Cyware Monthly Threat Intelligence

The Good

User privacy remained at the forefront of cutting-edge cyber innovations in the month of October. For instance, security experts from CSIRO's Data61 and Monash University claimed to have developed the world’s most efficient blockchain protocol, promising both utmost security and privacy. Meanwhile, another research group spurred hopes with their new method of distributing secret cryptographic keys and ensuring user privacy using optical framed knots. In other news, Microsoft collaborated with other firms for the release of a new framework called Adversarial ML Threat Matrix to protect ML systems from cybercriminals.

Researchers from CSIRO’s Data61 and Monash Blockchain Technology Centre claimed to have developed the world’s most efficient blockchain protocol that is both secure against quantum computers and protects the privacy of its users and their transactions. The technology can be applied beyond cryptocurrencies, such as digital health, banking, finance, and government services.
The DHS Science and Technology Directorate (S&T) has designed a new technology called Trusted Mobile System (TrustMS) to secure apps from cyberattacks. It provides protection against exploits, such as stack manipulation, buffer overflows, execution of unintended code, and even execution of an app’s code in incorrect order.
Researchers from the Ben-Gurion University of the Negev and Bar-Ilan University devised a new method of distributing secret cryptographic keys that can be used to encrypt and decrypt data, ensure secure communication, and protect private information. This is possible using optical framed knots.
Researchers at CMU’s CyLab Security and Privacy Institute discovered a neural network model that can help users pick more secure passwords. To claim the research, a series of different machine-generated password recommendations was evaluated.
Microsoft, in collaboration with MITRE, IBM, NVIDIA, and Bosch, released Adversarial ML Threat Matrix—a new open framework to help security analysts detect, respond to, and remediate adversarial attacks against ML systems. The framework is vetted to protect ML systems.

The Bad

However, threat actors maintained their grip on the cyberspace, acting as a roadblock in the path of development. Exempli gratia, Harvest Finance, a decentralized finance service was hit with a $24 million cryptocurrency heist in a hack operation that lasted only seven minutes. Further, a global corporate immigration law firm disclosed sensitive information of employees at tech giants, including Microsoft and Google, in a breach incident. Some attackers also targeted healthcare facilities and providers in DDoS and ransomware attacks.

A hacker stole cryptocurrency assets, including $13 million worth of USD Coin and $11 million worth of Tether from Harvest Finance, a decentralized financial service. Two minutes after the attack, the hacker also returned $2.5 million back to the platform. The company announced offering a $400,000 bounty for anyone who can help recover the stolen funds.
Fragomen, Del Rey, Bernsen & Loewy, LLP, an immigration law firm, suffered a data breach exposing the personal information of current and former Google employees via their Form I-9. Talking about data breaches, Nitro PDF services underwent a humongous data breach that could potentially affect Microsoft, Google, Apple, Citibank, and other major firms. The stolen data is on sale in a private auction, with a starting price of $80,000.
The month didn’t end well for hospitals and healthcare providers: more than 2PB of medical data was found exposing around 3.5 million U.S. patients via PACS servers; Germany’s Robert Koch Institute for infectious disease control was hit by a DDoS attack, knocking its website offline for two hours; and hospitals in New York and Oregon were targeted by ransomware attacks, disrupting systems and forcing reroute ambulances.
Cyber adversaries swindled 19GB of sensitive data from Gunnebo, a Swedish security company. The leaked data include floor plans of bank vaults and shops, monitoring and alarm equipment, and security functions for ATMs. The records were first used to try to blackmail the company but then emails demanding ransoms were sent directly to patients.
Several giants including media monitoring organization Isentia, furniture making company Steelcase, and multinational energy firm Enel Group suffered ransomware attacks by various groups in the last month disrupting its online services. The Netwalker gang reportedly demanded a ransom of $14 million from the Enel Group.
Malicious actors hacked the Signaling System (SS7) network to gain access to Telegram accounts and email data of high-profile individuals in the cryptocurrency business. Occurring in September, the attack targeted at least 20 subscribers of the Partner Communications Company.
Cybercriminals stole more than $22 million in user funds in multiple campaigns targeting Electrum wallet app for more than two years. The attack was carried out through a social engineering technique, wherein users received a false message for updating their wallets.
Cybercriminals exfiltrated and published nearly 9GB of sensitive data belonging to Toledo Public Schools (TPS). The exposed information included names, addresses, dates of birth, phone numbers, and social security numbers of staff and students.
A threat actor group named Spectre123 allegedly leaked sensitive data from NATO and Havelsan online. The documents included work files, proposals, contracts, 3D designs, resumes, excel sheets containing raw materials information, and financial statements.
Joker’s Stash dark market forum was abuzz after a hacker dumped card details for 3 million Dickey’s Barbecue Pit users. The data, which was compromised between July 2019 and August 2020, was sold for a median price of $17 per card.
Fraudsters siphoned off $15 million from a U.S. company in a well-planned BEC attack that lasted for about two months. They used Microsoft Office 365 email services as part of the evasion strategy. Experts suggest that dozens of businesses in construction, legal sectors, retail, and finance could be on their list of targets.

New Threats

Moreover, the month manifested a sea of diverse vulnerable systems that make an attractive hotspot for cyberattacks. Over a hundred smart irrigation systems designed by Mottech Water Management were found to be deployed with lax security measures. Separately, researchers reported variants of TrickBot and Mirai Botnet suffocating critical infrastructures in the U.S. Additionally, the Silent Librarian hacker group made a comeback as schools and universities began to reopen.

More than 100 smart irrigation systems deployed worldwide were installed without changing the default password, making them vulnerable to malicious attacks. Discovered by researchers, these irrigation systems were found to be visible on the open internet across Israel, South Korea, the U.S., Switzerland, and France, with more than half of the systems in Israel.
Variants of TrickBot and Mirai disrupted the critical infrastructure of several organizations. While TrickBot’s operators moved a portion of trojan code to Linux called Anchor_Linux in an attempt to widen the scope of attacks, the new version of Mirai, dubbed Katana, came with enhanced modules such as layer 7 DDoS, unique encryption keys, fast self-replication, and secure C2 server.
According to researchers, over 100,000 Windows systems are still vulnerable to the previously known SMBGhost flaw that could allow malware to spread malware across machines without any need for user interaction. Most of the vulnerable machines are located in Taiwan (22%), followed by Japan (20%), and Russia (11%).
The Silent Librarian returned targeting universities across the globe in a massive spearphishing campaign. The group’s primary focus is on universities in the U.S., the U.K, Canada, Australia, and the Netherlands.
Abaddon becomes the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform, Discord, as a C2 server. The RAT’s capabilities include stealing multiple data from the infected host, including Chrome cookies, saved credit cards, and Steam credentials.
Threat actors were found scanning the internet for Oracle WebLogic server affected by a critical remote code execution vulnerability, allowing attackers to achieve RCE on a vulnerable WebLogic Server by sending an HTTP GET request.
The NSA published a list of 25 highly-exploited vulnerabilities by Chinese actors worldwide. In these attacks, criminals typically first identify their target, gather technical data, look for vulnerabilities linked to the target, develop or reuse an exploit, and then launch their attack operation.
In a series of recent attacks, Sophos researchers found that LockBit ransomware used automated tools such as using renamed copies of PowerShell and Windows VBScript to move laterally across networks and evade detection.
Seven mobile browsers—Apple Safari, Opera Touch, Opera Mini, Bolt, RITS, UC Browser, and Yandex Browser—affected by an address bar spoofing vulnerability could allow malicious actors to spoof legitimate sites. While some of these browsers have received a security patch, few are yet to be fixed.
A new report highlights that ransomware operators are buying network access credentials, vulnerable endpoints, and compromised employee accounts to simplify their attack process. Access to these entities is priced between $300 and $10,000.
A new phishing email attack that pretended to offer updates on the U.S. President Donald Trump’s health was used to distribute BazarLoader backdoor. The email included a link that redirected victims to a malicious webpage, from where the malware got downloaded in the background.

Related Threat Briefings