Cyware Weekly Threat Intelligence, July 20 - 24, 2020

Weekly Threat Briefing • Jul 24, 2020
The Good
The proliferation of security mishaps has pushed IT giants to rethink the security capabilities of their products to protect their customers from cyberattacks. Taking a step in this direction, Microsoft has added a Data Loss Prevention (DLP) feature in Office 365 to prevent data leaks and inappropriate data sharing. Furthermore, Google’s G Suite products have been enhanced with 11 new security features to help administrators secure their devices against unwanted intrusions.
Microsoft Office 365 now includes a Data Loss Prevention (DLP) feature, making it easier for organizations to prevent data leaks, inappropriate data sharing, and other similar risks. The new extension will protect sensitive data and items on Windows 10 devices.
Google Cloud has announced 11 new G Suite security features to help IT administrators more effectively manage and secure their devices. The updates also apply to other G Suite products: Gmail, Chat, and Meet.
The industry advisory panel, created as a part of Australia’s upcoming 2020 Cyber Security Strategy, has provided 60 recommendations to boost the nation’s cybersecurity. One of these recommendations is aimed at increasing the ability of the Australian Cyber Security Centre (ACSC) to disrupt cybercriminal activities on the dark web through offensive cyber operations.
The Bad
On the data breach front, five e-learning platforms leaked nearly one million records due to unsecured databases. Apart from this, hackers sold sensitive data associated with CouchSurfing and Instacart on different hacker forums. The compromised data included personal information of their customers.
A group of hacktivists that goes by the online name of Ghost Squad Hackers defaced a site of the European Space Agency (ESA) for the second time in a week. The group managed to pull it off by exploiting a server-side request forgery vulnerability in the agency’s server.
Four misconfigured AWS S3 buckets and one unsecured Elasticsearch database belonging to five e-learning platforms leaked nearly one million records of online students. The five affected platforms were Okoo, Square Panda, Playground Sessions, MyTopDog, and Escola Digital.
Telecom Argentina fell victim to a ransomware attack, following which the attackers demanded a ransom of $7.5 million to decrypt the files they had encrypted. The firm refused to pay and worked to regain control of nearly 18,000 infected computers.
The week saw cases of cyberattacks on many healthcare service providers. While Lorien Health Services announced being attacked by ransomware in early June, GEDmatch confirmed a security breach that affected its website. In addition, a breach at the Delaware Department of Health and Social Services resulted in the compromise of private data of disabled Delawareans.
Many software providers also came under scrutiny due to security incidents this week. Cloud computing provider Blackbaud admitted paying a ransom to cybercriminals to regain control of data affected in a ransomware attack in May 2020. In addition, the Family Tree Maker software exposed 25GB of its users’ data through a misconfigured Elasticsearch server. Also, smartwatch and wearable maker Garmin shut down several of its services on July 23 to deal with a ransomware attack that encrypted its internal network and some production systems.
DeepSource notified all its users about a Sawfish phishing campaign that collected victims’ GitHub credentials and 2FA codes. The firm learned about the incident after one of its employees’ accounts was compromised and its GitHub app credentials were stolen.
An investigation into Twitter’s largest breach revealed that the perpetrators manipulated a small number of employees and used their credentials to log into internal tools and gain access to 45 accounts. It is further believed that the hackers could also have read direct messages to and from 36 accounts.
The week also witnessed the dumping of several sensitive data troves, stolen from different organizations, on the dark web. Over 270,000 accounts associated with Instacart customers were sold on two dark web forums. Separately, 17,000 Slack credentials stolen from roughly 12,000 Slack workspaces made their way to various hacker forums. CouchSurfing also disclosed a breach after hackers sold the details of 17 million users on Telegram channels and hacking forums. The data was sold at a price of $700.
An unsecured Amazon S3 bucket leaked nearly 1 million records of sensitive data belonging to students registered on CaptainU’s platform. The bucket contained GPA scores, ACT, SAT and PSAT scores, parents’ names, email addresses, home addresses, and phone numbers.
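Three of this week's leaks (the e-learning platforms, CaptainU, and Twilio) trace back to the same root cause: an S3 bucket whose ACL, bucket policy, or Block Public Access settings let anyone read or write it. The following is an added, offline example (not code from Cyware or any of the affected firms) of the audit a defender would run over the data structures the AWS API returns for a bucket: `get_bucket_acl`, `get_bucket_policy`, and the `PublicAccessBlockConfiguration` from `get_public_access_block`. The bucket name, owner ID, and sample ACL/policy values are constructed for illustration; the two grantee URIs are the real AWS "everyone" groups.

```python
"""
Offline audit for the S3 misconfiguration behind several of this week's leaks:
a bucket that grants read or write access to all users. Inputs are the plain
dict/JSON structures that the AWS S3 API returns, so the check runs with no
network access. Sample values below are constructed.
"""
import json

# Real AWS grantee URIs for the two "everyone" groups (public to the world and
# public to any AWS account holder, respectively).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# The four Block Public Access settings that should all be True on a private bucket.
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl):
    """Flag every ACL grant whose grantee is one of the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json):
    """Flag Allow statements with a wildcard principal; note if a Condition narrows them."""
    findings = []
    if not policy_json:
        return findings
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        suffix = " (narrowed by a Condition, review manually)" if stmt.get("Condition") else ""
        findings.append(f"Policy allows {','.join(actions)} to any principal{suffix}")
    return findings


def block_public_access_gaps(config):
    """Return the Block Public Access settings that are not enabled."""
    return [name for name in BPA_SETTINGS if not config.get(name, False)]


def audit_bucket(name, acl, policy_json, public_access_block):
    """Combine the three checks into one verdict for a bucket."""
    findings = acl_findings(acl) + policy_findings(policy_json)
    return {
        "bucket": name,
        "public": bool(findings),
        "findings": findings,
        "bpa_gaps": block_public_access_gaps(public_access_block),
    }


# Constructed sample: the kind of bucket that leaks student records.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-student-records/*",
    }],
})
LEAKY_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
# The corrected setting: all four Block Public Access switches on.
HARDENED_BPA = {name: True for name in BPA_SETTINGS}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-student-records", SAMPLE_ACL, SAMPLE_POLICY, LEAKY_BPA), indent=2))
```

In a real account the same functions are fed the responses of `boto3`'s `get_bucket_acl`, `get_bucket_policy` (its `Policy` field) and `get_public_access_block` (its `PublicAccessBlockConfiguration` field) for every bucket in `list_buckets`; a bucket with any finding or any Block Public Access gap is the one to fix first, since enabling all four switches would have neutralised both the public ACL and the wildcard policy in the sample.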
A popular Asian poker site, GGPoker, took its systems offline after it suffered a DDoS attack. The firm admitted to not shielding the server with DDoS protection after migrating to a new cloud data center.
Twilio suffered a security breach after miscreants sneaked into its unsecured AWS S3 bucket and altered the TaskRouter v1.20 SDK to include non-malicious code.
The Sodinokibi ransomware group targeted Administrador de Infraestructuras Ferroviarias (ADIF) and stole 800GB of data that included correspondence, contracts, and other accounting details.
New Threats
The week also saw the discovery of some new and sophisticated attack methods such as Shadow, Meow, and Bad Power. While the Shadow attack leverages vulnerable PDF viewer applications, the Meow attack wiped data from over 1,800 unsecured databases to highlight the underlying security issues. Meanwhile, the Bad Power attack can be used to melt components or even set devices on fire.