Cyware Weekly Threat Intelligence, October 05 - 09, 2020


The Good

With the rise in sophistication of cyberattacks, several government agencies have come up with different cybersecurity strategies to protect organizations and individuals. Acting in this direction, Singapore has decided to form a panel consisting of global experts to tackle cyberattacks against OT systems. On the other hand, DHS’ Science and Technology Directorate (S&T) has invented a new technology called TrustMS to protect apps against manipulation, buffer overflows, and execution of unintended code.  

  • Singapore is planning to form a panel of global experts to tackle cyberattacks against OT systems. Additionally, it has unveiled a cybersecurity blueprint, based on 2016’s cybersecurity strategy, to focus on digital infrastructures and cyber activities.
  • The DHS’ Science and Technology Directorate (S&T) has designed a new technology called Trusted Mobile System (TrustMS) to secure apps from cyberattacks. It provides protection against exploits such as stack manipulation, buffer overflows, execution of unintended code, and even execution of an app’s code in incorrect order.
  • The NIST has launched a crowdsourcing challenge that aims to protect individuals’ data privacy. The objective of this challenge is to safeguard the integrity of data when shared with vendors.

The Bad

Data leak incidents made headlines this week. Some of the victim organizations included Airline International UAE, SEPTA, and Chowbus. In addition to this, threat actors leveraged legacy software—Magento 1.x and PHP version 5.6.40—to compromise online stores in different skimming attacks. 

  • A threat actor shared sensitive data of Airline International UAE for free on the dark web. The data was stolen from a misconfigured server that contained 60 directories with approximately 5,000 files each. 
  • The Southeastern Pennsylvania Transportation Authority (SEPTA) struggles with the restoration process after falling victim to a ransomware attack in August. Post-attack, the employees were unable to access their emails and riders stopped receiving real-time travel information. 
  • Food delivery service Chowbus exposed 800,000 user records after hackers gained unauthorized access to its systems. The compromised data includes names, phone numbers, and email addresses of users. In another data leak incident, Snewpit exposed close to 80,000 user records due to an unsecured bucket.
  • Fraudsters siphoned off $15 million from a U.S. company in a well-planned BEC attack that lasted for about two months. They used Microsoft Office 365 email services as part of the evasion strategy. 
  • The Fullz House threat actor group compromised the Boom! Mobile website and injected skimmer code into its checkout page to steal payment details of users. Researchers found that the website was compromised due to the use of an old version of PHP that is no longer supported. In another credit card skimming attack, threat actors targeted Playback Now customer sites with the aim of stealing personal and financial details of users.
  • The insurance company, Ardonagh Group, was forced to suspend 200 internal accounts with admin privileges following a ransomware attack that occurred last week. 
  • Philadelphia-based eResearchTechnology, which provides clinical trial oversight software to drug makers and testing firms, was recently hit by a variant of Ryuk ransomware. This limited the operations of clinical trials in testing firms. 
  • Threat actors extorted about 20 Israeli cryptocurrency executives after hacking into their phones, Telegram accounts, and email accounts. The hack took place in September.    
  • Several schools suffered cyberattacks in one form or another. Threat actors hacked several Swiss universities in a massive spearphishing attack to pilfer employee salary payments. In addition, Gulf Coast State College notified its students and employees about a data breach incident that took place between March 31 and June 3. The Springfield Public Schools district in Massachusetts was forced to shut its schools after a ransomware attack on October 8.
  • Wisepay, a Hampshire-based cashless school payments firm, pulled its website offline after spotting a miscreant trying to spoof its card payment systems. The intruder intended to steal customer payment card details.
  • Sam’s Club issued a breach notification to customers who were hacked in credential stuffing attacks. The activity was first detected in September.    

New Threats

Talking about new threats, experts demonstrated a new fileless technique called Kraken that abuses Windows Error Reporting (WER) service as a defense evasion mechanism. Making headway, security researchers developed a new jailbreaking technique by combining checkm8 exploit and Blackbird vulnerability. 

  • A collection of 240 fraudulent Android apps, masquerading as retro game emulators, were removed from Google Play Store. The ultimate goal of these apps was to deploy adware on targeted phones. 
  • Researchers came across a new Android ransomware that locks access to the phone rather than encrypting data on the device before leaving a ransom note for the victim. 
  • A new toolset, dubbed MontysThree, played a major role in a targeted industrial espionage attack, back in 2018. The toolset relied on RAR self-extracting archives (SFX) for distribution. 
  • A new phishing email attack that pretended to offer updates on the U.S. President’s health was used to distribute the BazarLoader backdoor trojan. The email included a link that redirected victims to a malicious webpage, from where the malware got downloaded in the background.
  • A massive cyberespionage campaign, propagating Waterbear Loader, was unearthed by security experts. The campaign, which dates back to April 2020, was targeted against Taiwanese government agencies and used a Heaven’s Gate technique to trick security solutions.
  • The week witnessed the discovery of several new botnets: HEH, Demonbot, Scarface, and Ttint. While the HEH botnet is capable of wiping all the data from IoT devices, Demonbot and Scarface are built to target Hadoop and IoT devices respectively. Ttint is a new form of botnet that includes remote access tool-like features.
  • Experts demonstrated a new fileless technique called Kraken that abuses the Windows Error Reporting (WER) service as a defense evasion mechanism. In another development, security researchers built a new jailbreaking technique by combining checkm8 exploit and Blackbird vulnerability.  
  • A new version of PoetRAT was used against Azerbaijan’s public sector and other prominent organizations. The actors leveraged Microsoft Word documents to spread the trojan. The notorious TeamTNT group was also found using a new variant of Black-T malware in its latest cryptomining attacks against vulnerable Docker instances.
  • The first cyberattack incident associated with the exploitation of the Zerologon flaw also came to light this week. The campaign was carried out by the MuddyWater threat actor group.      


Posted on: October 09, 2020
