Cyware Weekly Threat Intelligence, September 28 - October 02, 2020

The Good

With another week coming to an end, let’s take a quick glance at all the good developments that happened this week. America’s top law enforcement agencies plan to work with intelligence agencies to fight against foreign hackers. On the other hand, the Western Australian government has decided to come up with a new cybersecurity center that will provide further support to existing cybersecurity efforts across government.

  • America’s top law enforcement and intelligence agencies will work together as part of a new federal strategy to fight foreign hackers. The effort will improve targeting and prosecution of hackers who attack American organizations.
  • The Western Australian government has dedicated AU$1.8 million (~US$ 1.3 million) to establish a whole-of-government cybersecurity operations centre. It will provide further support to existing cybersecurity efforts across government and the dedicated cybersecurity team within the Office of Digital Government.
  • Researchers from CSIRO’s Data61 and the Monash Blockchain Technology Centre claimed to have developed the world’s most efficient blockchain protocol that is both secure against quantum computers and protects the privacy of its users and their transactions. The technology can be applied beyond cryptocurrencies, such as digital health, banking, finance and government services.

The Bad

It’s raining ransomware, and this week’s victims include United Health Services (UHS), Arthur J. Gallagher & Co., and CMA CGM. In other news, the FBI is investigating an ongoing BEC campaign in which $15 million has been stolen from at least 150 victims.

  • Two popular flight tracking websites, Flightradar24 and PlaneFinder, had their services disrupted following multiple attacks. In a different incident, Swatch Group was also forced to shut down some of its operations due to a cyberattack. It is unclear which threat actor groups were behind these attacks and which malware was used to infect the systems.
  • A European fashion retailer, BrandBQ, exposed seven million customer records due to a misconfigured Elasticsearch server. The compromised data included full names, home addresses, dates of birth, phone numbers, and payment records of individuals.
  • In another incident, Kylie Cosmetics reported a data breach due to the security incident at Shopify Inc. According to Shopify, the compromised data included basic contact details such as email, name, and address, as well as order details.
  • A technical issue in the Airbnb service on desktop and mobile web platforms caused the leak of a limited amount of data. The exposed information included personally identifiable information, such as addresses of hosts and details of Airbnb properties.
  • REvil operators deposited $1 million in a hacker forum as part of their recruitment drive. The deposit illustrates the amount of money that attackers are generating from ransomware operations.
  • Meanwhile, the Ryuk ransomware claimed its attack on United Health Services (UHS). The attack, which occurred on Monday, affected IT networks at UHS facilities across the U.S. French shipping giant CMA CGM was also affected in a different ransomware attack, where the attackers encrypted some of the company’s files and demanded a ransom for the decryption key.
  • The U.S.-based Arthur J. Gallagher & Co. and the Ashtabula County Medical Center were also targeted in separate ransomware attacks. While the malware used in the attacks is unknown, the firms took concrete steps to contain the spread.
  • The FBI is investigating an ongoing BEC campaign in which $15 million has been stolen from at least 150 victims. The campaign uses social engineering techniques to impersonate senior executives using Microsoft Office 365 email services. So far, a majority of these attacks have targeted organizations in the U.S.

New Threats

In new threats, researchers discovered new variants of the InterPlanetary Storm botnet and the Android/SpyC23.A spyware. While the new version of the InterPlanetary Storm botnet uses brute-force attacks to get into systems, the new variant of Android/SpyC23.A is distributed via a fake app store in the form of AndroidUpdate, Threema and Telegram apps.

  • The LokiBot trojan returned in a new phishing campaign that used a unique obfuscation technique: adding random text to shortened URLs. This enabled the phishing emails sent by the threat actors to bypass email security checks.
  • Variants of Android/SpyC23.A and the InterPlanetary Storm botnet were observed wreaking havoc on devices in different attack campaigns. While the new version of the InterPlanetary Storm botnet uses brute-force attacks to get into systems, the new variant of Android/SpyC23.A spyware is distributed via a fake app store in the form of AndroidUpdate, Threema and Telegram apps.
  • Google removed a fresh set of 17 malicious apps that were responsible for distributing the Joker malware. Once installed, the Joker-infested apps could steal SMS messages, contact lists, and device information from infected devices.
  • A new UN Security Council report reveals that the North Korea-based Kimsuky hacker group was behind a series of spear-phishing attacks launched between March and April this year. The purpose was to target officials associated with the UN Security Council.
  • A newly discovered Linkury adware campaign was found distributing a browser hijacker, the SafeFinder widget, which is designed to spread malware. The widget was advertised as a way to perform safe searches on the internet in order to trick users. The campaign leveraged Chrome, Firefox, and Safari to launch the browser hijacker.
  • An ongoing phishing attack campaign from the threat actor group, TA2552, is leveraging Netflix and Amazon brands as lures to target Microsoft 365 users in Spain. The campaign has been active since July 2020 and uses phishing emails that include a link to a fake Office 365 login page.
  • A new espionage campaign linked to the BlackTech APT group was found by researchers. The campaign targeted media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S., and China.
  • Over 247,000 Microsoft Exchange Servers vulnerable to CVE-2020-0688, a remote code execution flaw, are exposed to attacks. A patch for the flaw, which exists in the Exchange Control Panel, was issued in February. However, many organizations have failed to apply the update in time, making them a potential target for cyberattacks.

Posted on: October 02, 2020