Cyware Weekly Threat Intelligence - May 27–31

Weekly Threat Briefing • May 31, 2019
The Good
We’re back with the most interesting threat intel of the week. The past week witnessed several cybersecurity advancements, security incidents, and the emergence of new threats. To begin with, let’s first glance through the positive developments that have emerged over the past week. Google has announced new privacy rules for the Google Drive API to protect users’ data by limiting the amount of data accessed by third parties via Google’s APIs. Singapore is planning to introduce a tool known as ‘SG-Verify’ that helps businesses verify user data via QR codes. Meanwhile, researchers from the University of Illinois have published a paper that explains how commodity storage devices can be used to recover encrypted files.
Singapore plans to launch a software tool called ‘SG-Verify’ as part of its Smart Nation efforts. The tool enables businesses to verify user identity and transfer data via QR codes. In addition, it will enhance situational awareness through the collection, sharing, and analysis of data, and help government agencies provide more pre-emptive and responsive services.
A research team from the University of Illinois and the Coordinated Science Laboratory has published a paper titled ‘Project Almanac: A Time-Traveling Solid State Drive’. The paper explains how commodity storage devices already present in a computer can be used to recover files encrypted by ransomware without paying the ransom.
Google has announced new privacy protections for Chrome extensions, along with new rules for the Google Drive API, as part of ‘Project Strobe’. Project Strobe aims to improve the privacy and security of users’ data by limiting the amount of data accessed by third parties via Google’s APIs and tools.
The Bad
Several data breaches and security incidents were witnessed in the last seven days. The website of First American Financial Corp exposed almost 885 million sensitive documents. Also, attackers implanted malware on point-of-sale systems at 102 Checkers and Rally’s locations. Last but not least, an unprotected Elasticsearch database belonging to Pyramid Hotel Group exposed almost 85GB of security logs from major hotels.
The website of First American Financial Corp exposed almost 885 million sensitive documents online, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. According to the researcher who uncovered the breach, anyone who knew the URL for a valid document on the firstam.com website could view other documents by simply modifying a single digit in the link.
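The exposure pattern described above, a document link carrying a sequential numeric id that the server serves without checking who is asking, shown beside a lookup that enforces ownership. This is an added illustration, not code from the briefing or from the company involved; the document store, owner names and ids are constructed for the example.

```python
# Added illustration (not from the briefing): an id-only document lookup
# beside one that verifies ownership. Records and names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    title: str


# Constructed sample store: consecutive ids belonging to different customers.
DOCUMENTS: Dict[int, Document] = {
    1000: Document(1000, "alice", "alice mortgage statement"),
    1001: Document(1001, "bob", "bob wire receipt"),
    1002: Document(1002, "carol", "carol tax record"),
}


def fetch_document_vulnerable(doc_id: int, requester: str) -> Optional[Document]:
    """Looks up by id only and ignores the requester: knowing one valid
    link is enough to read neighbouring ids that belong to other people."""
    return DOCUMENTS.get(doc_id)


def fetch_document_hardened(doc_id: int, requester: str) -> Optional[Document]:
    """Looks up by id and verifies the requester owns the record.
    A mismatch is answered exactly like a missing document, so the
    response does not reveal whether the id exists at all."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requester:
        return None
    return doc


def count_readable(fetch: Callable[[int, str], Optional[Document]],
                   requester: str, start: int, stop: int) -> int:
    """Regression check for an authorization layer: number of records a
    single requester can read across ids start..stop-1. For the hardened
    path this must equal the number of records that requester owns."""
    return sum(1 for i in range(start, stop) if fetch(i, requester) is not None)
```

The count_readable check is the kind of test to keep in a suite so a regression to id-only lookups is caught before it reaches production.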
Canva, an Australia-based company that provides a graphic design service, has been hacked by ‘GnosticPlayers’, and data for roughly 139 million users has been compromised. The stolen data included users’ personal information, including names, usernames, email addresses, residential city, and country. The compromised data also includes password hashes for almost 61 million users and Google tokens for the remaining users.
A misconfigured database belonging to Amadeus has exposed information on 36 million booked flights, 15 million passengers, over one million hotel bookings, and 700,000 visa applications. Information on the international travel plans of high-ranking Israeli diplomats, including Israeli Prime Minister Benjamin Netanyahu, has also been exposed.
Unauthorized third parties have hacked the databases of the popular news aggregation site Flipboard and have potentially downloaded the user data contained within them. The hacked databases contained Flipboard users’ account information, including user names, hashed and salted passwords, email addresses, and digital tokens used to log in to Flipboard with site credentials from Google, Facebook, and Twitter.
New Zealand Treasury Secretary Gabriel Makhlouf disclosed that his department had become the victim of a hack after its systems were deliberately and systematically hacked. However, Makhlouf confirmed that there was no evidence of any compromise of personal information held by the Treasury.
Attackers hacked the gift card website of the major UK pub chain Greene King and accessed customers’ personal information. The compromised information includes customers’ names, email addresses, user IDs, encrypted passwords, addresses, postcodes, and gift card order numbers.
Attackers implanted malware on point-of-sale systems at 102 Checkers and Rally’s locations in order to steal customers’ payment card data. The payment card information stored on the magnetic stripe of payment cards, including cardholder names, payment card numbers, card verification codes, and expiration dates, has been compromised.
A security researcher has discovered an unprotected Elasticsearch database that exposes almost 42.5 million records of dating app users, with the majority of the users being Americans. The exposed information includes users’ user names, ages, locations, and IP addresses. The dating apps mentioned in the leaky database include Cougardating, Christiansfinder, Mingler, Fwbs, and TS.
Security researchers Noam Rotem and Ran Locar from vpnMentor have uncovered an unprotected Elasticsearch database belonging to Pyramid Hotel Group. The unsecured database has exposed almost 85GB of security logs from major hotels, including the Aloft Sarasota Marriott property, Tarrytown House Estate in New York, Carton House Luxury Hotel in Ireland, Aloft Hotels in Florida, and Temple Bar Hotel in Ireland.
Attackers infected Luzerne County’s computer systems with a virus, causing the county to shut down the majority of its servers. County courthouse servers were impacted, and the attack forced court branch employees to process jury paperwork manually. However, the County has started the cleanup process and has implemented emergency operation plans to continue daily services without disrupting the remediation process.
New Threats
The past week also saw several new malware strains and vulnerabilities emerge. Researchers have revealed that Emotet was the most prevalent email-based threat in the first three months of 2019. Attackers are scanning the internet for Windows servers running MySQL databases in order to infect them with GandCrab ransomware. Meanwhile, new research has revealed that nearly 1 million Windows PCs are still vulnerable to the recently patched BlueKeep vulnerability.