Cyware Weekly Threat Intelligence, January 13 - 17, 2020

Weekly Threat Briefing • Jan 17, 2020
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Jan 17, 2020
The Good
With the weekend around the corner, let’s glance through all the good, bad, and new threats in cyberspace that many in the industry talked about this week. Starting with the good, a UK-based business, Veridium sprang a new technology that could validate the identity of a user with its phone device by monitoring its habits. Further, Google’s latest update enables iPhone users to use their phone as a physical 2FA security key to log into Google accounts. Also, CSA announced a new global event ‘SECtember’ that focuses on educating the industry on the crossroads of cloud and cybersecurity.
Veridium, a UK-headquartered business, has developed a unique technology that could replace everyday hustle of saving, remembering, and securing passwords while improving security. It comes with the ability to verify users by monitoring the use of your phone, your fingerprint ID, and the way you type or hold your device.
Google has expanded its security feature for iPhone users whereby users can register their smartphones as the two-factor authentication (2FA) method for their Google accounts. Two-factor authentication, unlike Google authenticator’s six-digit verification code, provides an additional layer of security for one’s Google account avoiding remote hacking.
The Ministry of Public Security, Vietnam drafted a decree on personal data protection to formalize the legal rights of individuals and organizations. There were reports of increased cases of personal data theft in the country. Many new services using personal information had raised issues related to national security and social order and safety.
CSA announced a new global event ‘SECtember’ this week to bring focus at educating the industry on key issues and trends faced in cloud and cybersecurity. SECtember will feature in-depth training, networking opportunities and interactive sessions with global experts.
The Bad
This week, breaches and ransomware incidents turned awry for organizations and authorities. Canadian online pharmacy PlanetDrug spilled the personal and financial data of an undisclosed number of customers. In other news, Australia's P&N bank had its customer relationship management system raided by hackers and putting personal information of some 96,000 members on risk. Also, scammers siphoned off the Manor Independent School District of Texas of $2.3 million in three different transactions.
Canadian online pharmacy PlanetDrugsDirect is notifying its customers that their personal and financial information may have been affected in a data security incident. The exposed data includes customers’ names, email addresses, phone numbers, medical information, prescriptions, and payment information. Customers are advised to keep a close eye on their bank account and credit card activity.
Thousands of highly sensitive records, around 19.95 GB of data, of adult models from PussyCash was leaked on the internet in a data breach incident due to an unprotected S3 bucket. The leak has exposed the personal data and likeness of over 4,000 models apart from videos, marketing materials, photographs, clips and screenshots of video chats, and zip files.
P&N Bank of Australia disclosed a cyberattack in which personally identifiable information (PII) and sensitive account information was exposed. The compromised data includes names, addresses, emails, age, customer account numbers, and account balance. As many as 100,000 individuals may have been impacted by the incident that occurred during a server upgrade on December 12, 2019.
A hacker was found selling a huge database of 49 million business contacts on an underground forum that can be used for pitches and sales. The hacker claimed that the data belongs to LimeLeads, a San Francisco-based B2B contact database provider. The hacker managed to steal records as the firm failed to set up a password for an internal server.
Sensitive details including passports of thousands of British users were left exposed for years on an unsecured Amazon S3 bucket. The exposed data included tax documents, job applications, proofs of address, criminal records, and more. While the owner of the database could not be asserted, experts believed that it belonged to CHS Consulting.
Thousands of baby videos and images were left unsecured and exposed to the internet on an Elasticsearch server by Peekaboo Moments. The database contained more than 70 million log files and 100 GB of data. The exposed data included over 80,000 email addresses, detailed device data, and more.
The top blog site Boing Boing disclosed that it was hacked after it was found redirecting visitors to a “dangerous malware” error page. Following the incident, all employees of the firm were asked to change their login credentials. They have also implemented security measures to ensure hackers don’t access the website again.
A school district in Manor, Texas lost $2.3 million within two months in a phishing scam. The amount was transferred to scammers in three separate transactions between November and December. The Federal Bureau of Investigation (FBI) is currently investigating the matter.
A new Magecart attack was reported to be compromised the website collecting donations for the victims of Australia’s bushfires. Crooks planted a malicious script named ATMZOW on the website that was designed to steal the payment information of the donors. The stolen data was then sent to a domain amberlo[.]com under the control of the attackers.
Maze ransomware operators listed out a number of victim companies that have denied paying the ransom. The affected companies include Southwire, RBC, THEONE, Vernay, Groupe, Europe Handling SAS, Auteuil Tour Eiffel, BST & Co and more. The ransomware group has claimed to have exfiltrated 3GB of data from some of these firms.
Facial recognition data from millions of public surveillance cameras were left exposed since the summer of 2019. The leaked data belongs to Chinese AI startup Megvii. It is unclear how many people have been affected by the security lapse.
New Threats
Several new threats and vulnerabilities were discovered this week. Researchers found a new ransomware dubbed Ako that uses span to infect its victims. Meanwhile, Oski, a new malware, was spotted targeting browser data, and crypto-wallets in the U.S. Also, a group of researchers reported 'Cable Haunt' modem flaw in Broadcom chips affecting hundreds of millions of users.
Ako, a new breed of ransomware, was discovered and reported this week. However, it was unclear how the ransomware spreads. It is now found that the ransomware is distributed via malicious spam emails that pretend to be a request agreement such as ‘Agreement 2020 #1775505’. The email usually includes a password-protected zip file named agreement.zip with the password ‘2020’ being given in the email.
More than 800 computers of a medical firm got compromised in a cyber incident starting October 14, 2019. Threat actors reportedly exploited the WAV audio files to hide the malware modules and later distributed it to vulnerable Windows 7 machines via EternalBlue. The purpose of the infection was to mine cryptocurrencies.
Microsoft issued security patches for 49 vulnerabilities, out of which 7 were classified as ‘Critical’ and 41 as ‘Important’ and 1 as ‘Moderate’. One of the critical vulnerabilities termed as CryptoAPI Spoofing flaw was discovered and reported by the NSA. It could allow attackers to spoof digital certificates to perform MITM attacks.
A group tracked as Ancient Tortoise was found impersonating a company’s CFO in an attempt to collect aging reports from accounts receiving specialists. The group could use the collected—and updated—reports to conduct scams in later attack stages. (Aging reports are track report of outstanding invoices of customers who haven’t yet paid for goods or services they bought on credit.)
The infamous Emotet trojan came back after a three-week hiatus. The trojan was found targeting over eighty countries with malicious spam campaigns. The campaign leverages phishing emails that pretend to be proof-of-delivery documents, reports, agreements, and statements. These emails include either attached documents or links that can be used to download them.
Some 5,000 Android phones were reported to be infected by the new version Faketoken Android trojan. The trojan is used to drain its victims’ bank accounts to fuel offensive mass text campaigns targeting mobile devices from all over the world. Once installed on the victim’s device, Faketoken first checks if their bank accounts have enough money. It will then use the stolen payment cards to add credit to the victim’s mobile account.
At least 200 million Broadcom-based cable modems were affected by the new Cable Haunt flaw. The flaw allowed attackers to compromise a modem and gain full control over the inbound and outbound traffic. The attackers could also eavesdrop on browsing activity, re-route traffic to malicious domains, or even zombify devices to use them in botnet attacks.
A new malware dubbed Oski Stealer was spotted targeting browser data and crypto-wallets in the U.S. Being advertised in underground cyber-forums, including several Russian forums, the malware’s capabilities include gathering sensitive information such as credentials, credit card numbers, wallet accounts and more. It has already managed to steal over 50,000 passwords so far.
Proof-of-concept for the critical Citrix bug was published on GitHub, making future attacks trivial for most attackers. The vulnerability tracked as CVE-2019-19781 affects Citrix’s NetScaler ADC and NetScaler Gateway servers. It was estimated that more than 80,000 organizations could be running flawed Citrix instances.
Scammers were reported exploiting Remote Desktop tools to conduct SIM swapping attacks. The technique involved convincing an employee in a telecom company’s customer support center to run or install RDP software. Once the RDP software gets activated, the scammers again convince the employee to provide credentials to RDP service to remotely control the machine and reach into the company’s software to SIM swap individuals.