Cyware Weekly Threat Intelligence, October 26 - 30, 2020

Share Blog Post

The Good

The week comes to an end on a positive note with different government agencies across the globe making good strides toward addressing cyber threats. The U.S. Federal Trade Commission (FTC) launched a new cyber-fraud reporting platform to protect users from frauds and scams. On a tangent, the New South Wales government made a decision to form a dedicated cyber and privacy resilience group to enhance the security of customers’ data. Furthermore, the Australian Department of Home Affairs proposed national security laws to protect critical infrastructure against cyberattacks.

  • The Norwegian government seeks to develop a robust IT infrastructure to thwart malicious attacks from cyberspace. The initiative was taken following the repercussions of a high-profile cyberattack on the Norwegian parliament on August 4.
  • The New South Wales government made a decision to form a dedicated cyber and privacy resilience group to enhance the security of residents’ data. The task force will focus on cyber resiliency and privacy risks across the government.
  • Researchers at CMU’s CyLab Security and Privacy Institute found that their neural networks model can help users pick more secure passwords. To claim the research, a series of different machine-generated password recommendations was evaluated..
  • The Australian Department of Home Affairs proposed national security laws to protect critical infrastructure against cyberattacks. The proposed laws will grant federal government agencies the power to take direct action against cyberattacks and obtain information from critical infrastructure entities of national interest.
  • The U.S. FTC launched a new cyber-fraud reporting platform, ReportFraud.ftc.gov, to help consumers easily report fraud, scams, or bad business practices.

The Bad

Data breach incidents continued to inflict woes on organizations globally. This week, Nitro PDF came under the scanner after malicious actors gained unauthorized access to the company’s database, potentially impacting several of its clients such as Microsoft, Google, Apple, and Citibank. In a disturbing revelation, REvil operators claimed to accrue over $100 million in a year by extorting victims.

  • More than 100 smart irrigation systems deployed worldwide were installed without changing the default password, making them vulnerable to malicious attacks. Discovered by researchers, these irrigation systems were found to be visible on the open internet across Israel, South Korea, the U.S., Switzerland, and France, with more than half of the systems in Israel.
  • This week, Nando’s customers suffered credential-stuffing attacks. The hackers hijacked the customers’ accounts to place large fraudulent orders.
  • Fragomen, Del Rey, Bernsen & Loewy, LLP, an immigration law firm, suffered a data breach exposing the personal information of current and former Google employees via their Form I-9. Talking about data breaches, Nitro PDF services underwent a humongous data breach that could potentially affect Microsoft, Google, Apple, Citibank, and other major firms. The stolen data is on sale in a private auction, with a starting price of $80,000.
  • PagoFX, an international money transfer service backed by Santander, underwent a data breach incident. Database schemas, digital risk assessments, and infrastructure docs, among others, amounting to 2GB of files were compromised. In another data breach incident, Swedish security company Gunnebo disclosed suffering a data breach incident in August that resulted in the loss of 19GB of information and 38,000 files.
  • Cryptocurrency is all the rage now and cybercriminals are doing their best to steal whatever they can. In one such instance, a hacker stole cryptocurrency assets, including $13 million worth of USD Coin and $11 million worth of Tether from Harvest Finance, a decentralized financial service.
  • Isentia, a media monitoring organization, allegedly suffered a ransomware attack that disrupted its online services. Another furniture making giant, Steelcase, reportedly fell victim to a ransomware attack. Besides, Enel Group, a multinational energy company, underwent a ransomware attack for the second time this year. The attack was conducted by the Netwalker gang who demanded a ransom of $14 million for the decryption key.
  • Insider threats cannot be overlooked anymore. Amazon terminated few employees who were found violating company policies by leaking customer data to an unaffiliated third-party.
  • More than 2 petabytes of unprotected medical data, including 13 million medical exams of around 3.5 million U.S. patients, were found on PACS servers. In another sphere, Germany’s Robert Koch Institute for infectious disease control was hit by a DDoS attack, knocking its website offline for two hours. In addition to this, two more hospitals in New York and Oregon were targeted by ransomware attacks, disrupting systems and forcing the rerouting of ambulances carrying sick patients.
  • A new phishing document was found targeting the staff at the University of British Columbia with a fake COVID-19 survey.
  • A social networking app, True, ended up exposing one of its servers, resulting in the exposure of private user data on the open internet. In a different camp, Home Depot Canada sent out hundreds of order details of strangers to customers. This is alarming as the orders were not associated with the Home Depot accounts that received the emails.
  • Recently, the Russia-linked Turla APT group hacked an undisclosed European government organization using a combination of RATs and backdoors such as HyperStack.
  • REvil ransomware attackers claimed to have made more than $100 million in a year by extorting large businesses across the world.

New Threats

Among new threats discovered this week, researchers discovered new variants of TrickBot and Mirai botnet. While the TrickBot operators moved a portion of trojan code to Linux called Anchor_Linux in an attempt to widen the scope of attacks, the new version of Mirai, dubbed Katana, came with enhanced modules such as layer 7 DDoS, unique encryption keys, fast self-replication, and secure C2 server. Meanwhile, Apple accidentally approved six malicious apps for the second time in six weeks as part of the notarization process.

  • Vulnerable systems remained a hotspot for cyberattacks this week. In one instance, threat actors were found scanning the internet for Oracle WebLogic server affected by a critical remote code execution vulnerability and, in another, researchers uncovered over 100,000 Windows systems still vulnerable to the previously known SMBGhost flaw.
  • Researchers tracked several loaders and backdoor campaigns that led to the deployment of ransomware. The backdoors include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT, and WINEKEY/CORKBOT. The campaigns were targeted against hospitals, retirement communities, and medical centers.
  • Emotet’s activity got a facelift with new delivery methods. Researchers observed that the trojan had increased its activities since August and the latest delivery method included hiding itself within a fake Microsoft Office request.
  • During the investigation of a Ryuk attack in September 2020, actors used a malware dropper called Buer, instead of Emotet and TrickBot, to deliver the ransomware.
  • Variants of TrickBot and Mirai disrupted the critical infrastructure of several organizations. While the TrickBot’s operators moved a portion of trojan code to Linux called Anchor_Linux in an attempt to widen the scope of attacks, the new version of Mirai, dubbed Katana, came with enhanced modules such as layer 7 DDoS, unique encryption keys, fast self-replication, and secure C2 server.
  • Google removed 21 malicious Android apps from the Play Store that were used to distribute HiddenAds malware and a trojan. The group behind the operation relied on social media channels to lure users into downloading the apps.
  • Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform, Discord, as a C2 server. The RAT’s capabilities include stealing multiple data from the infected host, including Chrome cookies, saved credit cards, and Steam credentials.
  • For the second time in six weeks, Apple accidentally approved six malicious apps as part of the notarization process. These apps posed as Adobe Flash Player installers.
  • The Iranian hacking group, named Phosphorus, was held responsible for targeting Munich Security conference attendees. The attack was carried out through spearphishing emails.
  • Security issues in link previews of LINE, Slack, Twitter, Facebook, Zoom, Linkedin, and many other chat apps can possibly cause the leakage of user data. This can also expose IP addresses and links shared in end-to-end encrypted chats.

 Tags

turla apt group
abaddon rat
netwalker gang
microsoft it
phosphorus
nitro pdf
singlemalt
citibank
anchor linux

Posted on: October 30, 2020

Get the Weekly Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!