Cyware Weekly Threat Intelligence, August 17 - 21, 2020

Weekly Threat Briefing • Aug 21, 2020
The Good
There is no denying that malware threats are becoming more commonplace with every passing day. Amid this rising menace, however, security experts and analysts keep working to blunt the risks that malware poses. On that front, the week saw some notable defensive tools released for use against the Emotet trojan, the GoldenSpy backdoor, and WannaRen ransomware.
A kill switch called EmoCrash enabled researchers to hold back the spread of the Emotet trojan for nearly six months, between February 6 and August 6, 2020. The kill switch was built by exploiting a buffer overflow flaw found in the trojan itself.
Researchers identified five uninstallers meant to remove the China-linked GoldenSpy backdoor from infected computers. These uninstallers have identical behavior but differ in execution flows and string obfuscation techniques.
A decryption tool that enables victims of WannaRen ransomware to recover their files is publicly available for download. The ransomware bears similarities to the well-known WannaCry ransomware.
The Bad
Alongside the favorable news, the week also brought a string of damaging ransomware attacks. While the University of Utah paid a large ransom to prevent the leak of its student data, other organizations such as SnapFulfil, SK Hynix, Konica Minolta, and Carnival Corporation continue to struggle after being hit by disruptive ransomware attacks.
The University of Utah paid a ransom of over $450,000 to prevent the ransomware gang from leaking student data on the internet. The university chose to pay to keep the stolen data from being released, even though it had already restored its systems from backups.
In a press release, the grocery delivery and pick-up service Instacart revealed that its recent data breach was caused by two employees working for a third-party support vendor. The firm notified 2,180 shoppers about the incident via email.
Utah Gun Exchange admitted that its users’ data was compromised and leaked on a public forum, alongside data from other sites such as muleyfreak.com and deepjunglekratom.com. Although the leaked data contained users’ personal information, there was no evidence that any financial data was exposed in the incident.
The week was no better when it came to ransomware attacks. This time, the affected organizations included SnapFulfil, SK Hynix, and Carnival Corporation. Ponca City’s public school district also struggled to cope with a ransomware attack that occurred over the weekend.
Even the Japanese technology giant Konica Minolta and the U.S. wine and spirits company Brown-Forman were not spared from the terror of ransomware attacks. While the ransomware behind the Konica Minolta attack is still unknown, the attack on Brown-Forman was conducted using the REvil ransomware.
The South African branch of the consumer credit reporting agency, Experian, disclosed a data breach that impacted the personal details of 24 million South Africans and 793,749 local businesses. The incident occurred after the agency handed over the sensitive data to a fraudster posing as a client.
A misconfigured database allowed a data broker to expose the profiles of nearly 235 million users of Instagram, TikTok, and YouTube. Each of these records included profile name, real name, profile picture, account description, age, gender, and more.
About 80 Israel-based gym and sports apps suffered data breaches due to several vulnerabilities in the Fizikal management platform. The flaws could allow hackers to bypass security checks and launch brute-force attacks on app users.
An artificial intelligence company, Cense, leaked 2.5 million records that contained sensitive medical data and Personally Identifiable Information (PII). The breached data was hosted on the same IP address as Cense’s own website.
Some 513 emails associated with the SANS Institute were inadvertently sent to an unknown external email address as a result of a phishing attack. This resulted in the compromise of 28,000 records belonging to the institute.
Nine data leak incidents that caused the compromise of medical data of 200,000 U.S. users came to light after researchers discovered misconfiguration issues in GitHub repositories. The affected entities included Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, and AccQData.
Cooke County, Texas, mailed more than 2,000 letters to inform residents about a ransomware attack that occurred in July. The attack is believed to have impacted the personal data of some residents.
New Threats
Turning to new threats, the week witnessed the discovery of two new and sophisticated pieces of malware, BLINDINGCAN and FritzFrog. While BLINDINGCAN was used in attacks on the U.S. defense and aerospace sectors, the FritzFrog botnet is being actively used to target SSH servers.