Cyware Weekly Cyber Threat Intelligence | March 05 - 09, 2018

Weekly Threat Briefing • Mar 9, 2018
Researchers have developed new techniques that help us work towards a cyber-secure future. The C++ homomorphic encryption technique has been modified to run 75 times faster. Also, a new facial recognition system, called Face Flashing, has been designed to ensure secure authentication. In other news, prominent telecommunication companies have joined forces to launch the Mobile Authentication Task Force to improve security solutions for devices.
Researchers at IBM have modified the C++ homomorphic encryption technique, which is now said to operate 75 times faster. The technique allows users to operate on encrypted data without decrypting it, thus enabling secure operation. For instance, companies could use the technique to encrypt their cloud-based database and work on it without decoding the text. The first version of the HElib C++ library was released by IBM three years ago.
Academics have come up with a new facial recognition system, named Face Flashing. The design relies on two important factors: the light patterns that are reflected off a human face, and the speed with which the system interprets the reflected light to detect any forgery attempt. The technique works with cameras in conjunction with an LCD screen on computers, phones, and authentication panels.
Last year, prominent telecommunication companies AT&T, Verizon, Sprint and T-Mobile joined hands to launch the Mobile Authentication Task Force. The focus was to create an improved security solution for their devices. The telecom companies seem to have arrived at a solution that will now undergo further trials in the coming weeks and would likely be available for adoption by the year end.
This week registered the largest DDoS attack the world has ever seen! Memcached-based DDoS attacks have affected a number of victims. Network problems at a Danish telecom company affected at least 450,000 customers. Researchers have also discovered several attacks and malware infections: 50,000 websites were identified as infected with crypto-jacking scripts, and the PoS (point-of-sale) systems of more than 160 Applebee's restaurants across the US were affected by an anonymous malware.
The Memcached-based DDoS attacks have taken the entire security world by surprise. After GitHub, another company was targeted by the hackers. In a blog post, Arbor Networks uncovered a massive 1.7 Tbps DDoS attack targeting customers of a US-based internet service provider. The attack was carried out using the same technique that was used in the 1.35 Tbps attack on GitHub. The number of affected victims has not been disclosed yet.
Danish telecom company TDC recently reported a network problem that could potentially affect its customers in Denmark, Sweden, and Norway. Due to the network failure, at least 450,000 of its customers, who are predicted to be affected, were unable to make or receive any calls. The problem is yet to be identified.
A security researcher has managed to identify nearly 50,000 websites that have been infected with crypto-jacking scripts. These websites include government and public service agency portals. At least 7,368 of these compromised sites are powered by WordPress. However, some of these sites have already been cleared of the malware. According to the researcher, Coinhive continues to be the most widespread crypto-jacking script out there, accounting for close to 40,000 infected websites, a stunning 81 percent of all recorded cases.
RMH Franchise Holdings disclosed that more than 160 Applebee's restaurants across the US were affected by an anonymous malware that was found on point-of-sale (PoS) systems. The malware was designed to extract details such as names, credit/debit card numbers, expiration dates and card verification codes, though it did not impact payments made online or using self-pay tabletop devices. In the majority of cases, the malware was present in PoS systems since December 6, 2017, while in some cases the malware has been active since November 23 or December 5, 2017.
As new threats emerge each week, this week has been particularly daunting. Researchers have uncovered a new cryptocurrency miner, vulnerabilities, a new version of a previously released malware, and a new attack method. CryptoJack, a new cryptocurrency miner, has been spotted targeting online wallets. Several new vulnerabilities have been uncovered in the core protocols that power 4G LTE mobile networks. A new version of the GandCrab ransomware, dubbed GandCrab 2, has been noticed. A new attack method that can bypass Microsoft’s Code Integrity Guard (CIG) is being used by hackers.