Cyware Weekly Threat Intelligence, December 02 - 06, 2019
Weekly Threat Briefing • Dec 6, 2019
The Good
Before we begin planning for a happening weekend, let’s make sure our systems and networks are safe against imminent threats. While the week saw a mix of good and bad incidents, it also saw some threat actors coming back to haunt us. Let’s start with all the positive events in the cybersecurity space. Researchers have achieved a new crypto-cracking feat with the factoring of the largest RSA key size ever computed. Also, CISA released a fresh directive for all federal agencies to report bugs through a defined procedure. In other news, the global law enforcement team brought down the empire of Imminent Monitor RAT.
-
The Cybersecurity and Infrastructure Security Agency (CISA) released a fresh directive that directs all federal agencies to develop and publish a vulnerability disclosure policy, allowing ethical hackers to report bugs through a defined procedure. The directive touches on various other logistics of vulnerability disclosure reports, including its handling procedures, as well as reporting requirements and metrics.
-
Researchers achieved a new crypto-cracking record with the factoring of the largest RSA key size ever computed and a matching computation of the largest-ever integer discrete logarithm. The new record includes the factoring of RSA-240, an RSA key that has 240 decimal digits and a size of 795 bits. Also, it’s the first time that records for integer factorization and discrete logarithm have been broken together.
-
The global law enforcement authorities have dismantled the infrastructure behind a remote access tool (RAT). Since first appearing in 2012, it was dubbed as the fastest remote administration tool ever created using new—and never used before—socket technology. According to Europol, the tool had more than 14,500 buyers across 124 countries and had been used to infect tens of thousands of victims.
-
The National Science Foundation has awarded a planning grant to the researchers from the University of Kansas to design a multi-institutional Center for High-Assurance Secure Systems and IoT (CHASSI). The research center would partner with private firms in the country to enhance the security of IoT products and systems in use across sectors.
-
IBM and the University of Ottawa announced the launch of a uOttawa hub to strengthen Canada’s posture towards cyber threats and attacks. The hub will pair IBM’s technology expertise in data analytics, deep learning, software, and systems with uOttawa’s research, training, and teaching strengths to meet critical cybersecurity goals.
The Bad
The week also witnessed multiple breach incidents being reported. In an incident with Mixcloud, an online music streaming service, 21 million user accounts were compromised and were put up for sale on a dark web forum. Also, TrueDialog, a business SMS solution provider, mistakenly left tens of millions of private text messages on an unsecured server. Meanwhile, Chinese hackers managed to steal $1 million in an amount transfer hack from a VC firm to a start-up.
-
Online music streaming service Mixcloud suffered a data breach exposing information of over 21 million user accounts. The exposed data was put up for sale for $4,000, or about 0.5 bitcoin, on a dark web forum. The data contained usernames, email addresses, and passwords that were hashed and salted using the SHA-2 algorithm.
-
Tens of millions of private text messages (SMS) were left open online for an extended period of time by TrueDialog. The company currently works with over 990 cell phone operators and has more than 5 billion subscribers. Security researchers from vpnMentor found the exposed database as part of their internet scanning efforts.
-
CyrusOne, one of the biggest data center providers in the U.S., became a victim of a ransomware attack. It was attacked with a version of the REvil (aka Sodinokibi) ransomware. The same ransomware family had hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.
-
A Sprint contractor left thousands of U.S. customers’ cell phone bills of AT&T, Verizon, and T-Mobile on an unprotected cloud server. The storage bucket, hosted on Amazon Web Services (AWS), contained more than 261,300 documents. Besides bills, there were other sensitive documents on the server, some of which contained credentials in it.
-
Chinese hackers managed to steal $1 million that was being wired from a Chinese VC firm to an Israeli startup. The stolen funds were part of an upcoming multi-million dollar seeding fund for the startup. The hacker reportedly sent a total of 18 emails to the Chinese VC firm and 14 to the Israeli startup ahead of the compromised bank transfer.
-
An unprotected cloud server was left open by mattress and bedding giant Tuft & Needle exposing hundreds of thousands of FedEx shipping labels. More than 236,400 shipping labels were found on an Amazon Web Services (AWS) storage bucket without a password. However, it’s not known for how long the storage bucket was left open.
-
A data breach exposed personal data of nearly 6,000 students of Montgomery County, Maryland. Initially, what looked like a security incident affecting 1,344 accounts at one school, was later found to be affecting nearly 6,000 accounts, during multiple hack attempts involving more schools. The suspect reportedly performed a brute force attack.
-
Upon analyzing a database of 3 billion leaked credentials, the Microsoft threat research team found that 44 million accounts were still using breached passwords. Microsoft told that the leaked credentials came from multiple sources, including law enforcement and publicly accessible databases.
New Threats
This week’s highlights include a number of vulnerabilities and malware strains, while some returing in their newer versions. Proofpoint researchers came across Buer, a new modular loader, with robust geotargeting, system profiling, and anti-analysis features. In the next news, IBM X-Force published a report on a new iranian malware ‘wiper’ used in a destructive attack against companies in the Middle East. Another group of researcher disclosed the details of two new vulnerabilities in GoAhead web server which had puts hundreds of millions of IoT devices under threat.
- The U.S. State Department, Justice Department, and the FBI have jointly announced a $5 million bounty for leads on the Russian hacking group Evil Corp. The crew had stolen tens of millions from multiple organizations including Bank of America, Key Bank, GenLabs, and United Dairy. Downloadable copies of the IOCs are also available in CSV and STIX formats.
- Proofpoint researchers, while tracking the development and sale of a new modular loader, came across Buer which bears highly competitive features as Smoke Loader. The new loader has robust geotargeting, system profiling, and anti-analysis features. It is being actively sold in popular underground marketplaces and is intended for use actors seeking a turn-key, off-the-shelf solution.
- Researchers uncovered the details of two new vulnerabilities in GoAhead web server which puts hundreds of millions of Internet-connected smart devices under threat. The two code execution flaws, assigned CVE-2019-5096 and CVE-2019-5097, affected GoAhead Web Server versions v5.0.1, v.4.1.1, and v3.6.5, while the latter could lead to denial-of-service attacks as well.
- The Lazarus group, one of North Korea's notorious state-sponsored hacking groups, came back with new techniques to infect macOS machines. The new malware used by the group has C&C capabilities and can gather information about the infected system. The seconday payload of the malware performs its function in-memory, thereby requiring no further installations of any files on the target system.
- This week, Microsoft issued guidance regarding Windows Hello for Business (WHfB) public keys that persist even after the devices they are tied to are removed from Active Directory. Dubbed as orphaned keys, these are often not deleted from AD even when the devices they were created on are no longer present. By exploiting this, an attacker could pose as the user and authenticate within the domain using Public Key Cryptography for Initial Authentication (PKINIT).
- IBM X-Force published a report on a new form of "wiper" malware connected to threat groups in Iran and used in a destructive attack against companies in the Middle East. The malware, named as ZeroCleare, was used to target specific organizations where it used brute-force password attacks to gain access to network resources. In addition to it, the attackers exploited a SharePoint vulnerability to drop web shells on a SharePoint server.
- A large number of vulnerable servers of small and mid-size enterprises (SMEs) across APAC (primarily Vietnam, India, Indonesia, Australia, China, and Japan) were found to be under attack by Emotet actors. Researchers found the majority of these compromised domains running WordPress. More importantly, they lacked latest updates and patches on their web servers.
- A security researcher discovered the new Clop ransomware that attempts to remove Malwarebytes and other security products running on the infected systems. The malicious code, a variant of the CryptoMix ransomware, also attempted to disable Windows Defender by configuring the registry values associated with this security feature.
- A serious vulnerability was uncovered by the researchers of Immersive Labs which affects Aviatrix VPN. The vulnerability would have allowed an attacker who already had access to a target machine to escalate privileges and achieve anything they wanted; for example, gaining access to files, folders and network services that the user would not have previously been able to access.