Cyware Weekly Threat Intelligence, November 18 - 22, 2019

The Good

As we gear up to welcome the weekend, let’s quickly glance through the major cybersecurity happenings of the week. The ‘Cybersecurity Protocol for International Arbitration (2020)’, a set of guidelines on cybersecurity measures for individual arbitration matters, was published. The state of Virginia has developed a new model to quantify cybersecurity risks. Meanwhile, several security vendors and non-profits have collaborated on an initiative called ‘Coalition Against Stalkerware’ to fight against stalkerware.

  • The Cybersecurity Protocol for International Arbitration (2020), a detailed set of guidelines on cybersecurity measures for individual arbitration matters, was released as part of New York Arbitration Week. The guidelines were the work of a cybersecurity group including representatives from the New York City Bar Association (City Bar), the International Institute for Conflict Prevention & Resolution (CPR), and the International Council for Commercial Arbitration (ICCA).
  • The state of Virginia has developed a new model for quantifying cybersecurity risk and prioritizing defenses. This model is said to be an adaptation of multiple standards for quantifying risk. The model’s accuracy was tested by comparing the outcomes of past breaches with known variables against the model’s predictions, and numbers were found to be fairly close.
  • Several antivirus vendors and non-profits have collaborated on an initiative called the ‘Coalition Against Stalkerware’. This global initiative is said to be the first of its kind and focuses on fighting against stalkerware. This coalition plans to work on multiple fronts to achieve its goal.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) and the non-profit organization VotingWorks have released an open-source tool named ‘Arlo’. The tool is designed to support post-election audits in the U.S. Such audits aim to safeguard the election process against hacked or faulty voting systems.

The Bad

This week witnessed several cybersecurity incidents. Macy’s disclosed that it was the victim of a security breach that possibly compromised customer payment information. T-Mobile suffered a security breach that affected some customers of its prepaid service. In other news, an unsecured AWS S3 bucket exposed data belonging to thousands of PayMyTab customers.

  • Department store chain Macy’s disclosed the details of a data breach involving malicious scripts that stole customers’ payment information. The website was reportedly hacked on October 7, 2019, and the malicious script was injected into the 'Checkout' and 'My Wallet' pages. Macy’s said that only a small number of customers were impacted by this breach.
  • The U.S. branch of T-Mobile announced a security breach that affected some customers of its prepaid service. The exposed data included customer names, phone numbers, account numbers, billing addresses, rate plans, and plan features. The company said that no sensitive information was compromised.
  • The state of Louisiana suffered a ransomware attack impacting websites and IT systems. As a response to the attack, the state’s cybersecurity team was activated. The extent of damage to the government’s internal system caused by this cyberattack is not clear yet.
  • Just hours after Disney+ video streaming service was launched, cybercriminals reportedly started hacking user accounts. Thousands of user account credentials were said to be available for sale on hacking forums. Many customers said that their accounts’ emails and passwords were changed.
  • An unsecured Amazon Web Services (AWS) S3 bucket exposed data belonging to PayMyTab customers. The leaked information includes customer names, email addresses, telephone numbers, last four digits of payment cards, restaurant visit information, and order details. This leak reportedly impacts thousands of people.
  • The National Veterinary Associates (NVA) fell victim to a Ryuk ransomware attack impacting 400 clinics across the country. Payment systems, practice management software, and patient records were encrypted as a result of the attack. Two security firms have been hired to help the organization recover.
  • Personal information and account credentials of 1.4 million users of cryptocurrency wallet service GateHub and about 800,000 users of gaming tools provider Epicbot were posted online. The databases contained email addresses and passwords that were hashed.
  • The official Monero cryptocurrency project website was hacked and legitimate Linux and Windows binaries were replaced with malicious versions. The malicious programs were found to be designed to steal users’ wallet seed and share them with an attacker-controlled server. Details about how the website was compromised and how many users were affected are not clear yet.
  • The Rouen University Hospital-Charles Nicolle in France was hit by a ransomware attack that impacted 6,000 computers across all five sites of the hospital complex. The IT systems were closed down to prevent the infection from spreading. Details about the ransomware strain responsible are not yet known.
  • An unsecured database belonging to the Gekko Group leaked more than 1 terabyte of data. The leak impacted citizens of several countries, including the United Kingdom, Spain, Italy, Israel, Belgium, and France. The exposed data includes names, home addresses, email addresses, PII of children, destination hotels, reservation dates, travel dates, prices of stays, and data from other reservation platforms.
  • Security researchers discovered 1.19 billion confidential medical images exposed on the internet along with patient names, dates of birth, ID cards, and reasons for examination. This exposure is believed to be the result of leaky PACS servers.
  • Washington-based Wizards of the Coast, the game developer of ‘Magic: The Gathering,’ disclosed a security breach that impacted the account data of more than 452,000 players. The database contained player names and usernames, date and time of account creation, hashed and salted passwords, and email addresses.

New Threats

Security experts brought several malware strains and vulnerabilities to light this week. A new phishing campaign targeting Office 365 administrators was spotted. Cisco’s VoIP adapters were reported to contain 19 security flaws. Meanwhile, a camera vulnerability in Google and Samsung phones was found to affect millions of devices.

  • Security experts have spotted a new phishing campaign targeting Office 365 administrators. The campaign was observed to use legitimate sender domains to bypass reputation filters. This campaign was found to be targeting admins across several industries and enterprises.
  • Researchers discovered 19 flaws in VoIP adapters from Cisco's SPA100 Series. These flaws potentially allowed malicious actors to eavesdrop on user conversations, infiltrate the internal network, and initiate fake phone calls. Cisco has issued patches for these vulnerabilities in a new firmware release.
  • A camera security vulnerability on Google and Samsung devices was found impacting millions of devices. Tracked as CVE-2019-2234, this flaw allows cybercriminals to hijack the phone and take pictures or record videos even on locked devices. Both Google and Samsung have released patches for this issue.
  • An XSS vulnerability in Gmail was addressed by Google this week. This security flaw was in the AMP4Email feature released in July this year. The feature reportedly did not implement a validation system to prevent cross-site scripting (XSS) attacks.
  • A new malware dubbed ACBackdoor was discovered infecting Windows and Linux systems allowing attackers to run malicious code on the compromised systems. The malware was found to be stealing information such as system architecture and MAC addresses of the infected machines.
  • A new keylogger dubbed Phoenix was found attempting to stop more than 80 security products to avoid being detected. This malware has been linked to more than 10,000 infections since its launch in July this year. Researchers noted that this malware was primarily being used to harvest credentials.
  • The Microsoft Security Response Center (MSRC) issued a warning to its customers about the threat of ongoing DoppelPaymer ransomware attacks. It encouraged security administrators to implement best practices to defend against this threat.
  • Security experts identified a phishing campaign that targeted more than 100,000 people. The phishing emails were disguised to be from the US Internal Revenue Service (IRS) and the fake IRS pages were observed to be hosted on legitimate domains that were compromised. This campaign remained active for 47 days and involved 289 domains as well as 832 URLs.
