
Cyware Weekly Threat Intelligence, October 21 - 25, 2019

The Good

Before we get ready to wrap up for the week, let’s glance through the weekly updates in the world of cybersecurity. We’ll begin with the positive developments. Twelve cybersecurity service and software providers have formed the Operational Technology Cyber Security Alliance (OTCSA) with the aim of protecting operational technology in critical and industrial infrastructure from cyberthreats. The Federal Bureau of Investigation (FBI) has expanded its tools and resources to assist in protecting the U.S. elections from cyber attacks. Meanwhile, researchers have developed an open-source tool called VisibleV8, which can detect malicious programs that evade existing malware detection systems.

  • Twelve cybersecurity service and software providers have come together to form a global alliance called Operational Technology Cyber Security Alliance (OTCSA). This alliance will focus on protecting the operational technology in critical and industrial infrastructure from cyber threats. The membership is said to be open to any company that works with OT systems or critical infrastructure.
  • The Federal Bureau of Investigation (FBI) has updated its resources and tools to help protect the U.S. elections from cyberattacks. The FBI along with the Department of Homeland Security (DHS) and the Director of National Intelligence (DNI) has released a number of short videos. These online tutorials highlight social engineering and foreign influence cybersecurity measures for political campaigns.
  • Researchers from North Carolina State University have developed an open-source tool called VisibleV8 that can track and record JavaScript program behavior without alerting the websites that run the programs. The tool runs in the Chrome browser and can detect malicious programs that may evade existing malware detection systems. It is said to contain only 600 lines of code.
  • The Federal Trade Commission (FTC) has released an article promoting the International Charity Fraud Awareness Week (ICFAW). This year’s ICFAW is from October 21 to 25. Key participants of this coordinated campaign include the British Council, Chartered Accountants Worldwide, Australian Charities and Not-for-profits Commission, and New Zealand Charities Service, among others.
  • The Governor of Indiana, Eric J. Holcomb, has announced that Indiana will host the country’s fifth National Guard cyber battalion. The battalion is expected to include almost 100 soldiers who focus on cybersecurity. They will be given access to the U.S. Department of Defense’s live cyber range, which provides realistic simulators for cyber warfare testing and training.

The Bad

With two cybersecurity firms disclosing the details of security compromises they fell victim to, this week has all of us on our toes. Cybersecurity software provider Avast disclosed a security breach that was similar to the 2017 CCleaner incident. In similar news, VPN service provider NordVPN disclosed a breach that affected one of its data centers in March 2018. Meanwhile, a distributed denial-of-service (DDoS) attack hit Amazon Web Services and lasted for almost 8 hours.

  • Internet security software provider Avast disclosed that a security breach was detected on September 23, 2019. The attackers compromised an employee’s VPN credentials to gain access to an account that was not protected using a multi-factor authentication solution. The attack is said to be similar in nature to the infamous CCleaner 2017 incident.
  • NordVPN disclosed a data breach that affected one of its data centers in March 2018. The company said that the breach happened because of poor configuration on a third-party data center. No other servers or user credentials are said to be impacted.
  • Amazon Web Services was hit by a distributed denial-of-service (DDoS) attack that lasted for around 8 hours. The attack primarily impacted the company's Route 53 DNS web service. This caused service outages for many websites and took parts of AWS offline.
  • Personal and travel information of thousands of users, including U.S. government and military personnel, was exposed by a leaky database belonging to the reservations management system Autoclerk. The database, holding over 179 GB of data, was reportedly hosted on AWS in the U.S. The exposed data includes full names, dates of birth, home addresses, phone numbers, unencrypted login credentials, dates and costs of travel, and masked credit card details.
  • A misconfigured MongoDB database with around 2.8 million records of customer data was found exposed. The database belongs to communications and IT services firm CenturyLink. Compromised information includes customer names, email addresses, phone numbers, and addresses.
  • Researchers have observed a trojanized Tor Browser version that steals bitcoins from darknet market users. It is distributed through two fake websites that claim to offer the official Russian-language version of the Tor Browser. Using this browser, malicious actors have stolen 4.8 bitcoin, worth more than $40,000, from users of three darknet markets.
  • Nine unsecured medical databases were found to be exposing millions of patient records. The exposed information includes full names, addresses, Social Security Numbers, prescriptions, medical observations, and lab visits. These databases belong to Biosoft, ClearDent, DeepThink Health, Essilor, Naiis, Stella Technology, Tsinghua University, VScript, and Sichuan Lianhao Technology.
  • German automation technology provider Pilz disclosed that it fell victim to a cyberattack that impacted all of the company's servers and PC workstations. As a precautionary measure, the firm disconnected all computer systems from the network and blocked access to the corporate network. The company's website is currently said to be only partially functional.
  • Financial services provider Billtrust suffered a ransomware attack that impacted some of its computing systems. The company said that no customer data was compromised as a result of this attack. Billtrust is in the final stage of bringing all its systems online from backups.
  • Canada Post disclosed that unauthorized access had been recorded on some online customer accounts. As a result, the company is resetting the passwords of all online accounts. The company said that there was no data breach; rather, the credentials had been stolen in other data breaches and customers had reused the same credentials for their Canada Post accounts.
  • Kalispell Regional Healthcare (KRH) was the victim of a targeted phishing attack that compromised the login credentials of several employees. This may have potentially led to the exposure of personal information of the patients including name, date of birth, address, Social Security Number, medical record number, telephone number, and more. Although officials have not found any indication of the data misuse yet, notification letters were mailed to potentially impacted patients.
  • Johnson City in Tennessee suffered a ransomware attack that affected some of the municipality’s computer systems. The ransom note asked city officials to contact an email address for payment instructions and claimed that the government’s backups had been encrypted as well. The municipality has refused to pay the ransom and is working on restoring the impacted systems.
  • A scripting error on the National Neurology Registry’s website is said to have made the private information of over 17,000 patients vulnerable to exposure. It may have potentially allowed unauthorized access to a confidential database that contains phone numbers and addresses. The Health Ministry, along with the National Cyber Security Agency (NACSA), Malaysia Communications and Multimedia Commission (MCMC), and Cybersecurity Malaysia are working on investigating this incident.
  • A new phishing campaign targeting various humanitarian organizations around the world, including the Red Cross, the United Nations, and UNICEF, has been discovered. The infrastructure behind this campaign is believed to have been active since March 2019. This mobile-aware campaign harvests credentials by logging keystrokes.
  • Certain Geisinger Health Plan members had their personal health data exposed due to a suspected phishing attack on one of its business associates, Magellan NIA. Although Geisinger Health Plan believes that the attack was aimed at spamming and not data theft, the possibility of data theft could not be ruled out. The number of members affected by this incident is not yet available.

New Threats

This week witnessed the rise of several malware strains and vulnerabilities. The United States Federal Bureau of Investigation (FBI) has issued a warning about Magecart attacks for SMBs and government agencies that accept online card payments. The National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC) have released a joint statement that Russian threat actor Turla compromised an Iranian threat group and launched cyberattacks on various countries. In other news, a Linux security flaw that potentially allows the compromise of machines has been disclosed.

  • The US Federal Bureau of Investigation (FBI) has issued a warning about Magecart or web-skimming attacks. This warning is specifically for small and medium-sized businesses and government agencies that accept card payments online. Recommendations and mitigations also accompanied this warning.
  • The National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC) have released a joint statement about Turla, a Russian threat actor, compromising the infrastructure of an Iranian threat group to launch cyberattacks on several countries. Turla is believed to have exfiltrated data from the Iranian APT, including directory listings and files, keylogger output containing operational activity, and connections to Iranian C2 domains.
  • A Linux security flaw in the ‘rtlwifi’ (Realtek WiFi) driver has been disclosed. Tracked as CVE-2019-17666, this bug potentially allows attackers to fully compromise affected machines. The Linux team has developed a patch that is still under review and has not yet been merged.
  • Researchers have identified a new campaign that delivers a new variant of the Remcos RAT. The campaign starts with a phishing email disguised as a payment advisory sent from a legitimate domain. The malware collects several pieces of information from infected machines, including the user name, location, device uptime, and physical memory capacity.
  • Companies have been found to be exposing data unintentionally by misusing Alphabet’s virus scanner. Thousands of files belonging to companies across various sectors have been found exposed by researchers. The files contain information including blueprints and building entry points.
  • The Gustuff banking trojan was spotted with an updated set of features in a new campaign. This new version does not have the commands and code related to the socks server or proxy, unlike the previous version. However, security experts say that there is no difference in the way the campaign is run.
  • A new class of web cache poisoning attacks, named ‘Cache-Poisoned Denial of Service (CPDoS)’, has been outlined by researchers. It can block and disable any web resource distributed through Content Distribution Networks (CDNs) by means of an HTTP request carrying a malicious header. Web Application Firewalls (WAFs) are recommended to mitigate this attack.
  • Analyzing the domains and activities of Magecart Group 5 has led researchers to the conclusion that there are connections with the Carbanak group and Dridex phishing campaigns. Dridex is a banking trojan and Carbanak is a sophisticated threat group that targets banks.
  • Researchers have uncovered a new ransomware dubbed MedusaLocker. This malware is still under analysis and details such as distribution methods are not yet known. It has been observed to leave ransom notes in each folder that has an encrypted file.
  • A new malware dubbed Spidey Bot has been observed targeting Discord users. It modifies the Windows Discord client into an information-stealing backdoor. The Discord user token, screen resolution, the victim's local IP address, username, and email address are among the harvested information.


Posted on: October 25, 2019