Cyware Weekly Threat Intelligence, September 14 - 18, 2020


The Good

The rise in malware attacks against organizations calls for stricter cybersecurity measures. Taking steps in this direction, the NCSC updated its incident response plans against malware attacks. Furthermore, the agency released a set of guidelines under ‘The Vulnerability Disclosure Toolkit’ to improve the cybersecurity posture of organizations.

  • The NCSC updated its incident response plan to mitigate malware attacks. The latest guidelines, which were released following the rise in ransomware attacks, are based on the experience the NCSC gained from resolving such threats over the course of the year.
  • Additionally, the agency released a list of guidelines under ‘The Vulnerability Disclosure Toolkit’ in an effort to improve the cybersecurity posture of companies. It is divided into three sections describing the approach to identifying and mitigating vulnerabilities.
  • The General Services Administration’s (GSA) 18F digital services unit issued a field guide for federal agencies to help them mitigate cyber risks in their systems. The guide covers various topics related to cyber strategy development, including planning, acquisition, and execution.
  • The U.S. House of Representatives passed the IoT Cybersecurity Improvement Bill to improve the security of IoT devices. First introduced in 2017 and reintroduced in 2019, the Act has been drafted to combat threats arising from insecure IoT devices.
  • The NSA introduced guidelines on the Unified Extensible Firmware Interface (UEFI) Secure Boot feature to minimize the risk of firmware exploitation. UEFI is used across multiple architectures and provides options for higher performance and improved security.
  • The Office of the National Coordinator (ONC), in collaboration with the Office of Civil Rights (OCR), released an update to the Services Security Risk Assessment Tool to support small- and medium-sized healthcare providers.

The Bad

Unauthorized access to personal data continued to make headlines this week as well. While University Hospital New Jersey (UHNJ) lost 240GB of data in a SunCrypt ransomware attack, Magecart actors made off with credit card data following attacks on Magento-based e-commerce stores. An online application managed by Veteran Affairs’ Financial Services Center (FSC) was hit in a cyberattack that affected the personal details of 46,000 veterans.

  • A cyberattack on the Quebec Department of Justice (DoJ) enabled attackers to access and infect 14 email addresses between August 11 and 12. For the attack, threat actors used a version of the Emotet trojan that stole the personal information of approximately 300 active and inactive employees.
  • University Hospital New Jersey (UHNJ) suffered an attack from SunCrypt ransomware. The attackers stole 240GB of data, of which 1.7GB containing 48,000 documents was posted online.
  • Düsseldorf University Hospital (UKD) was forced to postpone its medical operations after a ransomware attack on September 11. The hospital is working with law enforcement authorities to restore its affected systems.
  • The China-linked RedDelta threat actor group was held responsible for a five-month-long cyberattack campaign against the Vatican and other Catholic Church-related organizations. Attacks came in the form of spearphishing emails laced with PlugX RAT as the payload.
  • The German shopping giant Windeln.de exposed 882GB of data from 70 dating and e-commerce sites due to a misconfigured Elasticsearch database. The leaked data included invoices, full names, IP addresses, phone numbers, email addresses, and home addresses.
  • Artech Information Systems was hit for the second time in nine months. This time, the attack was carried out by Maze ransomware operators, who later announced it by uploading a zip file of data stolen from the firm.
  • Children’s Minnesota, a children’s healthcare organization, announced that the personal information of over 160,000 patients was compromised due to the ransomware attack on Blackbaud. The compromised data included names, ages, addresses, medical records, dates of treatments, and medical insurance information.
  • Researchers found almost 800,000 access keys and secrets in repositories and files uploaded to GitHub, GitLab, and Pastebin. Over 40% of these keys could grant access to database stores, while 38% could grant access to cloud environments, such as AWS, Google Cloud, and Microsoft Azure.
  • Researchers hacked into Facebook by exploiting three recent vulnerabilities affecting MobileIron’s Mobile Device Management (MDM) system. The flaws were tracked as CVE-2020-15507, CVE-2020-15505, and CVE-2020-15506.
  • A privacy bug in the Vote Joe app spilled personal information of millions of American voters. The leaked data included basic information like a voter’s name, home address, and contact number.
  • Hackers accessed an online application managed by Veteran Affairs’ Financial Services Center (FSC) in a security breach that affected the personal information of around 46,000 veterans. After gaining access, the attackers diverted the VA payments intended for healthcare providers to their accounts.
  • The office retail company Staples disclosed a data breach that affected the order data of some of its customers. The compromised information included names, addresses, phone numbers, and the last four digits of customers’ credit cards.
  • Almost 2,000 Magento-based online stores were compromised in an automated hacking campaign. Hackers injected malicious JavaScript code into the sites to steal customers’ credit card details.
  • Fairfax County Public Schools (FCPS), Virginia, was targeted by Maze ransomware operators who stole roughly 100MB of data from the institution.

New Threats

Turning to new threats, Maze ransomware operators added a Virtual Machine (VM) based evasion technique, first adopted by Ragnar Locker attackers, to their arsenal. Meanwhile, researchers discovered two new attack techniques, BlindSide and Zerologon, that abused CPU speculative execution and a Windows privilege escalation vulnerability, respectively.

  • While conducting an investigation, researchers found that Maze ransomware operators have adopted an evasion technique pioneered by Ragnar Locker ransomware. The technique involves running the payload inside a VM to evade detection.
  • The notorious Mozi botnet accounted for nearly 90% of the observed IoT attacks from October 2019 to June 2020. The botnet is capable of launching DDoS attacks, stealing credentials, and sending spam.
  • LockBit became the latest ransomware to launch a new data leak site as part of their double extortion strategy. The data leak site currently contains two victims: an automation parts manufacturer and a shipping company.
  • The CISA released a malware analysis report that includes technical details about web shells employed by Iranian hackers. The malware used by the attackers includes the ChunkyTuna, Tiny, and China Chopper web shells.
  • Billions of IoT devices are vulnerable to new Bluetooth Low Energy Spoofing Attacks (BLESA) that arise due to a reconnection issue between paired devices. Apple has assigned CVE-2020-9770 for the related vulnerability affecting iOS and iPadOS.
  • A hacker group named MbrMiner brute-forced thousands of MSSQL servers with weak passwords and installed crypto-mining malware with the same name. The malware is also capable of targeting Linux servers and ARM-based systems.
  • Researchers devised a technique that exploited Windows’ ‘finger’ command to download malicious payloads and steal files from targeted computers. Two more attack techniques that abused speculative execution and a Windows privilege escalation vulnerability were also unearthed by researchers. The two attacks are named BlindSide and Zerologon, respectively.
  • Researchers published a report indicating a connection between North Korea’s Lazarus threat actor group and Russian-speaking cybercriminals. The report was compiled after an analysis of their attack techniques, malware, and targets.


Posted on: September 18, 2020
