Cyware Weekly Threat Intelligence, November 16 - 20, 2020

Share Blog Post

The Good

Fighting with the ever-evolving cyber threat landscape requires a proactive defensive approach. Keeping this in mind, Google has planned to launch a new Cloud Armor Adaptive security technology that will protect cloud data and applications from application layer DDoS attacks. Moreover, a group of academic researchers has devised a new and advanced IDS/IPS system —called Pigasus —to inspect internet traffic for malicious activities.

  • Starting next year, Chrome’s ‘Privacy practices’ button will enable users to view the type of data being collected by extensions added to their browsers. The new section, which is set to go into effect from January 18, 2021, will also disclose what the extension developers plan to do with the collected data.
  • Researchers at Carnegie Mellon University’s CyLab developed the fastest open-source intrusion detection and prevention system (IDS/IPS) using a single five-processor core server and a field-programmable gate array (FPGA). Named Pigasus, the system is designed to demonstrate a more cost-effective approach to inspect internet traffic for malicious activities.
  • Google launched a new Cloud Armor Adaptive Protection networking security technology that aims to help customers protect data and applications in the cloud. The technology uses machine learning to protect against application layer DDoS attacks.
  • The U.S Senate took a step forward on IoT security by passing the long-pending IoT Cybersecurity Improvement Act. The bill, once signed by the president, will require government agencies to only procure devices that meet minimum information security requirements.
  • Researchers uncovered the decryption key for Nibiru ransomware that uses the Rijndael-256 algorithm to encrypt files. The decryptor program leverages the weakness to decrypt files encrypted by the ransomware.
  • The U.K. government declared a new offensive unit—known as the National Cyber Force  —that aims to disrupt activity by hostile states or cybercriminals.

The Bad

Just like previous weeks, ransomware continued to wreak havoc on organizations, stealing a huge amount of data before encrypting it. The victims include American Bank Systems (ABS), Managed.com, and Cencosud. Security incidents were also reported at two cryptocurrency exchange platforms—Liquid and Origin Protocol—resulting in the loss of personal data of customers and funds, respectively.

  • The operators of Egregor ransomware used a unique approach to threaten their latest target, Cencosud, to pay the ransom. The approach involved repeatedly printing ransom notes from all available network and local printers after an attack.
  • The cryptocurrency exchange platform, Liquid, disclosed a data breach that affected the personal data of its users. The intrusion occurred after a hacker managed to breach some of its employee email accounts.
  • TronicsXchange exposed over 2.6 million files due to a misconfigured Amazon S3 bucket. The database included full names, dates of birth, home addresses, height, and weight of customers.
  • The San Francisco-based Origin Protocol is struggling to recover $7 million worth of Origin Dollar which was stolen by hackers on November 17. The firm had immediately disabled deposits to the vault after detecting the attack.
  • A micropayments platform, Coil, accidentally exposed some of its users’ email addresses in a mass email announcement which was actually related to the company’s privacy policy update. The incident affected at least 1,000 emails.
  • This week, American Bank Systems (ABS) and Managed.com were targeted in different ransomware attacks. While the attack on ABS resulted in the compromise of around 53GB of data, the attack on Managed.com impacted a limited number of customer sites.
  • Researchers discovered a class of AWS APIs that could be abused to leak the AWS Identity and Access Management (IAM) users and roles in arbitrary accounts. In total, there are 22 vulnerable APIs across 16 different AWS services that include Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS), and Amazon Simple Queue Service (SQS).

New Threats

New attack techniques also grabbed the attention of researchers this week. One such attack method demonstrated by academics—called VoltPillager—targets the cryptographic algorithms inside the Intel Software Guard Extensions (SGX). The other attack method, dubbed LidarPhone, involves the exploitation of the built-in LiDAR laser-based navigational component in the vacuum cleaner.

  • Ever since its discovery, Emotet has evolved into a modular trojan for distributing other kinds of malware. To maintain its threat operations,, the trojan is continually evolving  to improve stealthiness, persistence, and spying capabilities.
  • Threat actors are now abusing Google’s free productivity tools and services as part of their phishing campaigns to steal credentials or trick users into installing malware. Some of these tools are Google Forms, Google Firebase, and Google Sites.
  • The U.S. Secret Service revealed that cybercriminals are heavily relying on Venmo, Cash App, Zelle, and PayPal to launder illegally obtained funds meant for COVID-19 relief. These apps are used to hide the source of their stolen funds.
  • Two new skimming malware—a new variant of Grelos and a malware impersonating Sucuri—were found targeting e-commerce sites with an aim to steal the personal and financial information of customers. The malware were injected into the checkout page of the site. Apart from these, experts  spotted a new skimmer attack that used a fake credit card forum and WebSockets to steal data.
  • The DarkSide ransomware operators announced a plan to offer a distributed storage platform for stolen files. This will make it easier for cybercriminals to access the data compared to downloading files through Tor.
  • A massive campaign that exploits the recently discovered ZeroLogon vulnerability is underway around the globe. The campaign, which is thought to be the work of the Cloud Hopper APT group, also uses DLL side-loading attack method and is targeted against automotive, pharmaceutical, engineering, and MSP industries.
  • A new malware strain, dubbed Chaes, was used against MercadoLivre’s e-commerce platform to target Brazilian customers. The malware’s capabilities include pilfering sensitive information from Chrome browser sessions and exfiltrating financial information.
  • The threat landscape also witnessed the emergence of new Jupyter malware that stole information from its victims. The capabilities of the malware include collecting data from multiple applications such as popular web browsers and installing backdoors on targeted systems.
  • As a part of the expansion process, ransomware operators are now partnering with newbie hackers to attack high-profile organizations. The newly added crews, which include the likes of Exorcist, Gothmog, Lolkek, Nemty, Wally, XINOF, and Zeoticus, hardly have any noteworthy accomplishments.
  • Hackers were found scanning the Internet for WordPress sites with Epsilon Framework themes installed to launch function injection attacks. The vulnerable themes are estimated to be installed on over 150,000 sites.
  • After the discovery of the Platypus attack last week, researchers have now come across a new hardware-based voltage manipulation attack against Intel CPUs. Named VoltPillager, the attack targets the cryptographic algorithms inside the SGX.
  • Despite the availability of security patches, it is found that there are still more than 245,000 Windows systems that are vulnerable to a year-old BlueKeep vulnerability. Similarly, more than 103,000 Windows systems also remain vulnerable to SMGGhost.
  • Researchers discovered a new Chinese APT group called ‘FunnyDream’ that targeted more than 200 systems across Southeast Asia. The group combined three malware payloads—Chinoxy, PCShare, and FunnyDream to infect systems.
  • The Lazarus group is believed to be behind a spate of supply chain attacks that leveraged WIZVERA VeraPort software to deploy malware in devices of South Korean users. The attackers also abused legitimate security software and digital certificates stolen from two different companies as part of the attack.
  • Threat actors behind Malsmoke appear to be using social engineering schemes instead of exploit kit delivery chains to launch attacks against online users. One such campaign involved the use of a fake Java update that tricked users into visiting adult sites.
  • A team of academics detailed a new attack method that converted a smart vacuum cleaner into a microphone capable of recording nearby conversations. Named LidarPhone, the technique works by leveraging the vacuum’s built-in LiDAR laser-based navigational component.

 Tags

voltpillager
darkside ransomware
wizvera veraport software
egregor ransomware
liquid
american bank systems abs
pigasus
coil
lidarphone attack
cloud armor adaptive security technology
chaes

Posted on: November 20, 2020

Get the Weekly Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!