Cyware Weekly Threat Intelligence, April 27 - May 01, 2020

Weekly Threat Briefing • May 1, 2020
The Good
The Shade ransomware has finally retired. The operators of the ransomware, also known as Troldesh, have released over 750,000 decryption keys as a goodwill gesture after shutting down their operations. Meanwhile, Microsoft and Google have updated their respective cloud computing services to improve the security of data processing.
The operators of Shade ransomware announced the shutdown of their operations by releasing over 750,000 decryption keys, which have been published in a GitHub repository.
Microsoft and Google announced updates to their respective virtual machine (VM) offerings so that highly confidential information can be processed in Microsoft Azure and Google Compute Engine.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an update to its Microsoft Office 365 security best practices as part of an alert from the US National Cyber Awareness System. These recommendations addressed Office 365 security configuration errors that could weaken an organization's otherwise sound security strategy.
The Bad
On the data leak front, several online service and product companies leaked their customers' email data to third-party advertising and analytics companies. Meanwhile, ExecuPharm and CivicSmart suffered a major blow after being hit by ransomware.
A new study found that multiple online service and product companies leaked their users' email data to third-party advertising and analytics companies. The websites included Quibi.com, JetBlue.com, KongHQ.com, NGPVan.com, Mailchimp's Mandrill.com, WashingtonPost.com, and Wish.com.
Le Figaro exposed 7.4 billion records due to a misconfigured Elasticsearch database. The exposed PII data included full names, emails, home addresses, countries of residence, postcodes, IP addresses, server access tokens, and passwords for new users.
This week, confidential data stolen from Huiying Medical and ExecuPharm was dumped on the dark web. Huiying Medical's COVID-19 detection source code and experimental data were sold for 4 BTC, while ExecuPharm found the personal data of its employees dumped on a dark web site.
State-sponsored hackers used a zero-day vulnerability in Mail.ee's service to hijack several high-profile email accounts that were of interest to a foreign country. The attack was carried out by hiding malware in emails sent to Mail.ee recipients.
A ransomware attack disrupted the operations of the smart parking meter company CivicSmart. The attack was carried out by Sodinokibi ransomware operators. In another incident, Maze ransomware operators claimed responsibility for last year's attack on Banco BCR.
Two Usenet service providers, UseNeXT and Usenet.nl, disclosed that they were affected by security breaches caused by a vulnerability in software from a third-party company. Both companies shut down their websites following the breaches.
Nearly 9 million travel logs belonging to British citizens were exposed due to a glitch in Sheffield City Council's automatic number-plate recognition (ANPR) system. The exposed records included number plates and travel logs of vehicles passing through Sheffield's road network. In a separate incident, GDPR.EU also leaked Git repository data and passwords due to a flaw in its website.
Details of a data breach at the University of Warwick emerged this week. The incident, which occurred last year, led to the compromise of personal information of students, staff, and volunteers participating in research studies.
New Threats
Researchers also observed several attack campaigns this week, including an updated version of the Aggah malspam campaign, PhantomLance, and PerSwaysion. The purpose of these campaigns was either to distribute malware or to steal credentials from users.