Cyware Monthly Threat Intelligence

Monthly Threat Briefing • Apr 1, 2019
The Good
As we gear up for a new month, let’s quickly glance through all that happened over the past month, starting with the positive events. The National Security Agency has released its cybersecurity tool ‘Ghidra’ as an open-source offering. Google is planning to block unwanted ‘Drive-by-Downloads’ that are initiated from ad frames without any user interaction. Meanwhile, Apple is working on an anti-snooping technology that will secure iPhone users’ privacy.
The National Security Agency has announced its cybersecurity tool ‘Ghidra’ as an open-source offering to the public at the RSA conference. Ghidra allows security researchers to analyze malicious code and malware thoroughly with reverse engineering tasks such as disassembly, assembly, decompilation, graphing, scripting, and more.
Google is planning to block unwanted ‘Drive-by-Downloads’ that are initiated from within ad frames without any user gesture. This feature will be supported on all six Blink platforms - Windows, Mac, Linux, Chrome OS, Android, and Android WebView - but not on iOS.
Apple is working on an anti-snooping technology that will prevent law enforcement authorities from tracking iPhone users’ location and reading their private messages. This technology protects iPhone users’ privacy by encrypting information exchanged between an iPhone and a mobile network.
Instagram is testing a new feature that automatically locks users’ old usernames for 14 days after switching to a new handle. This ‘username auto-lock’ feature will put an end to hackers who use bots to grab usernames as soon as the users switch to a new handle.
Computer scientists from the United States have developed a new email app named ‘Easy Email Encryption E3’ that is capable of quickly encrypting messages that appear in an email inbox. The app works with the majority of popular email services such as Gmail, Yahoo, and AOL, and automatically encrypts emails as soon as they are received on mobile devices or desktops.
Microsoft has added tamper protection to its antivirus product Microsoft Defender Advanced Threat Protection (ATP) to prevent malware from disabling the antivirus solution on infected systems. The tamper protection also prevents malware from disabling Microsoft's cloud-based malware detection.
New Jersey legislators sent a bill to Gov. Phil Murphy that would expand data breach notification requirements, requiring companies to alert consumers about data breaches that include personally identifiable information (PII) such as user names, passwords, email addresses, and security questions.
Europol has announced the adoption of the new Law Enforcement Emergency Response Protocol that covers malicious and criminal cyber incidents. The new protocol focuses on rapid assessment, sharing of information, and coordination of the international aspects of an investigation.
The Bad
In March, we witnessed several data breaches and cyber attacks that led to the exposure of millions of people's personal information across the globe. The seller Gnosticplayers, who previously disclosed 800 million profiles, has made a comeback with a fourth batch of stolen data put up for sale on the DreamMarket marketplace. The aluminum giant Norsk Hydro suffered a cyber attack, forcing it to switch some of its operations to manual mode. Meanwhile, it was discovered that FEMA inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors.
A security researcher uncovered 18 MongoDB servers that were publicly accessible without any password protection. The open MongoDB databases contained data from a Chinese surveillance program. The exposed information included online social services data such as profile names, ID numbers, photos, public and private conversations, file transfers, GPS locations, and more.
Wolverine Solutions Group suffered a ransomware attack that impacted nearly 700 healthcare organizations, as these organizations use Wolverine Solutions Group for their billing and mailing services. The healthcare organizations affected by the breach include Mary Free Bed Rehabilitation Hospital, the Health Alliance Plan, North Ottawa Community Health System, Three Rivers Health, and more. The data breach compromised personal information of almost 1.2 million patients.
Attackers attempted a ransomware attack against Israeli websites on March 2, 2019, which failed miserably due to a coding error. However, the attackers managed to deface multiple web pages with the words ‘Jerusalem is the capital of Palestine’. What went wrong was that the variable the script compared the browser user agent against was set only to ‘Windows’, whereas real browser user agent strings also include the Windows version number, such as ‘Windows 10’ or ‘Windows 7’.
Chinese hackers targeted more than two dozen universities across the world to steal maritime military secrets. The attack campaign targeted almost 27 universities via spear-phishing emails. The emails purported to come from partnered universities and included malicious attachments. The targeted universities include Massachusetts Institute of Technology, the University of Washington, and other colleges in Canada and Southeast Asia.
Researchers detected an unprotected MongoDB database belonging to the email marketing firm Verifications. The open MongoDB instance exposed almost 809 million records online. The leaky database contained three folders with different record sets: the first folder held over 790 million unique email addresses, the second folder contained 4,150,600 records that included both email addresses and users’ phone numbers, and the third folder contained 6 million business lead records.
Gnosticplayers, who exposed and sold 800 million user records in February 2019, has yet again come out with a fourth batch of 26 million user records put up for sale on the DreamMarket marketplace. The stolen data belongs to customers of six companies across the world: GameSalad, Estante Virtual, Coubic, LifeBear, Bukalapak, and YouthManual.
Norsk Hydro, one of the world's largest aluminum producers, suffered a cyber attack, forcing it to switch some of its operations to manual mode. The cyber attack impacted Hydro’s operations and IT systems in most of its business areas across the globe. However, personnel safety was not affected by the attack.
The Magecart threat group targeted the bedding websites MyPillow.com and Amerisleep.com in order to steal customers’ personal information and payment card data. While MyPillow has restored its site after the attack, Amerisleep is yet to respond with a fix.
The ‘Bad Tidings’ phishing campaign targeted Saudi Arabian government agencies and a single Saudi-based financial institution by impersonating the Saudi Arabian Ministry of Interior’s e-Service Absher. The campaign leveraged three domain spoofing techniques: Punycode spoofing, subdomain spoofing, and typosquatting.
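The three lookalike-domain techniques named above can be screened for in proxy or DNS logs. The classifier below is an added example, not code from the Cyware briefing; the legitimate domain, the homograph sample and every hostname in it are constructed placeholders, not the real Absher domain.

```python
# Added example: classify a hostname as punycode spoof, subdomain spoof, typosquat,
# legitimate or unrelated, relative to one impersonated brand.
BRAND = "absher"
LEGIT_DOMAIN = "absher.example"   # assumption: stand-in for the real service domain

# Constructed homograph: Cyrillic 'а' (U+0430) in place of Latin 'a', IDNA-encoded.
HOMOGRAPH_SAMPLE = "xn--" + "\u0430bsher".encode("punycode").decode("ascii") + ".example"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from the brand is treated as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_label(label: str) -> str:
    """Turn an xn-- label back into Unicode so the homograph becomes visible."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def classify(host: str, brand: str = BRAND, legit: str = LEGIT_DOMAIN) -> str:
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    labels = host.split(".")
    # Punycode spoofing: an IDNA label whose decoded form is within two edits of the brand.
    for label in labels:
        if label.startswith("xn--") and levenshtein(decode_label(label), brand) <= 2:
            return "punycode"
    # Subdomain spoofing: the brand appears as a subdomain of some other registrable domain
    # (naive registrable domain = last two labels; no public-suffix list is used offline).
    registrable_label = labels[-2] if len(labels) >= 2 else labels[0]
    if brand in labels[:-2]:
        return "subdomain"
    # Typosquatting: registrable label within two edits of the brand, including a swapped TLD.
    if levenshtein(registrable_label, brand) <= 2:
        return "typosquat"
    return "unrelated"
```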
The social media giant Facebook revealed that hundreds of millions of users’ passwords were stored in a readable format on its internal data storage systems. However, Facebook stated that there has been no evidence of any misuse of user passwords by its employees.
The United States Federal Emergency Management Agency (FEMA) inadvertently shared private data of almost 2.3 million disaster victims with one of the contractors that manages its TSA program. The exposed data includes applicants’ SPII such as street addresses, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.
Researchers observed a campaign dubbed ‘Operation ShadowHammer’ that targets the supply chain by spreading a backdoored version of the ASUS Live Update software. The campaign has impacted over 1 million users who downloaded the backdoored version of the ASUS Live Update utility onto their systems.
LockerGoga, the ransomware that hit aluminum giant Norsk Hydro, also infected two American chemical companies, Hexion and Momentive. The ransomware encrypted the Windows systems of these two companies, forcing them to order hundreds of new computers.
Two cryptocurrency exchange platforms, DragonEx and CoinBene, suffered cyber attacks compromising over $1 million and $45 million respectively. Both crypto portals have gone into maintenance mode to investigate the incidents and recover the stolen assets.
Researchers observed a new credential harvesting campaign dubbed ‘LUCKY ELEPHANT’ that uses doppelganger webpages to impersonate legitimate entities such as foreign governments, telecommunications providers, and militaries. The organizations impersonated by the attackers include entities in Pakistan, Bangladesh, Sri Lanka, the Maldives, Myanmar, and Nepal.
New Threats
Several new malware families, vulnerabilities, and ransomware strains were discovered over the past month. A new Android adware, ‘SimBad’, was detected in 206 Android apps with almost 150 million installs. Researchers observed a new variant of the Mirai botnet that uses 11 new exploits and targets smart TVs and wireless presentation systems. Last but not least, researchers uncovered a Google Photos vulnerability that could allow attackers to infer the metadata of images stored in Google Photos.