
Cyware Weekly Threat Intelligence, March 4-8, 2019


The Good

We’re back with the most interesting threat intel of the week. Before getting into the cyberattacks and new threats, let’s first acknowledge the positive events of the past week. The National Security Agency has released its reverse-engineering tool ‘Ghidra’ as open source. The World Wide Web Consortium has approved the WebAuthn API. Meanwhile, Singapore has proposed new guidelines for Technology Risk Management (TRM) and Business Continuity Management (BCM).

  • The National Security Agency announced at the RSA Conference that its cybersecurity tool ‘Ghidra’ is now an open-source offering to the public. Ghidra lets security researchers analyze malicious code and malware in depth through reverse-engineering tasks such as disassembly, assembly, decompilation, graphing, scripting, and more.
  • The World Wide Web Consortium approved the WebAuthn API on March 4, 2019. WebAuthn is a new way of logging into websites without passwords. Instead, it authenticates users with biometrics such as fingerprint or face recognition, or with hardware security tokens.
  • Singapore has proposed new guidelines for Technology Risk Management (TRM) and Business Continuity Management (BCM). The changes to the guidelines will help financial organizations implement additional security measures and enhance their operational resilience.

The Bad

In the past week, we witnessed several data breaches and massive cyberattacks. A security researcher detected 18 unprotected MongoDB databases containing social-services data. Wolverine Solutions Group suffered a ransomware attack impacting nearly 700 healthcare organizations. In the meantime, hackers defaced multiple Israeli web pages with the words ‘Jerusalem is the capital of Palestine’.

  • A security researcher uncovered 18 MongoDB servers that were publicly reachable without any password protection. The open MongoDB databases held data that were part of a Chinese surveillance program. The exposed information included online social-services data such as profile names, ID numbers, photos, public and private conversations, file transfers, GPS locations, and more.
  • Wolverine Solutions Group suffered a ransomware attack that impacted nearly 700 healthcare organizations, which use Wolverine Solutions Group for their billing and mailing services. The healthcare organizations affected by the breach include Mary Free Bed Rehabilitation Hospital, the Health Alliance Plan, North Ottawa Community Health System, Three Rivers Health, and more. The breach compromised the personal information of almost 1.2 million patients.
  • Attackers attempted a ransomware attack against Israeli web pages on March 2, 2019, which failed miserably due to a coding error. However, the attackers managed to deface multiple web pages with the words ‘Jerusalem is the capital of Palestine’. What went wrong was that the attack code compared the visitor’s platform against the exact value ‘Windows’, whereas browser user-agent strings also carry the Windows version number, such as ‘Windows 10’ or ‘Windows 7’, so the check never matched.
  • Security researchers detected an unprotected MongoDB database belonging to Dalil, a caller-ID app for Saudi Arabia. The open database contained the app’s entire data set, including users’ personal details and activity logs such as mobile numbers, names, email addresses, Viber accounts, gender, call details, and number searches. It also included device details such as model number, serial number, IMEI, MAC address, SIM number, and OS version, as well as telecom operator details and GPS coordinates.
  • Chinese hackers targeted more than two dozen universities across the world to steal maritime military secrets. The campaign targeted 27 universities via spear-phishing emails. The emails purported to come from partner universities and carried malicious attachments. The targeted universities include the Massachusetts Institute of Technology, the University of Washington, and other colleges in Canada and Southeast Asia.
  • Sharecare Health Data Services (SHDS) suffered a network intrusion that compromised patient data of AltaMed Health Services Corporation and Blue Shield of California. The exposed data included patients’ names, addresses, dates of birth, unique identification numbers, names and addresses of clinics, names of healthcare providers, medical record numbers, and internal SHDS processing notes.
  • Researchers detected an unprotected MongoDB database belonging to an email marketing firm, Verifications. The open database exposed almost 809 million records online. The leaky database contained three folders with different record sets: the first folder held over 790 million unique email addresses, the second contained 4,150,600 records pairing email addresses with users’ phone numbers, and the third contained 6 million business lead records.
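Three of the incidents above (the surveillance databases, the Dalil app, and the Verifications records) share the same root cause: a MongoDB instance reachable from the internet with no access control. The following mongod.conf fragments are an added illustration, not configuration taken from the affected organizations or from this post. The first shows the exposed state described above; the second shows the corrected settings using MongoDB’s standard `net.bindIp` and `security.authorization` options. Port, interface and user names are assumed for the example.

```yaml
# Exposed configuration (constructed example): listens on every interface and
# accepts any client without credentials. This is the state the incidents describe.
net:
  port: 27017
  bindIp: 0.0.0.0            # reachable from the internet
security:
  authorization: disabled    # no username/password required

---
# Hardened configuration: bind only to loopback (or a private interface) and
# require role-based authentication for every connection.
net:
  port: 27017
  bindIp: 127.0.0.1          # add a private address, e.g. 127.0.0.1,10.0.0.5, only if needed
security:
  authorization: enabled     # clients must authenticate before reading or writing
```

Before switching `authorization` to `enabled`, create an administrative user in the `admin` database (via `db.createUser` in the mongo shell) so that you are not locked out. Binding to loopback or a private address keeps the service off the public internet even if authentication is later misconfigured; the two controls should be used together, not as alternatives. Note that MongoDB 3.6 and later bind to localhost by default, so the exposed state arises mainly from older deployments or from an explicit `bindIp: 0.0.0.0`, which is worth checking for in any audit.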

New Threats

Several new malware families, vulnerabilities, and ransomware strains were discovered over the past week. Researchers detected a new variant of the GarrantyDecrypt ransomware that pretends to be the security team of Proton Technologies. Some 19 zero-day vulnerabilities were detected in 5 visitor management systems. Last but not least, a new Ransomware-as-a-Service (RaaS) called ‘Jokeroo’ is being promoted on underground hacking forums.
  • Researchers spotted a new variant of the GarrantyDecrypt ransomware that pretends to be the security team of Proton Technologies. The ransom note, purporting to come from the Proton security team, claims that the victim’s server has been attacked by an outsider and demands a ‘service fee’ of $780 to decrypt the files.
  • The Necurs botnet made a comeback with new capabilities. The botnet leveraged a new technique to evade detection while adding more bots to its network. Researchers found that the latest Necurs campaign used new payloads designed to stay invisible to antivirus programs.
  • Researchers detected 19 zero-day vulnerabilities across 5 visitor management systems: Lobby Track Desktop, EasyLobby Solo, eVisitorPass, Envoy Passport, and The Receptionist. If exploited, these vulnerabilities could allow attackers to access visitor logs, visitors’ contact information, corporate data, and more.
  • Adwind RAT, which was active in 2017, has resurfaced, targeting platforms that run Java applications on the Java Runtime Environment. It is distributed via phishing emails carrying a malicious JAR file attachment. Once the JAR file runs on the system, Adwind RAT is installed and communicates with a remote server to carry out further malicious activity.
  • Researchers have detected a new variant of the Cryptomix ransomware that appends the .clop or .ciop extension to encrypted files. This variant is distributed via executables that have been code-signed with a digital signature. It targets entire networks rather than individual computers.
  • Cybercriminals are targeting vulnerable and exposed Docker containers to run cryptojacking campaigns. They are going after exposed Docker hosts affected by the CVE-2019-5736 runc vulnerability to mine cryptocurrency illicitly. Researchers noted that 3,822 Docker hosts with remote APIs were found to be exposed.
  • A new Ransomware-as-a-Service (RaaS) named ‘Jokeroo’ is being promoted on underground hacking forums and via Twitter. The RaaS is offered in multiple membership packages priced at $90, $300, and $600. In the basic package, a member keeps 85% of the ransom payments.
  • Researchers detected a vulnerability named ‘SPOILER’ that abuses speculative execution to reveal memory layout information. The vulnerability impacts all Intel processors. Researchers noted that the SPOILER flaw could be even more dangerous than the infamous Spectre vulnerability.
  • Researchers observed a new campaign that distributes the StealthWorker malware on Windows and Linux systems. In this campaign, attackers rely on a brute-force-only approach, targeting vulnerable hosts with weak credentials.
  • Researchers discovered a new vulnerability that impacts the Windows IoT Core operating system. The vulnerability affects only Windows IoT Core devices that run a single application, such as smart devices or control boards, and does not impact the more advanced Windows IoT Enterprise edition.
  • A new malware campaign was spotted distributing the Pirate Matryoshka malware via fake torrent pages impersonating The Pirate Bay (TPB). If users download files from these fake torrents, Pirate Matryoshka is installed on the victim’s system. The malware decrypts a second installer, which displays a phishing web page asking for the user’s TPB credentials.
  • Researchers recently uncovered a new backdoor dubbed ‘SLUB’ that propagates via watering-hole attacks. The SLUB backdoor achieves persistence by adding a Run key to the Windows Registry. The backdoor also downloads a Gist snippet in which the attackers store the commands for the malware to execute on compromised computers. The output of every command is sent to a private Slack channel using embedded tokens.


Posted on: March 08, 2019
