data.
  • Members of the IT and cybersecurity communities have successfully obtained the unlock password for the CovidLock Android ransomware, which comes disguised as an app. The app threatens to erase data from a user’s phone if a ransom of $100 in bitcoin is not paid within 48 hours.
  • The National Institute of Standards and Technology (NIST) has published the draft for SP 800-53 (revision 5). This publication, titled “Security and Privacy Controls for Information Systems and Organizations,” reflects the major changes to the security landscape over the last few years. The publication intends to protect organizational operations and assets from cyberattacks.
  • Operators of some prominent ransomware like DoppelPaymer and Maze have stated that they will no longer target health and medical organizations during the COVID-19 pandemic. DoppelPaymer’s operators have further asserted that they will decrypt the files for free if they have inadvertently attacked any hospital or nursing home.

The Bad

Meanwhile, several organizations inadvertently exposed millions of records in different data leak incidents reported this week. Misconfigured S3 buckets were the cause of data leaks at MCA Wizard and Doxzoo. A UK-based research firm also came under scrutiny for exposing 5 billion records on past security incidents through an unguarded Elasticsearch database.

  • An unprotected Elasticsearch database exposed over 5 billion records collected by a UK-based research firm between 2012 and 2019. The leaky database contained extensive information on the breaches including domains, sources, contact email addresses, and passwords.
  • Cybercriminals launched a DDoS attack against German food delivery service Takeaway.com (Lieferando), demanding two bitcoins to stop the flood of malicious traffic. The company announced that its systems had entered maintenance mode to ensure data security during the attack.
  • Approximately 500,000 documents related to the MCA Wizard app were exposed due to a misconfigured AWS S3 bucket. The documents included credit reports, bank statements, contracts, legal reports, driver’s license copies, purchase orders, tax returns, and social security numbers.
  • A data leak at Doxzoo affected over 270,000 records belonging to more than 100,000 users. The incident occurred due to a leaky S3 bucket. The leaked data included print jobs for many high-profile clients, including elite universities and Fortune 500 companies.
  • Canadian ISP Rogers Communications notified its customers about a data breach that took place in February 2020. The incident had exposed personal information such as addresses, account numbers, email addresses, and telephone numbers of some of its customers.
  • The websites of NutriBullet and TrueFire suffered Magecart-like attacks that allowed attackers to steal customers’ payment card details. The attack on NutriBullet was carried out using skimmer code, while TrueFire attributed its attack to unauthorized access to its website.

New Threats

The week also saw various malware campaigns leveraging the COVID-19 pandemic. The malware used in these campaigns included the BlackWater backdoor, the TrickBot trojan, Crimson RAT, and SpyMax. Apart from this, researchers also came across two new malware families, dubbed CrazyCoin and Nefilim ransomware, that are active in the wild.

  • Many Intel CPUs were found to be affected by a new Snoop-assisted L1D Sampling vulnerability. The flaw is a variant of a domain-bypass transient execution attack and takes advantage of CPU mechanisms such as cache levels, cache coherence, and bus snooping.
  • Researchers discovered a new CrazyCoin virus that spreads through the EternalBlue exploit. The virus includes mining, hacking, and backdoor capabilities. Once launched, it unleashes both mining and information-stealing modules to carry out its malicious activities.
  • Attacks from a new variant of Pysa ransomware and a newly discovered ransomware named Nefilim were also observed this week. The latest Pysa variant appends the .newversion extension to each encrypted file, while Nefilim uses a combination of AES-128 and RSA-2048 to encrypt victims’ files.
  • A new version of the TrickBot trojan that includes an RDP brute-forcing module targeted telecommunication services in the U.S. and Hong Kong. The variant first appeared on January 30, 2020 and uses a C2 server located in Russia.
  • The notorious Ursnif trojan was also spotted this week targeting people in Italy. The attacker made use of a compromised website that served as the drop URL for the payload.
  • The Stantinko botnet has evolved to include a new cryptomining module and various obfuscation techniques, the most notable being string obfuscation and control-flow obfuscation.
  • Malware authors leveraged fake news stories about the Coronavirus to distribute the Emotet and TrickBot trojans. In a separate incident, threat actors impersonated the World Health Organization (WHO) and sent a fake e-book as a lure to trick users into downloading GuLoader. The fake e-book arrived as an email attachment purporting to offer guidance on staying safe from the Coronavirus.
  • A new backdoor named BlackWater infected systems by pretending to provide updates on the Coronavirus disease. The backdoor’s main purpose is to abuse Cloudflare Workers as an interface for communicating with the attackers.
  • Two malicious apps pretending to provide updated information on the COVID-19 disease were also used to steal users’ sensitive information. While the ‘CovidLock’ app demanded an extortion fee of $100 in bitcoin to prevent data from being erased from the user’s phone, the ‘corona live 1.1’ app was used to spy on people in Libya.
  • The prolific TA505 threat actor group has been targeting businesses in Germany through malicious CVs. The campaign has been operating since April 2018 and the trojanized curriculum vitae files are sent through phishing emails.
  • The Pakistan-based APT36 threat actor group deployed the Crimson Remote Administration Tool (RAT) onto victims’ systems via a spear phishing campaign that used Coronavirus-themed documents as bait. The campaign exploited a remote code execution vulnerability in Microsoft Office to distribute the RAT.
  • Sodinokibi ransomware operators published over 12 GB of stolen data belonging to a company named Brooks International for not paying the ransom. The exposed data includes usernames and passwords, credit card statements, tax information, and much more.


Posted on: March 20, 2020
