Cyware Weekly Threat Intelligence, March 25-29, 2019

See All
The Good

As we’ve come to the end of March, it’s time to end the month with the most interesting threat intel of the week. As is our custom, let’s first begin with all the good that has occurred in the cybersecurity landscape over the past week. Computer scientists from the United States have developed a new email app that can quickly encrypt messages that appear in an email inbox. DHS is awarding $5.9 million to expand a cybersecurity training tool to the energy sector. In the meantime, New Jersey legislators have proposed a bill that would expand data breach notification requirements to alert consumers on data breaches.

  • Computer scientists from the United States have developed a new email app named ‘Easy Email Encryption E3’ that is capable of quickly encrypting messages that appear in an email inbox. The app works with the majority of popular email services such as Gmail, Yahoo, and AOL. This app automatically encrypts emails as soon as you receive emails in your mobile devices or desktops.
  • The Department of Homeland Security (DHS) is awarding $5.9 million to the Norwich University Applied Research Institute to expand a cybersecurity training tool used by the financial services sector to the energy sector. The training tool is designed to help energy sector enhance communication during high-stress incidents.
  • New Jersey legislators proposed a bill to Gov. Phil Murphy that would expand data breach notification requiring companies to alert consumers on data breaches that include personally identifiable information (PII) such as user names, passwords, email addresses, and security questions.
  • Europol has hosted a joint meeting of the EC3 Advisory Groups on financial services, internet security and communication providers gathering almost 70 industry experts to discuss the cyber-threat of phishing. In the two days of the joint meeting, experts came up with recommendations to combat phishing.
  • Microsoft has added tamper protection to its antivirus product Microsoft Defender Advanced Threat Protection (ATP) to prevent malware from disabling antivirus solution on infected systems. The tamper protection also prevents  malware from disabling Microsoft's cloud-based malware detection.

The Bad

Over the past week, several data breaches and massive cyber attacks came to light. A new supply chain attack campaign dubbed ‘Operation ShadowHammer’ impacted over 1 million users who have downloaded the backdoored version of the ASUS Live Update utility on their systems. In another instance, FEMA has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors. Meanwhile, LockerGoga, the ransomware that hit aluminum giant Norsk Hydro, also infected two other American chemicals companies.

  • The United States Federal Emergency Management Agency (FEMA) has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors that manages its TSA program. The exposed data include applicants SPII such as street address, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.
  • Researchers observed a campaign dubbed ‘Operation ShadowHammer’ that targets the supply chain by exploiting the backdoored version of ASUS Live Update Software. This campaign has impacted over 1 million users who have downloaded the backdoored version of the ASUS Live Update utility on their systems.
  • LockerGoga, the ransomware that hit aluminum giant Norsk Hydro, also infected two American chemicals companies Hexion and Momentive. The ransomware attack encrypted the Windows systems of these two chemical companies forcing the companies to order hundreds of new computers.
  • Two cryptocurrency exchange platforms DragonEx and CoinBene suffered cyber attacks compromising over $1 million and $45 million respectively. Both crypto portals have gone into maintenance mode to investigate the incident and retrieve back the stolen assets.
  • Researchers observed a new credential harvesting campaign dubbed ‘LUCKY ELEPHANT’ that uses doppelganger webpages to impersonate legitimate entities such as foreign governments, telecommunications, and military. The list of organizations that are impersonated by the attackers includes entities in Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, and Nepal.
  • Oregon’s Department of Human Services (DHS) suffered a data breach compromising 2 million email accounts and private data of over 350,000 clients. The breach was a result of attackers gaining access to nine of its employees’ email accounts.
  • A consumer spyware vendor exposed almost 95,000 images and over 25,000 audio recordings online due to a leaky database that was left publicly available without any authentication. Apart from the previous photos and recordings, the leaky database is also exposing the latest pictures and audio recordings that are being uploaded every day.
  • A publicly available MongoDB database belonging to a popular family locator app, React Apps exposed real-time locations of over 238,000 users. The MongoDB instance also contained information such as users’ names, email addresses, profile photos, and plain text passwords.
  • An unprotected ElasticSearch database belonging to a video streaming site Kanopy, exposed users’ API logs and website access logs thereby revealing users’ viewing habits. The access logs included data such as user location, TLS version used, client IP and many more.
  • The computer systems of a parking garage belonging to the Canadian Internet Registration Authority (CIRA) which allows its employees to park their vehicles for free were infected by ransomware. The attack allowed outsiders to enter the parking garage without any security check.

New Threats

Several vulnerabilities and malware strains emerged over the past week. Researchers uncovered a new version of the AZORult data stealer dubbed ‘AZORult++’. Researchers spotted a new Android banking trojan dubbed ‘Gustuff’ which is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps. Last but not least, security weaknesses found in the US Treasury Department’s system could pose an increased risk of unauthorized access to the Federal Reserve Bank (FRB) systems.

  • Researchers have uncovered a new version of the AZORult data stealer dubbed ‘AZORult++’ because the files are written in C++ and not Delphi. This new variant is capable of launching an RDP connection by creating a new user account and adding it to the admin’s group.
  • Researchers spotted a new Android banking trojan dubbed ‘Gustuff’ which is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps. This trojan uses social engineering techniques to trick device owners into giving access to the Android Accessibility service.
  • Researchers have detected a total of 51 vulnerabilities in the Long-Term Evolution (LTE) protocol. Of these, 36 have been identified as new vulnerabilities. The vulnerabilities could allow attackers to disrupt mobile base stations, block incoming calls and disconnect users from a mobile network.
  • Researchers have observed a new gift-card seeking ransomware dubbed ‘UNNAM3D’ which relies on a WinRAR executable program to archive user files found in the infected system. After infecting systems, the ransomware asks victims’ to purchase $50 Amazon gift cards and send it to the malware developer on Discord.
  • Google has patched a bug in Chrome dubbed ‘evil cursor’ that was exploited by tech support scammers to create an artificial mouse cursor and lock users inside browsers. Partnerstroka threat group exploited this bug by replacing the standard mouse cursor (OS 32-by-32 pixels) with 128 or 256 pixels in size.
  • Researchers uncovered a feature in UC browser that downloads extra app modules and runs executable codes on users’ devices thereby violating Google Play Store policies and exposing its users to Man in the Middle (MitM) attacks. It is to be noted that UC browser has been downloaded by over 500 million users.
  • U.S. Government Accountability Office (GAO) has published a management report stating that the security weaknesses found in the US Treasury Department’s system could pose an increased risk of unauthorized access to the Federal Reserve Bank (FRB) systems.
  • A modified version of the Christchurch attack suspect’s manifesto is circulating online. The modified version contains an obfuscated VBA script code that attempts to download the second stage payload. The payload dubbed ‘Trojan Haka’ overwrites the master boot record (MBR) with a message ‘This is not us!’, which is displayed after the system restarts.
  • Fizz, Facebook’s implementation of the TLS protocol, contained a critical security flaw that could have allowed attackers to execute Denial of Service (DoS) attacks on servers. Facebook has released a patched version to address the Denial-of-Service vulnerability in Fizz.






  • Share this blog:
Previous
Cyware Weekly Threat Intelligence, April 01-05, 2019
Next
Cyware Weekly Threat Intelligence, March 18-22, 2019
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.