Cyware Monthly Cyber Threat Intelligence

Monthly Threat Briefing • Mar 1, 2019
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Monthly Threat Briefing • Mar 1, 2019
The Good
As we gear up to a new month of the year, let’s quickly glance through all that happened over the past month. Before we get into the cybersecurity incidents and the new threats, let’s first acknowledge all the positive events that happened over the past month. Google has released a Chrome extension named ‘Password Checkup’ to protect accounts from data breaches. Google and FIDO Alliance has announced that the Android operating system is now FIDO2 certified. Meanwhile, Sectigo has released Zero-Touch deployment email encryption and digital signing solution to increase compliance with government regulations and reduce cybersecurity risks.
Google has released a Chrome extension named ‘Password Checkup’ on the Safer Internet Day (February 5, 2019). This extension checks if usernames and passwords combinations entered in login pages are one of over 4 billion credentials that Google knows to have been previously compromised in data breaches.
Google has developed a new Chrome feature that fights against DOM-based XSS attacks. This new feature is a browser API called ‘Trusted Types’ that helps Chrome fight against certain cross-site scripting XSS vulnerabilities. The feature adds another level of protection at the browser level to protect users from cross-site scripting vulnerabilities such as DOM-based XSS.
SK Telecom has announced to launch its Quantum Security Gateway solution to prevent hacking in self-driving cars. The solution is an integrated security device that will be installed inside cars and protects various electronic units and networks in the cars. The gateway solution once installed inside cars, monitors various devices for Vehicle-2-Everything (V2X), Bluetooth, radar, smart keys, and driver assistance systems.
Google and FIDO Alliance has announced that the Android operating system is now FIDO2 certified which indicates that password authentication could be eradicated from the mobile ecosystem. Now that Android is FIDO2 certified, this enables over a billion Android devices to implement passwordless authentication standards.
SSL Certificate Authority Sectigo has released Zero-Touch deployment email encryption and digital signing solution to increase compliance with government regulations and reduce cybersecurity risks. This enables email gateways to scan encrypted traffic in order to detect malware as well as sign an email on behalf of the sender.
Google is working to advance the cyber-security model known as ‘confidential computing’ with the Asylo project to protect the integrity of workloads. The confidential computing approach provides an additional layer of protection against malicious insiders, vulnerabilities and compromised operating systems.
Mitsubishi Electric has developed a sensor-security technology that detects inconsistencies in sensor measurements when drones, vehicles, or robots are under attack. Mitsubishi plans to commercialize the product next year by offering the technology to manufacturers of cars, drones, etc.
Google has made new updates to its Google Play Protect to protect Android users from potentially harmful applications (PHA). Now, Google Play Protect comes as a default built-in feature of every Android device, instead of users manually enabling the feature
The Bad
February witnessed several data breaches and cyber attacks that saw the exposure of millions of people's personal information across the globe. South Africa’s electricity provider Eskom was hit with a double security breach. The Australian Federal Parliament’s computer network has been hacked. In the meantime, Cybercriminals have put up two new databases that contain a total of 69,186 Pakistani banks’ cards for sale on the Joker’s Stash underground forum.
South Africa’s primary electricity provider Eskom was hit by not just one, but two security breaches. One was due to an unsecured database that leaked customer data online. The second breach came along with AZORult malware infection disguised as a downloader for The Sims 4 game.
The Australian Federal Parliament’s computer network has been hacked. Parliament’s presiding officers, Speaker of the House of Representatives MP Tony Smith and President of the Senate MP Scott Ryan confirmed that there is no evidence that any data has been accessed at this point of time. However, Australian security agencies are suspecting China to be behind this attack.
British MPs were targeted by an attempt to access their contacts list and send texts and emails to all their private contacts. Deputy Chief Whip Christopher Pincher warned MPs to be aware of the text messages and emails asking them to provide overseas contact details or to download a secure message app.
Almost 620 million account credentials stolen from 16 companies were put up for sale on the Dark Web by a seller named ‘gnosticplayers’. The stolen accounts belonged to 16 websites including Dubsmash, MyFitnessPal, MyHeritage, Animoto, 8fit, 500px, Armor Games, CoffeeMeetsBagel and Artsy. The highest number of account credentials were stolen from Dubsmash, recording a total of 162 million.
Followed by the first batch of 620 million accounts stolen from 16 companies, a second batch containing 127 million stolen accounts was made available for sale on the Dark Web by ‘gnosticplayers’ who quoted $14,500 in bitcoin for the collection. The stolen accounts belonged to 8 companies including Ixigo, Houzz, YouNow, Coinmama, Petflow, Ge.tt, Roll20.net, and StrongHoldKingdoms.
The seller ‘gnosticplayers’ was back again with a collection of 93 million stolen account credentials from 8 companies. This is the third batch made available for sale by gnosticplayers in the Dream Market marketplace which is worth 2.6249 bitcoin amounting to $9,400.
Attackers compromised North Country Business Products (NCBP) IT systems and planted malware on its clients’ Point-of-Sale (POS) systems. The attack has impacted nearly 140 food chains such as coffee shops, restaurants, bars, standalone hotels, and various food chain franchises. The impacted food chains included Dunn Brothers Coffee, Someburros, Zipps Sports Grill, and more.
A storage server containing real-time call recordings made to the 1177 Swedish Healthcare Guide helpline for health care information was found publicly available without any password protection. The unprotected server which was left open without a password exposed almost 2.7 million health-related call recordings that dated back to 2013.
Researchers observed a new Ad fraud campaign dubbed ‘DrainerBot’ which plays invisible ad videos in Android devices via infected apps. The DrainerBot ad fraud scheme uses malicious codes in Android apps to deliver ad videos to mobile devices that have installed the infected apps. The ad fraud scheme has been distributed via infected Android applications that have almost 10 million downloads.
A new phishing attack dubbed ‘NoRelationship’ was observed recently that bypasses Microsoft’s Exchange Online Protection (EOP) URL filters which scans Microsoft Office documents such as Word (.docx), Excel (.xlsx), and PowerPoint (.pptx). The attackers behind the ‘NoRelationship’ phishing campaign deleted external links from a relationship (xml.rels) file which is a legitimate file that lists all links included in an attachment. This lead to Microsoft’s Exchange Online Protection filters not detecting the malicious URL.
Dow Jones Watchlist’s database was publicly available without any password protection thereby exposing almost 2.4 million records. Upon learning the incident, Dow Jones immediately disabled the leaky Elasticsearch database.
Cybercriminals have put up two new databases that contain a total of 69,186 Pakistani banks’ cards for sale on the Joker’s Stash underground forum which is estimated to be approximately $3.5 million. Researchers noted that the price of a single card detail ranged between $10 and $40, and the cards with PIN codes were priced at $50.
New Threats
Several new malware, ransomware, vulnerabilities, and threat groups emerged over the past month. Researchers spotted a new backdoor trojan dubbed ‘Speakup’ that infects Linux and MacOS systems. A Monero cryptocurrency-mining malware variant has been found using a combination of RADMIN and MIMIKATZ exploit tools to spread across networks. Last but not least, New vulnerabilities dubbed ‘Zombie POODLE’ and ‘GOLDENDOODLE’ were spotted affecting the HTTPS.