Cyware Weekly Threat Intelligence - March 16–20

Weekly Threat Briefing • Mar 20, 2020
The Good
Hope you all had a healthy and safe week. Here is a dose of good things that happened this week in cybersecurity. The UK's National Cyber Security Centre (NCSC) has started hunting down phishing websites linked to COVID-19 scams, an initiative aimed at stopping people across Europe from losing money and sensitive data to the scams. Meanwhile, the operators of some prominent ransomware families have pledged not to target health organizations during the coronavirus pandemic.
The UK's National Cyber Security Centre (NCSC) has stepped in to take down malicious and phishing websites linked to COVID-19 scams. The move follows a rise in attacks that have cost victims across Europe money and sensitive data.
Members of the IT and cybersecurity communities have recovered the unlock key for CovidLock, an Android ransomware distributed as a fake app. The app threatens to erase the data on a victim's phone if a ransom of $100 in bitcoin is not paid within 48 hours.
The National Institute of Standards and Technology (NIST) has published a draft of SP 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations." The revision reflects the major changes in the security landscape over the last few years, and its controls are intended to protect organizational operations and assets from cyberattacks.
Operators of prominent ransomware families including DoppelPaymer and Maze have stated that they will not target health and medical organizations during the COVID-19 pandemic. DoppelPaymer's operators further asserted that they will decrypt files for free if they inadvertently hit a hospital or nursing home.
The Bad
Several organizations inadvertently exposed millions of records in data leak incidents reported this week. Misconfigured S3 buckets were behind the leaks at MCA Wizard and Doxzoo, and a UK-based research firm came under scrutiny for exposing 5 billion records on past security incidents through an unprotected Elasticsearch database.
An unprotected Elasticsearch database exposed over 5 billion records collected by a UK-based research firm between 2012 and 2019. The leaky database contained extensive information on the breaches including domains, sources, contact email addresses, and passwords.
Cybercriminals launched a DDoS attack against Takeaway.com's German food delivery service Lieferando, demanding two bitcoins to stop the flood of malicious traffic. The company announced that its systems had been put into maintenance mode to protect customer data during the attack.
Approximately 500,000 documents related to the MCA Wizard app were exposed due to a misconfigured AWS S3 bucket. The documents included credit reports, bank statements, contracts, legal reports, driver’s license copies, purchase orders, tax returns, and social security numbers.
A data leak at Doxzoo exposed over 270,000 records belonging to more than 100,000 users. The incident was caused by a leaky S3 bucket. The exposed data included print jobs for high-profile clients, including elite universities and Fortune 500 companies.
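As an added illustration, not part of the Cyware briefing or code from any company named above: the "leaky S3 bucket" behind the MCA Wizard and Doxzoo incidents is normally visible in three artefacts that any account owner can pull offline, the bucket's Public Access Block settings, its ACL grants, and its bucket policy. The Python below audits all three, flags the weak state beside a hardened one, and treats a Deny-to-everyone statement (a common TLS-only hardening pattern) as safe rather than as an exposure. The bucket name, account ID and role name are constructed placeholders, and the inputs are built inline rather than fetched from AWS.

```python
"""Offline check for the "leaky S3 bucket" misconfiguration.

Added example, not code from Cyware or from the companies named above.
A bucket is reachable by the public when any of three artefacts allows it:
the Public Access Block settings are off, the bucket ACL grants to the
AllUsers/AuthenticatedUsers groups, or the bucket policy allows actions to
Principal "*". Inputs here are constructed; in practice feed in the output
of get-public-access-block, get-bucket-acl and get-bucket-policy.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any AWS account or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket(public_access_block, acl_grants, policy):
    """Return human-readable findings; an empty list means nothing public was found."""
    findings = []

    off = [k for k in PAB_KEYS if not public_access_block.get(k, False)]
    if off:
        findings.append("PublicAccessBlock: %s off" % ", ".join(off))

    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append("ACL: %s granted to %s"
                            % (grant["Permission"], PUBLIC_GROUPS[uri]))

    if isinstance(policy, str):
        policy = json.loads(policy)
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        # A Deny to Principal "*" is a hardening pattern, not an exposure.
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        if "Condition" in st:
            findings.append("Policy: statement %d allows %s to anyone, "
                            "narrowed only by a Condition (review it)" % (i, actions))
        else:
            findings.append("Policy: statement %d allows %s to anyone "
                            "with no Condition" % (i, actions))
    return findings


# Constructed "leaky" state (bucket name, account ID and role are placeholders).
BUCKET_ARN = "arn:aws:s3:::example-customer-docs"
LEAKY_PAB = {k: False for k in PAB_KEYS}
LEAKY_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}],
})

# Constructed hardened state: block public access, owner-only ACL, policy
# scoped to one application role plus a TLS-only Deny.
HARDENED_PAB = {k: True for k in PAB_KEYS}
HARDENED_ACL = [LEAKY_ACL[0]]
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-documents"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_PAB, LEAKY_ACL, LEAKY_POLICY)),
                        ("hardened", (HARDENED_PAB, HARDENED_ACL, HARDENED_POLICY))):
        print(label, audit_bucket(*args) or ["no public access found"])
```

Note the caveat the check encodes: a policy statement that allows Principal "*" but carries a Condition (for example an aws:SourceIp or aws:SourceVpce restriction) is reported for review rather than as a confirmed exposure, since whether it is public depends on the condition. Turning on all four Public Access Block settings is the single change that would have made both the ACL grant and the public policy ineffective; the audit still reports them so the latent misconfiguration gets cleaned up.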
Canadian ISP Rogers Communications notified its customers about a data breach that took place in February 2020. The incident had exposed personal information such as addresses, account numbers, email addresses, and telephone numbers of some of its customers.
The websites of NutriBullet and TrueFire suffered Magecart-style attacks that allowed attackers to steal customers' payment card details. NutriBullet's site was injected with card-skimming code, while TrueFire attributed its incident to unauthorized access to its website.
New Threats
The week also saw various malware campaigns leveraging the COVID-19 pandemic as a lure. The malware used in these campaigns included the BlackWater backdoor, the TrickBot trojan, Crimson RAT, and SpyMax. Researchers also came across two new malware families active in the wild, the CrazyCoin virus and Nefilim ransomware.