
Cyware Weekly Threat Intelligence - February 10–14


Weekly Threat Briefing Feb 14, 2020

The Good

In the cybersecurity world, data encryption is often hailed as a necessary security measure to protect sensitive data stored by organizations. The stronger the encryption process, the more secure the data is. Keeping this in mind, a group of scientists has come up with a unique encryption process that uses crystallization to create random strings. Separately, researchers at the Berryville Institute of Machine Learning developed a new formal risk framework to guide the development of secure machine learning (ML) systems.

  • For the first time, scientists built a robotic system that uses the process of crystallization to create random strings of numbers and encrypt information. This method offers a good alternative to existing true random number generators, as it takes a longer time to crack the algorithm.

  • The Federal School Safety Clearinghouse launched a new website resource to boost cybersecurity efforts for K-12 schools and school districts in collaboration with the DHS, and the departments of Education (DoE), Justice (DoJ), and Health and Human Services (HHS).

  • Researchers at the Berryville Institute of Machine Learning (BIML) developed a formal risk framework to guide the development of secure machine learning (ML) systems. Unlike previous work, this model focuses on securing ML systems from a design perspective rather than protecting operational systems and data against particular attacks.

The Bad

Meanwhile, a misconfigured database and a software error exposed millions of records in two separate data leak incidents. Estée Lauder Companies Inc. leaked over 440 million records due to an unguarded database, while a software error in the Danish government’s TastSelv Borger tax service exposed the personal data of 1.2 million Danish citizens. Apart from these incidents, the US store chain Rutter’s was hit by a malware attack affecting its Point-of-Sale (PoS) systems.

  • Cosmetic giant Estée Lauder Companies Inc. came under fire for leaking over 440 million records publicly due to an unprotected database. The exposed records included emails in plain text, internal documents, Middleware logs and more. It is unknown for how long the data leak existed.

  • A cyberattack on Generate’s online application system affected the photographic identification, tax department numbers, and other personal details of some 26,000 customers. The Auckland-based saving scheme provider said the incident occurred between December 29, 2019, and January 27, 2020, and that it is currently working with law enforcement agencies to investigate the cause of the incident.

  • A phishing attack at Altice USA Inc. affected the personal information of some 12,000 current and former employees. The compromised data included Social Security numbers and birth dates of employees. Altice USA, in its breach notification, disclosed that there is no evidence that the personal information has been misused.

  • A misconfigured Amazon S3 bucket belonging to JailCore exposed 36,077 records of sensitive data on inmates at facilities in Florida, Kentucky, Missouri, Tennessee, and West Virginia. The leaked information included names, mugshots, IDs, booking numbers, activity logs, and a host of personal health information. While the bucket was secured last month, the number of people affected by the leak remains unclear.

  • TastSelv Borger tax portal, managed by the US company DXC Technology, accidentally leaked the personal data of 1.2 million Danish citizens due to a software error. The bug was rectified as soon as DXC became aware of it.

  • Puerto Rico lost over $2.6 million after one of its government agencies transferred the money to a fraudulent account. The scam was carried out through a phishing email that asked for a change of a banking account tied to remittance payments.

  • The American store chain Rutter’s was hit by a malware attack targeting its Point-of-Sale (PoS) systems. A majority of the company’s over 70 store locations in Central Pennsylvania, West Virginia and Maryland were reportedly affected by the incident. The company disclosed that attackers may have gained unauthorized access to some customers’ payment card data.

  • The Institute of International Education (IIE) accidentally exposed thousands of sensitive student records due to an unprotected database. The exposed database contained links to students’ documents, including passport scans, visa documents, medical forms, funding verification details, student dossiers, and more. The institute manages over 200 programmes covering 29,000 international students.

  • The South Africa-based Nedbank was hit by a third-party security breach that impacted the personal details of 1.7 million users. Attackers infiltrated Computer Facilities (Pty) Ltd, a South African company that provided marketing services to the bank. The company took down its systems to prevent further attacks or breach of customer data.

New Threats

New variants of existing malware and previously unknown vulnerabilities were also uncovered this week. Among the new variants, the Emotet and Loda trojans grabbed the spotlight for targeting victims through insecure wireless networks and malicious websites respectively. The newly discovered vulnerabilities included the BlueFrag vulnerability affecting phones running Android 8 Oreo or Android 9 Pie, and the SweynTooth vulnerabilities impacting Bluetooth Low Energy (BLE) technology on system-on-a-chip (SoC) circuits. Security researchers also discovered the new xHelper Android malware strain, which is capable of reinfecting target devices even after a factory reset.

  • A notification sent out by the FBI alerted US private organizations about an ongoing hacking campaign that distributes Kwampirs malware. The campaign is similar to a supply chain attack that was reported by Symantec in 2018. Now, the campaign appears to have evolved to target companies in the ICS sector.

  • Two new vulnerabilities affecting Bluetooth technology made headlines this week. The first, called BlueFrag, impacts phones running Android 8 Oreo or Android 9 Pie. The second is a collection of bugs called SweynTooth that affects the implementation of Bluetooth Low Energy technology on multiple system-on-a-chip (SoC) circuits.

  • The newly discovered KBOT virus is claimed to be the first ‘living’ virus spotted in the wild. The malware gets onto a user’s computer via the web, the local network, or an infected piece of external media. Once launched, it gains a foothold on the system by writing itself to Startup and the Task Scheduler. The virus then performs a web injection attack to steal the user’s personal and banking data. It also attempts to load additional stealer modules designed to steal the user’s logins, cryptocurrency wallet data, and other information.

  • Security researchers have disclosed a dozen flaws in the implementation of the Bluetooth Low Energy technology on multiple system-on-a-chip (SoC) circuits that are used by at least 480 devices from different vendors. Collectively named SweynTooth, the vulnerabilities can be abused by attackers within Bluetooth range to crash affected devices, force a reboot, or bypass the secure BLE pairing mode.

  • Researchers discovered the Ragnar Locker ransomware, which has an enhanced capability of using remote monitoring and management (RMM) software as a channel for propagation. The malware performs a couple of checks before proceeding with its infection process.

  • Emotet trojan appeared in one of the cyberespionage campaigns that made use of its newly added ‘WiFi spreader’ module. The purpose of this new variant was to spread across insecure wireless networks and infect as many new users as possible.

  • Security researchers observed a new malware campaign that utilized websites to host a new variant of Loda RAT. The campaign targeted organizations in South America and Central America. The RAT’s capabilities include stealing usernames, passwords, and cookies saved within browsers.

  • A remote access trojan (RAT) named Parallax was found to be widely distributed through malicious spam campaigns. When installed, it allows attackers to gain full control over an infected system. The malware was being offered for as low as $65 a month on underground forums.

  • A researcher from Malwarebytes spotted the new xHelper Android malware strain targeting US-based phones. The malware is capable of reinfecting target devices even after factory reset by leveraging a malware dropper hidden inside certain Android directories.

  • Security experts at Venafi observed that the malware used in attacks targeting Ukrainian power utilities is now being deployed widely to steal SSH keys. By compromising a single SSH key, attackers could gain undetected root access to mission critical systems to spread malware or sabotage processes, as per the researchers.

  • Google removed more than 500 malicious Chrome extensions with millions of downloads from the Chrome Web Store. These extensions were found uploading private browsing data to attacker-controlled servers. Google removed the extensions for violating user privacy.

  • Researchers at Emsisoft spotted a new ransomware strain dubbed Ransomwared that demands victims’ private photos in exchange for a decryption tool to unlock all the encrypted data. However, the researchers indicate that the ransomware strain is not very sophisticated in its design.

  • MIT researchers identified multiple security vulnerabilities in the mobile voting app called Voatz that was used during the 2018 midterm elections in West Virginia. The researchers found that an adversary with remote access to a target device could potentially alter or see a user’s vote, and that the app server could potentially be hacked to change users’ votes.
