Cyware Weekly Threat Intelligence - March 02–06

Weekly Threat Briefing • March 6, 2020
Weekly Threat Briefing • March 6, 2020
The Good
With another weekend coming to an end, let’s take a quick glance at all the good developments that happened this week. In a major announcement, four largest browser vendors - Mozilla, Google, Apple, and Microsoft - have taken a decision to block over 850,000 websites that still use the legacy TLS protocols by the end of this month. On the other hand, the FCC has proposed fines of over $200 million against four major wireless carriers for improperly selling customers’ location data.
The Bad
This week, there were also some major data breaches reported by different organizations. One had occurred at the supermarket giant Tesco, following which it had reissued 620,000 new Clubcard numbers and the other victim was Walgreens - that exposed the personal details of some of its users due to a bug in its mobile app. Meanwhile, an unprotected database hosted on Google Cloud had exposed over 200 million records belonging to US residents.
New threats
Among the new threats discovered this week, thirty vulnerabilities uncovered in file upload mechanisms of 23 open-source web apps, CMSes, and forums could be abused to plant malicious files on a victim’s servers. On the other hand, a new ransomware called PwndLocker demanded a ransom of over $650,000 from victim organizations in the U.S.
North Korean APT group Kimsuky was found using new malware implants to conduct a cyberespionage campaign. The group leveraged a shorter attack chain that involved the use of a ‘.scr’ extension file in order to bypass AV detection.
Researchers detected a malicious Chrome extension named Ledger Live that is targeting the owners of Ledger cryptocurrency wallets. The extension, which is still available through the official Chrome Web Store, allows attackers to gain access to users’ accounts and steal their funds.
Thirty vulnerabilities discovered in the file upload mechanisms of open-source web apps, CMSes and forums could be abused to plant malicious files on a victim’s servers. These vulnerabilities were uncovered using a FUSE, a new automated penetration testing toolkit.
A new version of MTK-su rootkit that can be used to exploit a vulnerability CVE-2020-0069 was detected this week. The rootkit can be used against various models from Alcatel, Amazon, ASUS, Blackview, Huawei, LG, Meizu, Nokia, Motorola, OPPO, Sony, Realme, Xiaomi, and ZTE. The flaw exists in all of MediaTek’s 64-bit chips.
Ransomware operators continued to dominate the threat landscape with their newly adopted ‘naming-and-shaming’ technique. This week, the authors of Nemty ransomware launched a website to disclose the data and files of victims that refused to pay ransoms. Apart from this, there was also a discovery of a new ransomware called PwndLocker targeting the US businesses and local government with ransom demands over $650,000.
A MalBus attack that involved the use of four popular Korean-language transit apps were compromised to target military and political data. These applications, all related to bus information, were available for more than five years on the Google Play Store.
Cybercriminals were found using fake security certificate update requests to infect potential victims with a Mokes backdoor and a Buerak trojan. These fake certificate requests were available on compromised websites.
New encryption flaws found in Toyota, Hyundai and Kia’s chip-enabled mechanical keys can allow hackers to clone similar keys and steal the cars. Some affected models are Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40.