Cyware Weekly Threat Intelligence, October 07 - October 11, 2019

The Good

Before we get ready to welcome the weekend, let’s explore all the cybersecurity happenings this week. We’ll start by looking at the positive advancements and then move to security compromises and threats. Researchers are working on a new technology called Cyber Anomaly Detection System that can warn pilots when there is a cyber attack. On the other hand, delegates from nearly 50 countries participated in the Warsaw Process cybersecurity group discussions in Seoul. Meanwhile, a new cybersecurity method inspired by the human body is being developed to predict cyber attacks.

  • Researchers are working on a new technology called Cyber Anomaly Detection System that can detect cyber intrusions on drones and military helicopters. The current version is a warning system that only detects attacks; future versions are expected to counter attacks and possibly repair the damage.
  • The Warsaw Process cybersecurity group convened in Seoul on October 7 and 8. Nearly 50 countries participated in this meeting co-chaired by the Republic of Korea, Poland, and the United States. The delegates discussed promoting cyberspace stability, preventing malicious cyber activity, combating cybercrime, and safeguarding critical infrastructure.
  • Researchers are developing a new cybersecurity method that is inspired by the human body. Using machine learning, the system would be taught to recognize various cyber threats. This method is expected to predict an attack before it happens by observing changes in the environment.
  • Researchers are developing a machine-learning model that can flag serial BGP hijackers before they launch an attack. The system identifies Autonomous Systems (ASes) whose behaviour resembles that of known serial hijackers, allowing network operators to treat their announcements with suspicion proactively rather than reacting after a hijack.
  • The Australian Cyber Security Centre (ACSC) has published a cybersecurity guide for small businesses. The guide describes common cyber threats and ways to prevent them, and outlines software considerations as well as recommendations on people and procedures that businesses can adopt.

The Bad

Several data breaches and incidents were reported this week. The website of Tū Ora Compass Health was hit by a cyberattack that possibly compromised the medical data of a million New Zealanders. The data of 8.7 million customers is being sold online after Beeline, the Russian internet service provider, suffered a data breach. In other news, more than 6,500 firms were affected by a cyber attack on the eCommerce software company Volusion.

  • Tū Ora Compass Health disclosed a cyber attack on its website that put the medical data of a million New Zealanders at risk. The possibly compromised information includes names, dates of birth, ethnicity, addresses, National Health Index numbers, and enrolment information at medical centres. The attack occurred in August, and officials were unable to confirm whether any information was actually accessed.
  • Russian internet service Beeline fell victim to a data breach that resulted in the data of 8.7 million customers being sold online. The data contains personal information including names, phone numbers, and addresses. Beeline said that the compromised data belonged to Russian customers who opted for home broadband connections before November 2016.
  • Attackers compromised Volusion, an eCommerce software firm, impacting more than 6,500 online stores. After gaining unauthorized access to Volusion's Google Cloud infrastructure, the attackers injected malicious JavaScript that was served to customer storefronts and harvested payment card details as shoppers entered them online.
  • An unsecured cloud database belonging to Freedom Healthcare Staffing exposed over 957,000 healthcare records. The exposed data includes employee marital status, job seeker and recruiter data, and internal communication records, among others. The database has since been secured with a password and the stored data encrypted.
  • UAB Medical’s payroll department was hit with a phishing attack that compromised the health information of 19,557 patients. Patient names, treatment information, dates of birth, diagnosis and certain patients’ social security numbers were among the compromised records. The medical center is sending out notifications to the affected patients.
  • Unauthorized access to TransUnion Canada's web portal led to the leakage of consumer credit files. The attackers used credentials stolen from a legitimate TransUnion customer with portal access; with the right search query, they could retrieve credit files containing names, dates of birth, current and previous addresses, and credit information.
  • Malaysian firm Hibiscus Petroleum announced that it was hit by a cyber attack. Certain parts of the system that were affected were isolated and partially shut down. The firm said that the systems were being restored and production was not affected.
  • Methodist Hospitals in Indiana disclosed a possible exposure of data belonging to 68,039 individuals because of a phishing attack. Although there is no evidence yet of misuse of the information, officials have not ruled out the possibility. The exposed information includes names, usernames and passwords, Social Security Numbers, and dates of birth apart from other information.

New Threats

This week, a number of new threats were discovered. A decryptor for the Nemty ransomware that recovers impacted files has been published. In other news, a BitPaymer ransomware campaign exploiting a zero-day vulnerability in iTunes for Windows was reported. The United Kingdom's NCSC issued a warning about APT groups exploiting vulnerabilities in several enterprise VPN products.

  • Researchers have published a decryptor for the Nemty ransomware that allows victims to recover files at no cost. The decryptor currently works only for certain file types such as AVI, GIF, and MP4 among others. The generation of the decryption key is done on the researchers’ servers to prevent hackers from analyzing the decryptor.
  • A BitPaymer ransomware campaign that exploits a zero-day vulnerability in iTunes for Windows has been observed. Researchers found the campaign targets public and private sector organizations in the U.S. The security flaw is in the Bonjour updater component that iTunes uses to deliver updates, and it can persist on a machine even after iTunes itself has been uninstalled.
  • The United Kingdom’s National Cyber Security Centre (NCSC) has issued a warning that Advanced Persistent Threat (APT) groups are exploiting recently disclosed vulnerabilities in VPN products from Fortinet, Palo Alto Networks, and Pulse Secure. The vulnerabilities potentially allow attackers to retrieve files containing sensitive data including authentication credentials.
  • A major security flaw was discovered in the Indian local search app Justdial. Hackers could exploit the vulnerability to log in to the accounts of any of the 156 million users. The company said that there was no loss of data and that the bug was patched.
  • An old Twitter API used by many iOS apps was discovered to be vulnerable to man-in-the-middle attacks. It could potentially allow hackers to take over Twitter accounts and third-party apps with the ‘Login with Twitter’ feature. The vulnerability is due to a flawed TwitterKit library that was replaced by Twitter.
  • Security researchers discovered a vulnerability in Ghidra, the reverse engineering tool developed by the NSA. The vulnerability can allow hackers to execute arbitrary code in the affected application. However, it can only be exploited when experimental mode in Ghidra is enabled.
  • A new zero-day kernel privilege-escalation bug affecting certain Android devices has been reported. The flaw is reachable from inside the Chrome sandbox, so it can be chained with a renderer exploit to escape the browser and gain kernel privileges. A patch is expected to ship with the October Android security update.
  • Researchers have discovered a new espionage platform named Attor with GSM fingerprinting capabilities. Attacks using the platform targeted government and diplomatic entities in Eastern Europe. It was observed monitoring specific processes, including those associated with Russian social networks.
  • Researchers have disclosed a remote code execution vulnerability in certain models of D-Link routers. Since the affected products have been discontinued, there will be no security patch released for the vulnerability. It is considered a critical vulnerability as it can be exploited remotely without authentication.
  • An already-patched remote code execution vulnerability was observed being used in a series of cyber attacks. Dubbed Drupalgeddon2, the bug affects the open-source Drupal content management system. Researchers reported that the attackers hid their malicious payload inside files disguised as GIF images on the compromised servers.
  • The FBI issued a security advisory about an increasing number of social engineering and technical attacks that could bypass multifactor authentication. The advisory also warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of tools such as NecroBrowser. FBI urged private industry partners to consider the warning as a precaution and recommended the use of MFA.
  • Threat actors responsible for the RobbinHood ransomware have changed the language of their ransom note. The new message states that the files cannot be decrypted for free and warns victims not to contact any security organization, turn off the system, or rename files.
