Cyware Weekly Threat Intelligence, October 12 - 16, 2020

The Good

The network router is an easy target for cybercriminals who are looking for ways to breach home networks. Following the rise in cybersecurity incidents due to vulnerable routers, the Singapore government has published a list of new security protocols for new home routers. The new mandate will come into action from April 13, 2021. Meanwhile, North Carolina has launched a cybercrime hotline owing to the rise in losses due to COVID-19 scams.

  • North Carolina started a cybercrime hotline following the rise in financial losses owing to COVID-19-related cyber scams. State residents have reported COVID-19-related fraud losses of over $4 million since March, according to FTC data.
  • The U.S. Government Accountability Office (GAO) called on the Federal Aviation Administration to take action to protect modern commercial airplanes from cyberattacks. The agency warned that if avionics systems are not properly protected, they could be at risk from a variety of cyberthreats.
  • The U.K. government announced plans to implement advanced offensive and defensive cyber capabilities to disrupt the critical infrastructure of adversaries. This initiative will be primarily steered by GCHQ.
  • The Singapore government introduced a new list of security requirements for home routers that will come into action from April 13 next year. The enhanced requirements include unique login credentials for each device, minimum password strength, disabling of unused system services, and download of firmware updates.

The Bad

Several large data leak incidents made headlines this week; the largest share of the exposed data came from the VoIP provider Broadvoice, which leaked more than 350 million customer records through a misconfigured Elasticsearch database. In another incident, cybercriminals stole over $22 million in funds from users of the Electrum wallet app by tricking them with a fake wallet update message.

  • Ransomware attacks continued to freeze their targets’ operations by encrypting their systems. This week, the affected organizations include the names of Ubisoft, Crytek, Software AG, and Seyfarth Shaw.
  • A cyberattack on Barnes and Noble’s Nook services disrupted users’ ability to access Nook libraries, their previous purchases, and more. Malware infection on POS systems was claimed to be the reason behind the attack.
  • Several government agencies across the globe also came under attack in different incidents. The targeted agencies include the foreign ministry in Norway, Hackney Council in London, and two government departments in Iran.
  • The week also witnessed several unsecured database instances, exposing a wide range of sensitive data belonging to different firms. The impacted organizations were teamDigital, Intcomex, Broadvoice, and Panion.
  • Cybercriminals stole more than $22 million in user funds in multiple campaigns targeting the Electrum wallet app over more than two years. The attacks relied on a social engineering technique in which users received a false message prompting them to update their wallets.
  • A threat actor group named Spectre123 allegedly leaked sensitive data from NATO and Havelsan online. The documents included work files, proposals, contracts, 3D designs, resumes, Excel sheets containing raw materials information, and financial statements.
  • Joker’s Stash dark market forum was abuzz after a hacker dumped card details for 3 million Dickey’s Barbecue Pit users. The data, which was compromised between July 2019 and August 2020, was sold for a median price of $17 per card.

New Threats

The week grabbed the attention of security experts due to the rise of the TrickBot trojan from the ashes. Despite the takedown of its backend infrastructure, the trojan made its comeback in a new form by replacing the affected domains with fresh ones. That’s not all: the gang also enhanced the capabilities of the BazarLoader backdoor to distribute Ryuk ransomware onto victims’ machines.

  • The use of fake Windows themes is becoming popular among malicious hackers. The week witnessed two cybersecurity incidents where booby-trapped Windows updates and fake Windows Defender Antivirus themes were used to spread Emotet and QBot, respectively.
  • The Mirai botnet emerged this week in the form of four new variants. Additionally, researchers observed that the botnet was exploiting two new command injection vulnerabilities in the wild.
  • A new framework, named SolarSys, was observed to be actively used in Brazil. The framework was primarily used to distribute trojans.
  • Researchers came across a complex cryptomining campaign that marked the return of Lemon Duck malware. It stole computer resources to mine the Monero currency. The malware was propagated through RTF files using email, psexec, WMI, and SMB exploits.
  • Despite a major takedown attempt, the TrickBot trojan made a comeback after its operators replaced its disrupted backend infrastructure with a new one. The gang also revamped the BazarLoader malware to deploy Ryuk ransomware on high-value targets.
  • After going through several attack patterns, researchers claimed Thanos ransomware to be a creation of the MuddyWater threat actor group.
  • The Silent Librarian is back in action, targeting universities across the globe in a massive spearphishing campaign. The group’s primary focus is on universities in the U.S., the U.K., Canada, Australia, and the Netherlands.
  • Researchers noticed a new financially motivated hacking group, FIN11, that targeted pharmaceutical companies and other healthcare organizations during the COVID-19 pandemic. The group’s tactics and techniques overlap with those of the group known as TA505.
  • A new report highlights that ransomware operators are buying network access credentials, vulnerable endpoints, and compromised employee accounts to simplify their attack process. Access to these entities is priced between $300 and $10,000.

Posted on: October 16, 2020