Cyware Weekly Threat Intelligence, March 23-27, 2020


The Good

The last weekend of March 2020 is almost here, and amid the pandemonium caused by the Coronavirus there is some news to cheer us up. The DHS's CISA, along with NIST, has published guidelines for federal workers and contractors on how to secure their data and systems while working remotely during the current epidemic. The guide aims at boosting telecommunication security against external threats. On the other hand, academics have introduced a project that uses AI to identify deepfake videos, false information, and manipulated images.

  • Academics at the University of Notre Dame have come up with a project that uses artificial intelligence to identify deepfake videos, online disinformation, and manipulated images. The project aims at protecting online users from spreading inaccurate information that can be harmful.
  • The Australian Cyber Security Centre (ACSC) has issued a new update to increase awareness of coronavirus-themed malicious cyber activity. The Centre has received more than 100 reports related to COVID-19 scams in the last three months. Reported scams include messages pretending to be from Australia Post, international health organizations, and programs offering financial assistance.
  • Amid the Coronavirus epidemic, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidelines for federal workers and contractors working remotely to prevent cyberattacks on their networks. The measures include adhering to the telework security policy, using multi-factor authentication for enterprise access, and implementing validated encryption technologies to protect communications and data stored on client devices.

The Bad

The week also saw two major tech giants - General Electric (GE) and AMD - fall victim to data breaches caused by unauthorized access. While GE saw the PII of current and former employees affected, AMD reported that a hacker had gained access to confidential source code for several of its graphics products. Weibo also faced a major backlash after the personal data of 538 million users was put up for sale on the dark web.

  • Personal data of 538 million Weibo users was put up for sale on the dark web this week. The stolen data was priced at only $250 because it did not include passwords. The exposed personal data included the real names, site usernames, gender, and locations of users.
  • Finastra, a leading financial technology service provider in the UK, took its servers offline following a ransomware attack. Officials reported that they have no evidence of customer or employee data being accessed or exfiltrated.
  • Maze ransomware operators appeared in two different incidents this week. The first case came to light after they published data stolen from Hammersmith Medicines Research online. The second came to light after they attacked the cyber insurance company Chubb.
  • Daniel's Hosting, a leading free web hosting provider for dark web services, suffered an attack for the second time in 16 months. The incident occurred on March 10, when an attacker deleted the hosting portal's entire database. The incident affected almost 7,600 dark web portals.
  • General Electric (GE) suffered a data breach affecting the PII of current and former employees as well as beneficiaries. The information exposed in the breach included direct deposit forms, driver's licenses, passports, birth certificates, marriage certificates, tax withholding forms, Social Security numbers, and more.
  • The University of Utah Health disclosed a security incident that occurred between January 7 and February 21, 2020. The incident occurred after hackers gained unauthorized access to some employees' email accounts.
  • Data Deposit Box exposed over 270,000 consumer files through an unsecured Amazon S3 bucket. The leaked data included IP addresses, email addresses, and GUIDs of users.
  • AMD confirmed that a hacker had stolen files related to its current and future graphics products. The stolen files included source code for the Navi 10 architecture, which is used in some Radeon RX 5000-series graphics cards, the upcoming Navi 21, and Arden.

New Threats

Talking about new threats, the notorious TrickBot gang made a comeback with a malicious Android app called TrickMo, built to bypass 2FA protection. In a different incident, a new version of the Android banking trojan Ginp leveraged a fake 'Coronavirus Finder' website to target online banking users in the U.K. and Spain.

  • Researchers discovered a new version of the Ginp Android trojan that targeted online banking users in Spain and the U.K. The operators were found sending a special command that opened a fake website called 'Coronavirus Finder'.
  • Threat actors lured victims into installing a fake 'Corona Antivirus' in order to infect their computers with the BlackNET RAT. The fake antivirus was distributed via two websites.
  • Attackers hijacked the DNS settings of D-Link and Linksys routers to propagate the Oski information-stealing malware. Once the attacker gained access to a router and changed its DNS settings, victims were shown a fake COVID-19 alert that delivered the malware.
  • The TrickBot gang used a malicious Android application called TrickMo to bypass 2FA protection and infect Android devices. The campaign was used against German users.
  • Malicious actors were found pushing the Raccoon information stealer onto unsuspecting victims' systems through an HHS.gov open redirect. They leveraged Coronavirus-themed phishing emails to deliver the phishing page that dispatched the malware.
  • In a widespread attack campaign, the APT41 threat actor group exploited vulnerabilities in Cisco routers, Citrix ADC, and Zoho ManageEngine to infect several organizations across the US, the UK, France, Italy, Japan, Saudi Arabia, and Switzerland.
  • Researchers uncovered a new malicious campaign distributing a new trojan called Milum. The attack was carried out by the newly discovered WildPressure APT group and targeted organizations in the Middle East.
  • Google removed 56 malicious apps from its Play Store for distributing auto-clicker malware. These apps had more than a million installs across Android devices.
  • A cyberespionage campaign called Operation Poisoned News was uncovered targeting iOS users in Hong Kong. The campaign used links posted on multiple forums that supposedly led to various news sites. While the links did take users to the real news sites, they silently loaded a hidden malicious iframe onto victims' devices.
  • Several corporate news blog websites were compromised to redirect users to a website promoting fake Chrome updates. These updates were used to distribute malware onto victims' computers.
  • At least European companies in the pharmaceutical and manufacturing industries were attacked by Silence and TA505 threat actor groups. These organizations were affected by Silence.ProxyBot and updated versions of Silence.MainModule.    
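The Raccoon campaign above abused an open redirect on a legitimate domain so that a phishing link appeared to point at a trusted site. As an added example (not code from the Cyware post, and not HHS.gov's own code), the block below shows the weak pattern beside a hardened same-origin check, and runs that check over a few constructed web-server log lines to flag redirect parameters that would have sent users off-site. The origin `portal.example.gov`, the parameter names and the log lines are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Hypothetical trusted origin standing in for the site that exposed the redirect.
TRUSTED_ORIGIN = "https://portal.example.gov"

# Query parameters commonly used to carry a post-login destination (assumed set).
REDIRECT_PARAMS = ("url", "next", "redirect", "return")

# Pulls the request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_same_origin(next_url: str) -> bool:
    """True only if next_url resolves to a page on TRUSTED_ORIGIN itself."""
    if "\\" in next_url:
        # Browsers treat backslashes like slashes; reject rather than guess.
        return False
    resolved = urljoin(TRUSTED_ORIGIN + "/", next_url)
    target, trusted = urlparse(resolved), urlparse(TRUSTED_ORIGIN)
    # Comparing scheme and full netloc catches "https://evil.example",
    # scheme-relative "//evil.example", "javascript:" and userinfo tricks
    # such as "https://portal.example.gov@evil.example/".
    return target.scheme == trusted.scheme and target.netloc == trusted.netloc


def redirect_vulnerable(next_url: str) -> str:
    """The weak pattern: the user is sent wherever the parameter says."""
    return next_url


def redirect_hardened(next_url: str) -> str:
    """Honour the parameter only for same-origin targets; otherwise land on '/'."""
    if not is_same_origin(next_url):
        return "/"
    return urljoin(TRUSTED_ORIGIN + "/", next_url)


def flag_cross_origin_redirects(log_lines):
    """Return every redirect-parameter value in the logs that points off-origin."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlparse(match.group(1)).query
        for name, values in parse_qs(query).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            flagged.extend(v for v in values if not is_same_origin(v))
    return flagged


# Constructed sample log lines (not real traffic): one benign redirect and
# two that would have bounced the visitor to an external lure.
SAMPLE_LOGS = [
    '10.0.0.5 - - [24/Mar/2020:10:01:02 +0000] "GET /redirect?url=/help HTTP/1.1" 302 -',
    '10.0.0.9 - - [24/Mar/2020:10:02:17 +0000] "GET /redirect?url=https://evil.example/covid-update HTTP/1.1" 302 -',
    '10.0.0.7 - - [24/Mar/2020:10:03:44 +0000] "GET /redirect?url=//evil.example/lure HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for value in flag_cross_origin_redirects(SAMPLE_LOGS):
        print("off-origin redirect target:", value)
```

The same `is_same_origin` check serves both the fix (refuse the redirect) and the retrospective hunt (grep past logs for abuse); keeping the two on one function means the detection logic cannot drift from what the application actually enforces.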

Tags

university of utah health
australian cyber security centre acsc
weibo
general electric ge
milum trojan
fake corona antivirus
apt41 threat actor group
2fa protection
trickmo

Posted on: March 27, 2020
