Cyware Weekly Threat Intelligence - March 25–29

Weekly Threat Briefing • Mar 29, 2019
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Mar 29, 2019
The Good
As we’ve come to the end of March, it’s time to end the month with the most interesting threat intel of the week. As is our custom, let’s first begin with all the good that has occurred in the cybersecurity landscape over the past week. Computer scientists from the United States have developed a new email app that can quickly encrypt messages that appear in an email inbox. DHS is awarding $5.9 million to expand a cybersecurity training tool to the energy sector. In the meantime, New Jersey legislators have proposed a bill that would expand data breach notification requirements to alert consumers on data breaches.
Computer scientists from the United States have developed a new email app named ‘Easy Email Encryption E3’ that is capable of quickly encrypting messages that appear in an email inbox. The app works with the majority of popular email services such as Gmail, Yahoo, and AOL. This app automatically encrypts emails as soon as you receive emails in your mobile devices or desktops.
The Department of Homeland Security (DHS) is awarding $5.9 million to the Norwich University Applied Research Institute to expand a cybersecurity training tool used by the financial services sector to the energy sector. The training tool is designed to help energy sector enhance communication during high-stress incidents.
New Jersey legislators proposed a bill to Gov. Phil Murphy that would expand data breach notification requiring companies to alert consumers on data breaches that include personally identifiable information (PII) such as user names, passwords, email addresses, and security questions.
Europol has hosted a joint meeting of the EC3 Advisory Groups on financial services, internet security and communication providers gathering almost 70 industry experts to discuss the cyber-threat of phishing. In the two days of the joint meeting, experts came up with recommendations to combat phishing.
Microsoft has added tamper protection to its antivirus product Microsoft Defender Advanced Threat Protection (ATP) to prevent malware from disabling antivirus solution on infected systems. The tamper protection also prevents malware from disabling Microsoft's cloud-based malware detection.
The Bad
Over the past week, several data breaches and massive cyber attacks came to light. A new supply chain attack campaign dubbed ‘Operation ShadowHammer’ impacted over 1 million users who have downloaded the backdoored version of the ASUS Live Update utility on their systems. In another instance, FEMA has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors. Meanwhile, LockerGoga, the ransomware that hit aluminum giant Norsk Hydro, also infected two other American chemicals companies.
The United States Federal Emergency Management Agency (FEMA) has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractors that manages its TSA program. The exposed data include applicants SPII such as street address, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.
Researchers observed a campaign dubbed ‘Operation ShadowHammer’ that targets the supply chain by exploiting the backdoored version of ASUS Live Update Software. This campaign has impacted over 1 million users who have downloaded the backdoored version of the ASUS Live Update utility on their systems.
LockerGoga, the ransomware that hit aluminum giant Norsk Hydro, also infected two American chemicals companies Hexion and Momentive. The ransomware attack encrypted the Windows systems of these two chemical companies forcing the companies to order hundreds of new computers.
Two cryptocurrency exchange platforms DragonEx and CoinBene suffered cyber attacks compromising over**** $1 million and $45 million respectively. Both crypto portals have gone into maintenance mode to investigate the incident and retrieve back the stolen assets.
Researchers observed a new credential harvesting campaign dubbed ‘LUCKY ELEPHANT’ that uses**** doppelganger webpages to impersonate legitimate entities such as foreign governments, telecommunications, and military. The list of organizations that are impersonated by the attackers includes entities in Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, and Nepal.
Oregon’s Department of Human Services (DHS) suffered a data breach compromising 2 million email accounts and private data of over 350,000 clients. The breach was a result of attackers gaining access to nine of its employees’ email accounts.
A consumer spyware vendor exposed almost 95,000 images and over 25,000 audio recordings online due to a leaky database that was left publicly available without any authentication. Apart from the previous photos and recordings, the leaky database is also exposing the latest pictures and audio recordings that are being uploaded every day.
A publicly available MongoDB database belonging to a popular family locator app, React Apps exposed real-time locations of over 238,000 users. The MongoDB instance also contained information such as users’ names, email addresses, profile photos, and plain text passwords.
An unprotected ElasticSearch database belonging to a video streaming site Kanopy, exposed users’ API logs and website access logs thereby revealing users’ viewing habits. The access logs included data such as user location, TLS version used, client IP and many more.
The computer systems of a parking garage belonging to the Canadian Internet Registration Authority (CIRA) which allows its employees to park their vehicles for free were infected by ransomware. The attack allowed outsiders to enter the parking garage without any security check.
New Threats
Several vulnerabilities and malware strains emerged over the past week. Researchers uncovered a new version of the AZORult data stealer dubbed ‘AZORult++’. Researchers spotted a new Android banking trojan dubbed ‘Gustuff’ which is capable of phishing credentials and stealing funds from over 100 banking apps and 32 cryptocurrency apps. Last but not least, security weaknesses found in the US Treasury Department’s system could pose an increased risk of unauthorized access to the Federal Reserve Bank (FRB) systems.