Cyware Weekly Threat Intelligence, January 13 - 17, 2020

Weekly Threat Briefing • January 17, 2020
Weekly Threat Briefing • January 17, 2020
The Good
With the weekend around the corner, let’s glance through all the good, bad, and new threats in cyberspace that many in the industry talked about this week. Starting with the good, a UK-based business, Veridium sprang a new technology that could validate the identity of a user with its phone device by monitoring its habits. Further, Google’s latest update enables iPhone users to use their phone as a physical 2FA security key to log into Google accounts. Also, CSA announced a new global event ‘SECtember’ that focuses on educating the industry on the crossroads of cloud and cybersecurity.
The Bad
This week, breaches and ransomware incidents turned awry for organizations and authorities. Canadian online pharmacy PlanetDrug spilled the personal and financial data of an undisclosed number of customers. In other news, Australia's P&N bank had its customer relationship management system raided by hackers and putting personal information of some 96,000 members on risk. Also, scammers siphoned off the Manor Independent School District of Texas of $2.3 million in three different transactions.
New Threats
Several new threats and vulnerabilities were discovered this week. Researchers found a new ransomware dubbed Ako that uses span to infect its victims. Meanwhile, Oski, a new malware, was spotted targeting browser data, and crypto-wallets in the U.S. Also, a group of researchers reported 'Cable Haunt' modem flaw in Broadcom chips affecting hundreds of millions of users.
Ako, a new breed of ransomware, was discovered and reported this week. However, it was unclear how the ransomware spreads. It is now found that the ransomware is distributed via malicious spam emails that pretend to be a request agreement such as ‘Agreement 2020 #1775505’. The email usually includes a password-protected zip file named agreement.zip with the password ‘2020’ being given in the email.
More than 800 computers of a medical firm got compromised in a cyber incident starting October 14, 2019. Threat actors reportedly exploited the WAV audio files to hide the malware modules and later distributed it to vulnerable Windows 7 machines via EternalBlue. The purpose of the infection was to mine cryptocurrencies.
Microsoft issued security patches for 49 vulnerabilities, out of which 7 were classified as ‘Critical’ and 41 as ‘Important’ and 1 as ‘Moderate’. One of the critical vulnerabilities termed as CryptoAPI Spoofing flaw was discovered and reported by the NSA. It could allow attackers to spoof digital certificates to perform MITM attacks.
A group tracked as Ancient Tortoise was found impersonating a company’s CFO in an attempt to collect aging reports from accounts receiving specialists. The group could use the collected—and updated—reports to conduct scams in later attack stages. (Aging reports are track report of outstanding invoices of customers who haven’t yet paid for goods or services they bought on credit.)
The infamous Emotet trojan came back after a three-week hiatus. The trojan was found targeting over eighty countries with malicious spam campaigns. The campaign leverages phishing emails that pretend to be proof-of-delivery documents, reports, agreements, and statements. These emails include either attached documents or links that can be used to download them.
Some 5,000 Android phones were reported to be infected by the new version Faketoken Android trojan. The trojan is used to drain its victims’ bank accounts to fuel offensive mass text campaigns targeting mobile devices from all over the world. Once installed on the victim’s device, Faketoken first checks if their bank accounts have enough money. It will then use the stolen payment cards to add credit to the victim’s mobile account.
At least 200 million Broadcom-based cable modems were affected by the new Cable Haunt flaw. The flaw allowed attackers to compromise a modem and gain full control over the inbound and outbound traffic. The attackers could also eavesdrop on browsing activity, re-route traffic to malicious domains, or even zombify devices to use them in botnet attacks.
A new malware dubbed Oski Stealer was spotted targeting browser data and crypto-wallets in the U.S. Being advertised in underground cyber-forums, including several Russian forums, the malware’s capabilities include gathering sensitive information such as credentials, credit card numbers, wallet accounts and more. It has already managed to steal over 50,000 passwords so far.
Proof-of-concept for the critical Citrix bug was published on GitHub, making future attacks trivial for most attackers. The vulnerability tracked as CVE-2019-19781 affects Citrix’s NetScaler ADC and NetScaler Gateway servers. It was estimated that more than 80,000 organizations could be running flawed Citrix instances.
Scammers were reported exploiting Remote Desktop tools to conduct SIM swapping attacks. The technique involved convincing an employee in a telecom company’s customer support center to run or install RDP software. Once the RDP software gets activated, the scammers again convince the employee to provide credentials to RDP service to remotely control the machine and reach into the company’s software to SIM swap individuals.