Cyware Weekly Threat Intelligence, May 04 - 08, 2020

Share Blog post

The Good

The week comes to an end on a positive note with several governments making advances in tackling COVID-19 related cyberattacks. The OCR released a set of cyber threat resources for healthcare providers to deal with privacy and security threats. Meanwhile, Singapore’s government intensified its monitoring of local e-commerce platforms to remove fake products purporting to treat the disease.

  • Europol arrested five Polish hackers who were part of the Infinity Black hacking group. The group, formed in late 2018, was primarily known for stealing and selling users’ credentials.
  • Researchers announced a decryption key for GoGoogle ransomware that was first spotted in April 2020. The malware, which is written in Go language, generates encrypted files with the .google extension.
  • Singapore’s government scraped more than 1,700 fake COVID-19 related products from e-commerce sites. The purpose was to prevent users from falling victim to false and misleading claims about the disease.
  • The Office for Civil  Rights (OCR) issued a list of COVID-19 related cyber threat resources to help healthcare providers prevent, detect, respond, and recover from privacy and security threats. The initiative was taken due to an increase in targeted attacks against the healthcare sector.

The Bad

Coming to data leaks, Tokopedia, StorEnvy, and Unacademy lost control of their users’ personal data after threat actors gained unauthorized access to their databases. The leaked data included names, birth dates, email addresses, and other confidential details of their customers.

  • Threat actors exploited a Salt software vulnerability to hack into several companies. Some of the impacted ones included the Ghost blogging platform, Lineage OS, and Xen Orchestra.
  • GoDaddy reported a security breach that occurred in October 2019. The incident took place after an unauthorized individual accessed some users’ web hosting accounts via SSH.
  • CAM4 exposed over 4TB of PII of its users due to a misconfigured database. The exposed PII included names, private conversations, and IP addresses of users.
  • An unprotected database potentially exposed over 10,000 legal documents containing sensitive details of commercial property owners. The cache of documents included owners’ house property transaction forms with other authentication details.
  • French floor surfaces company, Tarkett, fell victim to a cyberattack, resulting in a disruption in its operations. The attack occurred on April 29, 2020.
  • Threat actors leaked details of around 91 million Tokopedia users online. The exposed data included names, emails, and birth dates of users.
  • Hackers sold records of 22 million Unacademy users after gaining access to their database. The database was put for sale at a price of $2000.
  • Nintendo was hit by a data leak wherein the source code, demos, videos, and other content for Wii, N64, and GameCube gaming consoles were found on the internet. The details were leaked on Dexerto and later on 4Chan.
  • Taiwan’s Formosa Petrochemical gas stations were hit by a malware attack. In another incident, a newly discovered ColdLock ransomware ransacked several organizations in Taiwan.
  • Details of 44 million Pakistani mobile users were put leaked online this week. The records included customers’ full names, home addresses, phone numbers, and National Identification Numbers.
  • Attackers breached StorEnvy’s database to steal and leak personal details of over 1.5 million customers and merchants. The data contained emails, passwords, full names, usernames, IP addresses, city, gender, and links to social media profiles.
  • Maze ransomware operators claimed that they hacked and stole data from a Minnesota-based egg supplier, Sparboe. The operators broke into the company on May 1, 2020.
  • Shiny Hunters group, who previously offered databases of the Tokopedia, Unacademy, and Microsoft’s GitHub repositories for sale, also sold user records stolen from HomeChef, ChatBooks, and Chronicle.com.

New threats

Talking of new threats reported this week, malicious actors leveraged the wide usage of video-conferencing apps like Zoom and Cisco Webex to launch attacks. While a fake Zoom installer distributed RevCode WebMonitor RAT, a fake Cisco Webex phishing email tricked victims into sharing their credentials.

  • Nearly one million WordPress sites were targeted by exploiting Cross-Site Scripting (XSS) vulnerabilities in plugins and themes. Threat actors aimed at redirecting visitors to malvertising sites.
  • Several new malware like Poulight, LockBit ransomware, Kaiji botnet, and Vcrypt ransomware made their appearance in different attack campaigns this week. While Poulight harvested information from infected systems, LockBit ransomware generated .lockbit extensions for encrypted files. On the other hand, the Kaiji botnet targeted Linux-based servers and IoT devices, and VCrypt ransomware locked files in password-protected 7Zip archives.
  • Cisco Webex and Zoom Installers were exploited by malicious actors to target remote workers. While fake cert errors for Webex were designed to steal users’ credentials, fake Zoom installers downloaded RevCode WebMonitor RAT.
  • 11 malicious extensions designed to steal crypto wallet credentials were identified in Chrome Web Store. While Google removed eight of these extensions, actions are yet to be taken on the remaining three.
  • A new variant of the SLocker Android malware infected users by disguising as ‘About Coronavirus’ app. On the other hand, threat actors updated the evasion capabilities of EVILNUM trojan that targeted the financial sector.
  • Snake ransomware appeared in a large-scale attack campaign targeting numerous businesses and healthcare organizations over the last few days. One of the victims in this campaign was the Fresenius Group.
  • An attack campaign, dubbed Mockingbird, was found exploiting a deserialization vulnerability (CVE-2019-18935) in the ASP.NET open-source web framework to deploy the XMRig Monero-mining payload on Windows systems. The campaign, which started in December 2019, lasted till April 2020.

 Tags

formosa petrochemical corporation
godaddy
cisco webex
tarkett
xen orchestra
maze ransomware
tokopedia
infinity black hacking group

Posted on: May 08, 2020

Get the Weekly Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!