Cyware Weekly Threat Intelligence, September 07 - 11, 2020


The Good

With an uptick in state-sponsored attacks, several government agencies have issued cybersecurity guidelines to protect their countries' critical assets. In a one-of-its-kind joint advisory, the cybersecurity agencies of Australia, Canada, New Zealand, the U.K., and the U.S. have highlighted best practices for incident response and the detection of malicious activity. In addition, the U.S. has issued a set of cybersecurity principles to protect space systems from cyberattacks.

  • The White House issued a new set of cybersecurity principles to protect the country’s commercial and critical infrastructure investments in space. The guidelines focus on securing information systems, networks, and radio-frequency-dependent wireless communication channels.
  • The U.K. government announced a fund of over $600,000 to boost cybersecurity across small and medium-sized healthcare suppliers and providers. The amount will be spent on consultancy and certification costs needed to gain accreditation for the government’s Cyber Essentials certification.
  • Cybersecurity agencies in Australia, Canada, New Zealand, the U.K., and the U.S. released a joint advisory that focuses on detecting malicious activities and incident response. It includes best practices for incident reporting, technical approaches, and implementation of mitigation steps.
  • A team of scientists from the Quantum Engineering Technology (QET) Labs at the University of Bristol came up with a new technique to secure a multi-user quantum communication network. The technique can make messaging completely safe from interceptions.

The Bad

Meanwhile, ransomware attackers continued to wreak havoc with their non-stop attacks on organizations. The prime victims of such attacks, this week, were several hospitals and companies in Thailand. Apart from these, Equinix, K-Electric, and BancoEstado were among other victim organizations.

  • Several hospitals and companies in Thailand were hit in ransomware attacks that affected their computer systems. Some of these organizations paid the ransom demands (around $32,000) to retrieve their data.
  • SeaChange International, a US-based video delivery software solutions provider, confirmed that it was attacked by REvil ransomware in the first quarter of 2020. The attackers had posted screenshots of files to back up their claim of the attack on the firm. In another incident, NetWalker ransomware operators claimed their latest attack on the Pakistan-based power supplier K-Electric. The same ransomware had also been used in an attack against Argentina’s immigration agency, Dirección Nacional de Migraciones.
  • Data center giant Equinix also disclosed a ransomware attack that impacted its internal systems; its customer-facing services, however, remained unaffected. On a tangent, one of Chile’s biggest banks, BancoEstado, was forced to shut down all its branches on September 7 following a ransomware attack that took place over the weekend.
  • Educational institutions Clark County School District and Hartford Public Schools also fell victim to ransomware attacks that impacted their internal IT systems and some employee information. Both are working on recovery. Additionally, Maze ransomware attacked Fairfax County Public Schools and wiped all of its data from the systems.
  • A bug in United Airlines’ website allowed anyone to access the ticket information of travelers seeking refunds. The exposed information included their ticket numbers and last names.
  • Service NSW revealed that the personal information of 186,000 customers was stolen in a cyberattack that occurred after the compromise of 47 staff email accounts. The incident, which took place earlier this year, affected 738GB of data.
  • Slovakian cryptocurrency exchange platform ETERBASE lost over $5 million worth of cryptocurrencies in a targeted attack. The hackers stole the funds from several of its hot wallets.
  • An unsecured Elasticsearch database belonging to Digital Point exposed the data of 800,000 users. The leaked data included names, email addresses, and internal user ID numbers.
  • Inova Health Systems notified customers of a security breach that occurred due to a ransomware attack on Blackbaud. The incident impacted the personal data of patients and donors.
  • Over 50,000 letters sent by Virtual Mail Room on behalf of banks and local agencies were indexed by Google due to an unprotected database. The letters included the names and addresses of thousands of people living in the U.K., the U.S., and Canada. The names, email addresses, and telephone numbers of staff were also visible online.
  • Telmate’s Getting Out app exposed millions of intimate messages of U.S. prison inmates due to a misconfigured Amazon S3 bucket. The leaky bucket also included their relationship status, prescription medication, and religion among others.

New Threats

Among the new threats this week, security researchers disclosed a new Bluetooth vulnerability called BLURtooth that can enable attackers to launch man-in-the-middle (MITM) attacks. Researchers also demonstrated an attack method named Raccoon, which targets the TLS cryptographic protocol.

  • Attackers are actively exploiting a critical remote code execution vulnerability in the File Manager plugin that has over 600,000 downloads. The flaw can allow unauthorized attackers to upload malicious PHP files and execute arbitrary code on sites.
  • Security researchers warned users about 89 zero-day vulnerabilities in plugins of popular CMSes. These flaws can expose CMS platforms such as Joomla, Drupal, and WordPress to a range of cyber threats.
  • A new piece of Linux malware called CDRThief is designed to target specific VoIP switches to steal call detail records. The targeted switches are VOS2009 and VOS3000 systems from Chinese company Linknat.
  • Zeppelin ransomware returned in August with a newly spotted infection routine. The campaign was carried out through a phishing email containing malicious macros. The macros executed About1.vbs trojan downloader which later downloaded the ransomware onto a victim’s machine.
  • Academics explored new attack methods that abuse Bluetooth technology and the TLS cryptographic protocol, respectively. The Bluetooth one, which involves the exploitation of BLE, is called BLURtooth; the other, named the Raccoon attack, can be used to decrypt HTTPS connections and read sensitive communications. In a separate demonstration, security experts showed that specially crafted Windows 10 themes and theme packs could lead to the theft of Windows account credentials.
  • Cybercrime group TeamTNT relied on a legitimate tool, Weave Scope, to gain full control of Docker and Kubernetes platforms. The attackers installed this tool to map their victim’s cloud environment and execute system commands without deploying malicious code on the server.
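Because Weave Scope is a legitimate tool, signature-based scanning will not flag it; the practical defensive control is an inventory check that alerts on any Weave Scope container the operations team did not sanction. The script below is an added illustration, not Cyware's or Weave's own code: it parses `docker ps --format '{{json .}}'` output (a constructed sample is embedded inline) and flags containers that run the upstream `weaveworks/scope` image or publish its UI port. The image name and port 4040 are assumed upstream defaults; the allow-list is hypothetical and should hold whatever your team actually deployed.

```python
import json

# Constructed sample of `docker ps --format '{{json .}}'` output, one JSON object per line.
# Only the middle entry is a Weave Scope container; the others are ordinary workloads.
SAMPLE_DOCKER_PS = """\
{"ID":"a1b2c3d4e5f6","Image":"nginx:1.19","Names":"web-frontend","Ports":"0.0.0.0:80->80/tcp","Command":"nginx -g 'daemon off;'"}
{"ID":"0f9e8d7c6b5a","Image":"weaveworks/scope:1.13.1","Names":"weavescope","Ports":"0.0.0.0:4040->4040/tcp","Command":"/home/weave/entrypoint.sh --probe.docker=true"}
{"ID":"1122334455aa","Image":"redis:6","Names":"cache","Ports":"6379/tcp","Command":"redis-server"}
"""

# Indicators of a Weave Scope deployment. Assumption: the upstream image is published as
# weaveworks/scope and its web UI listens on 4040 by default; adjust for mirrored images.
SCOPE_IMAGE_PREFIXES = ("weaveworks/scope",)
SCOPE_UI_PORT = "4040"

# Hypothetical allow-list of container names the operations team knowingly deployed.
# Empty here, so every Weave Scope container found is treated as unsanctioned.
APPROVED_SCOPE_CONTAINERS = frozenset()


def parse_docker_ps(text):
    """Turn JSON-lines `docker ps` output into a list of dicts, skipping blank lines."""
    containers = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            containers.append(json.loads(line))
    return containers


def is_scope_container(container):
    """True if the image name or the published ports point at Weave Scope."""
    image = container.get("Image", "")
    ports = container.get("Ports", "")
    return image.startswith(SCOPE_IMAGE_PREFIXES) or f"->{SCOPE_UI_PORT}/tcp" in ports


def find_unsanctioned_scope(text, approved=APPROVED_SCOPE_CONTAINERS):
    """Return the Weave Scope containers whose names are not on the allow-list."""
    findings = []
    for c in parse_docker_ps(text):
        if is_scope_container(c) and c.get("Names") not in approved:
            findings.append({
                "id": c.get("ID"),
                "image": c.get("Image"),
                "name": c.get("Names"),
                "ports": c.get("Ports"),
            })
    return findings


if __name__ == "__main__":
    # In production, feed the real output of `docker ps --format '{{json .}}'` instead.
    for finding in find_unsanctioned_scope(SAMPLE_DOCKER_PS):
        print(f"ALERT unsanctioned Weave Scope container {finding['name']} "
              f"({finding['id']}) image={finding['image']} ports={finding['ports']}")
```

The port check matters because an attacker can retag or mirror the image under a different name, while the UI still has to be reachable to be useful. On Kubernetes the equivalent check is an inventory of pods and DaemonSets against the same image prefix.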
  • Around 306 popular Android apps are using improper cryptographic code that can result in possible exploitation attempts against app users. A custom-made tool called CRYLOGGER was used to test these popular apps.
  • Cybersecurity agencies in France, Japan, and New Zealand released security alerts about an uptick in Emotet attacks targeting organizations in the respective countries. The alerts include guidelines to prevent attacks from the malware.
  • A newly discovered malware gang, named Epic Manchego, used malicious Excel files to bypass security scanners in an attack campaign targeted against companies across the world. The malicious files were distributed via phishing emails.

Tags

revil ransomware
service nsw
clark county school district
seachange international
getting out app
equinix
eterbase
teamtnt threat actor group
blurtooth
k electric
zeppelin ransomware

Posted on: September 11, 2020
