Cyware Weekly Threat Intelligence - July 15–19

Weekly Threat Briefing • Jul 19, 2019
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Jul 19, 2019
The Good
Let’s welcome the weekend by revisiting all that happened in the cyberspace over the week. Before delving into the security incidents and the new threats, let’s first take a look at all the positive events. Samsung Electronics, South Korean telcos, and banks formed a consortium to build a blockchain network to deploy mobile authentication services. The U.S. government announced plans to implement new DNS security measures for all .gov domains. Meanwhile, MIT researchers have analyzed the dark web operations via the value chain model and have discovered new strategies to combat them.
Samsung Electronics, South Korean telcos, and banks formed a consortium to build a blockchain network to deploy mobile authentication services. The South Korean telecom companies and banks who are a part of the consortium are SK Telecom, KT, LG Uplus, KEB Hana Bank, and Woori Bank.
The U.S. government announced plans to implement new DNS security measures for all .gov domains to mitigate risks associated with future DNS hijacking attacks. This new initiative was prompted by a global DNS hijacking campaign alert issued by the National Cybersecurity and Communications Integration Center (NCCIC).
Microsoft demonstrated a new technology named ElectionGuard at Aspen Security Forum, which is designed to secure modern electronic voting machines. Microsoft said that it will release the software behind ElectionGuard on GitHub. The tech giant confirmed that they have no plans in releasing commercial voting machines under their brand.
The National Science Foundation awards the University of Arkansas with $4.63 million for recruiting, educating and training the next generation of cybersecurity professionals. The program named “Cyber-Centric Multidisciplinary Security Workforce Development” aims at addressing the shortage of highly skilled cybersecurity professionals.
MIT Sloan Management Review published a report on how cybercriminals operate through a value chain approach. The analysis revealed that when the value chain model is applied to cybercrime, the dark web facilitates criminal activities while remaining hidden through standard web browsers. Based on the analysis, they have also come up with strategies to combat malicious activities.
The Bad
Several data breaches and security incidents were witnessed in this week. An American telecommunications company, Sprint had its customer accounts breached via Samsung’s 'add a line' website. Hackers stole almost 110 databases containing the private data of millions of Bulgarians from the NRA’s network and leaked 57 databases to local news publications. The number of exposed users in Evite data breach is much larger than what was previously stated. Earlier, it was reported that the data breach impacted 10 million users, however, now it has come to light it impacted around 101 million users.
Hackers gained unauthorized access into Sprint customer accounts using their account credentials via Samsung’s 'add a line' website. The compromised information includes customers’ names, phone numbers, billing addresses, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.
An unauthorized access into AMCA’s systems between August 1, 2018, and March 30, 2019, impacted almost 13000 Penobscot Community Health Center (PCHC) patients whose information were stored in AMCA systems. The compromised information included patients’ names, dates of birth, names of referring medical provider, and other medical information related to services received at PCHC.
The LaPorte County in Indiana which suffered a ransomware attack on July 06, 2019, paid the attackers $130,000 in order to recover the encrypted files. The county’s decision to pay the attackers was taken after the decryption keys from the FBI failed to restore the encrypted files. Out of the $130,000 paid, $100,000 is covered by the insurance provider.
A database dump added to Have I Been Pwned website had contained data of almost 101 million Evite users who had their information exposed in a data breach earlier this year. At that time, it was believed that approximately 10 million users had their information exposed, however, the number of exposed users is much larger.
A hacker gained access into MyDashWallet system between May 13, 2019, and July 12, 2019, and obtained the private keys to any wallet during that period. A Dash.org administrator who goes under the name Tungfa explained that MyDashWallet was modified on April 18, 2019, to download an external script from Greasy Fork. The Greasy Fork account was then compromised on May 13, 2019, with the hacker adding code to send the user’s private keys to an external server.
Hackers stole almost 110 databases containing the private data of millions of Bulgarians from the NRA’s network and leaked 57 databases to local news publications via emails containing download links. The leaked information contained personal identification numbers (PINs), names, home addresses and financial earnings of Bulgarians. Most of the information available in the databases dated back as far as 2007.
An unprotected Elasticsearch database belonging to AavGo exposed eight million entries of company data, client information, and guest details. The database included booking information, guest details, complaints from guests, invoices, work orders, memos and messages between staff, images of hotel rooms, and images of broken equipment. The database also included hotel admin login details including the username and password for admin panel, reservation system, and internal database.
AMCA data breach impacts over 2.2 million Clinical Pathological Laboratories (CPL) patients whose information were stored in AMCA systems. AMCA sent notification letters to 34,500 CPL patients informing them about the data breach. While CPL’s investigation is ongoing, based on the information provided by AMCA, CPL estimates another 2.2 million patients to be impacted by the incident.
An unprotected Elasticsearch database exposed the personal information, financial data, mobile device information, and billing information of Chinese citizens who used loan apps. The company behind the leaky database is currently unknown. However, the database leaked data of more than 100 loan-related apps, suggesting that the owner might most likely be a marketing agency for mobile apps.
The Town of Collierville in Tennessee suffered a ransomware attack after attackers infected the town’s computers and servers with Ryuk ransomware. The infection crippled computer systems and encrypted some of the computer files, blocking access to those files. The attack also impacted public services like permit requests, public records requests, and business services. However, emergency services were operational.
**New Threats **
This week also witnessed the occurrence of several new malware strains and vulnerabilities. Turla APT group was spotted using a new malware dubbed ‘Topinambour’ in its recent campaign. WhatsApp and Telegram were found to be impacted by a new flaw named ‘Media File Jacking’. Last but not least, researchers suspect the developers of GandCrab to be behind the Sodinokibi ransomware.