Cyware Weekly Threat Intelligence, June 22 - 26, 2020

Weekly Threat Briefing • June 26, 2020
The Good
Here’s the scoop on the good things that happened in cyberspace this week. The US government has announced its plan to implement HTTPS on all .gov sites. The plan comes into effect on September 1, 2020, and aims to protect online users from cyberattacks. Additionally, researchers have come up with a new technique, called Void, to safeguard people from vishing attacks.
The Bad
Alongside the favorable news, the week also saw some disappointing breaches and attacks. Frost & Sullivan suffered a major data breach after several of its databases were put up for sale on dark web forums. Maze, CLOP, and Nefilim ransomware operators made headlines for targeting LG Electronics, INDIABULLS, and organizations in New Zealand, respectively.
New Threats
Among the new threats discovered this week, security researchers identified two new malware families, NitroHack and Lucifer, in separate attack campaigns. While NitroHack modifies the Discord client for Windows into an info-stealing trojan, Lucifer combines cryptomining and DDoS capabilities.
In a new study, researchers found that around 80,000 printers are exposed online via the IPP port on any given day. This means attackers can collect printer names, locations, models, and even organization names just by scanning the IPP port.
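The attributes mentioned above are what an IPP Get-Printer-Attributes query returns, and the wire format is simple enough to inspect by hand. The following is an added example, not code from the briefing or from any vendor: it encodes such a request and parses a reply per RFC 8010, so a defender auditing their own printer can see exactly which identifying fields the endpoint hands out. The response bytes, printer names and URI are constructed placeholders, not data captured from a real device.

```python
"""Encode an IPP Get-Printer-Attributes request and parse an IPP reply
(RFC 8010 binary encoding). Added example; sample values are constructed."""
import struct

# Delimiter tags (RFC 8010 section 3.5.1); 0x03 ends the attribute section
OPERATION_ATTRS_TAG = 0x01
PRINTER_ATTRS_TAG = 0x04
END_OF_ATTRS_TAG = 0x03
DELIMITER_TAGS = {0x01, 0x02, 0x04, 0x05, 0x06, 0x07}
# Value tags used in this example
TAG_INTEGER, TAG_BOOLEAN, TAG_ENUM = 0x21, 0x22, 0x23
TAG_TEXT, TAG_NAME, TAG_KEYWORD, TAG_URI = 0x41, 0x42, 0x44, 0x45
TAG_CHARSET, TAG_LANGUAGE = 0x47, 0x48
GET_PRINTER_ATTRIBUTES = 0x000B  # operation-id
IDENTIFYING = ("printer-name", "printer-location", "printer-make-and-model", "printer-info")


def encode_attr(tag, name, values):
    """Encode one attribute. The first value carries the name; extra values
    use a zero-length name (the "additional value" form in RFC 8010)."""
    out = b""
    for i, value in enumerate(values):
        v = value.encode() if isinstance(value, str) else value
        n = name.encode() if i == 0 else b""
        out += struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v
    return out


def build_get_printer_attributes_request(printer_uri, request_id=1):
    """The unauthenticated query that reveals a printer's identity: IPP 2.0 header,
    operation group with charset, language and printer-uri, then end tag."""
    req = struct.pack(">BBHI", 2, 0, GET_PRINTER_ATTRIBUTES, request_id)
    req += bytes([OPERATION_ATTRS_TAG])
    req += encode_attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    req += encode_attr(TAG_LANGUAGE, "attributes-natural-language", ["en"])
    req += encode_attr(TAG_URI, "printer-uri", [printer_uri])
    return req + bytes([END_OF_ATTRS_TAG])


def build_sample_response(request_id=1):
    """A constructed successful-ok (status 0x0000) reply; all values are invented."""
    resp = struct.pack(">BBHI", 2, 0, 0x0000, request_id)
    resp += bytes([OPERATION_ATTRS_TAG])
    resp += encode_attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    resp += encode_attr(TAG_LANGUAGE, "attributes-natural-language", ["en"])
    resp += bytes([PRINTER_ATTRS_TAG])
    resp += encode_attr(TAG_NAME, "printer-name", ["Finance-Floor3"])
    resp += encode_attr(TAG_TEXT, "printer-location", ["Bldg 2, Room 301"])
    resp += encode_attr(TAG_TEXT, "printer-make-and-model", ["ExampleCorp LaserJet 9000"])
    resp += encode_attr(TAG_KEYWORD, "ipp-versions-supported", ["1.1", "2.0"])  # multi-valued
    resp += encode_attr(TAG_ENUM, "printer-state", [struct.pack(">i", 3)])     # 3 = idle
    return resp + bytes([END_OF_ATTRS_TAG])


def parse_ipp_message(data):
    """Parse a request or response into its header and {group_tag: {name: [values]}}."""
    major, minor, status, request_id = struct.unpack_from(">BBHI", data, 0)
    pos, groups, current, last_name = 8, {}, None, None
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == END_OF_ATTRS_TAG:
            break
        if tag in DELIMITER_TAGS:
            current = groups.setdefault(tag, {})
            continue
        if current is None:
            raise ValueError("attribute before any group delimiter")
        (name_len,) = struct.unpack_from(">H", data, pos)
        pos += 2
        name = data[pos:pos + name_len].decode()
        pos += name_len
        (val_len,) = struct.unpack_from(">H", data, pos)
        pos += 2
        raw = data[pos:pos + val_len]
        pos += val_len
        if name_len == 0:            # additional value of the preceding attribute
            name = last_name
        last_name = name
        if tag in (TAG_INTEGER, TAG_ENUM):
            value = struct.unpack(">i", raw)[0]
        elif tag == TAG_BOOLEAN:
            value = bool(raw[0])
        else:                        # octetString-based types: text, name, keyword, uri, ...
            value = raw.decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
    else:
        raise ValueError("truncated message: no end-of-attributes tag")
    return {"version": (major, minor), "status": status,
            "request_id": request_id, "groups": groups}


def exposed_identity(parsed):
    """Return the identifying printer attributes present in a parsed reply."""
    printer_attrs = parsed["groups"].get(PRINTER_ATTRS_TAG, {})
    return {k: printer_attrs[k][0] for k in IDENTIFYING if k in printer_attrs}


if __name__ == "__main__":
    print(exposed_identity(parse_ipp_message(build_sample_response())))
```

Run against a reply from your own device (the standard endpoint is TCP port 631, path `/ipp/print`), the `exposed_identity` dictionary is the set of fields that leaks to anyone who can reach that port, which is the argument for keeping IPP off the internet and behind a firewall or print server.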
Three new ransomware families, Hackbit, WastedLocker, and CryCryptor, were spotted by security experts. While Hackbit targeted mid-level executives across Austria, Switzerland, and Germany, WastedLocker is a creation of the EvilCorp hacker group. The CryCryptor ransomware was used to target Android users in Canada.
Operators of the Sodinokibi ransomware were found scanning targets’ networks for point-of-sale (PoS) data in their latest attack campaign. The campaign targeted the healthcare, services, and food sectors, among other victims.
Attackers abused Google Analytics in new web skimming attacks, with several sites set up around the service with the intent of stealing credit card details from retail websites.
Researchers detected a malicious Docker Hub account, azurenql, that had been active since October 2019. The account was used to host six malicious images designed to mine cryptocurrency. The images hosted on this account were pulled more than two million times.
Security researchers detected new variants of the XORDDoS and Kaiji botnets targeting exposed Docker servers. To find targets, the attackers are actively scanning for Docker servers exposed on port 2375.
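Port 2375 is the plain-text Docker daemon API; it is exposed by a `hosts` entry in `daemon.json` or a `-H tcp://...` flag on the `dockerd` command line without TLS client verification. The audit below is an added example, not code from the briefing or from Docker: it reads both places and flags any TCP listener, rating a listener bound to all interfaces without `tlsverify` as critical. The two configuration files are constructed samples showing the weak setting beside the hardened one (TLS on the conventional port 2376; certificate paths are placeholders).

```python
"""Audit Docker daemon configuration for an unauthenticated TCP API listener.
Added example; the daemon.json contents below are constructed samples."""
import json
from urllib.parse import urlsplit

# Constructed weak configuration: API reachable from any interface, no TLS.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened configuration: TLS with client-certificate verification
# (the certificate paths are placeholders).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""


def listeners_from_exec_start(exec_start):
    """Collect -H / --host values from a dockerd command line (systemd ExecStart)."""
    tokens = exec_start.split()
    hosts = []
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith("--host=") or tok.startswith("-H="):
            hosts.append(tok.split("=", 1)[1])
    return hosts, "--tlsverify" in tokens


def audit_docker_hosts(daemon_json_text, exec_start=""):
    """Return one finding per tcp:// listener found in daemon.json 'hosts'
    or on the dockerd command line. Severity: 'info' when tlsverify is on,
    'critical' when bound to all interfaces without it, else 'warning'."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    flag_hosts, flag_tls = listeners_from_exec_start(exec_start)
    hosts += flag_hosts
    tls_verify = bool(cfg.get("tlsverify", False)) or flag_tls

    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":          # unix:// and fd:// are local-only
            continue
        bind = u.hostname or ""         # empty hostname means all interfaces
        port = u.port or 2375           # dockerd's default when no port is given
        all_interfaces = bind in ("", "0.0.0.0", "::")
        if tls_verify:
            severity = "info"
        elif all_interfaces:
            severity = "critical"
        else:
            severity = "warning"
        findings.append({"host": h, "bind": bind, "port": port,
                         "tls_verify": tls_verify, "severity": severity})
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for f in audit_docker_hosts(text):
            print(f"{label}: {f['severity']:8} {f['host']} (tls_verify={f['tls_verify']})")
```

A real run reads `/etc/docker/daemon.json` and the `ExecStart` line from `systemctl cat docker`; note that dockerd refuses to start when `hosts` is set in both places, so on a given host only one of the two inputs will normally be populated. A `critical` finding means anyone who can reach that port has root-equivalent control of the host, which is what the scanning described above is looking for.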
The full impact of the newly discovered Ripple20 vulnerabilities, a set of 19 flaws in the Treck TCP/IP stack, remains unclear. However, researchers believe the healthcare industry is particularly affected: six times more vulnerable equipment was found in healthcare than in other sectors.
An unidentified Advanced Persistent Threat (APT) group was found targeting entities based in Myanmar (Burma). The attack campaign leveraged spear-phishing to reach its victims.
Group-IB highlighted that the infamous Fxmsp hacker sold access to 135 companies over the last three years. Last year, Fxmsp made the news for selling network access to three antivirus companies.