Cyware Weekly Threat Intelligence, November 02 - 06, 2020

Weekly Threat Briefing • Nov 6, 2020
The Good
With another week coming to an end, let’s take a quick look at the positive developments that occurred in the cyber ecosystem. The CERT/CC launched a new Twitter bot called Vulnonym to assign random names to security bugs receiving a CVE identifier. Meanwhile, the sophisticated Maze ransomware shut down its operations permanently, putting a full stop to all its malicious activities.
Microsoft partnered with the NCSC’s Cyber Accelerator programme to address cybersecurity threats in the U.K. The programme aims to support start-ups in developing cybersecurity products and tools.
The University of Illinois and the University of West Florida received a total of $8 million in separate grants from the DHS and the NSA to tackle cybersecurity challenges. Both universities will work on filling cybersecurity vacancies across the private and public sectors.
The Digital Security by Design (DSbD) challenge led by UK Research and Innovation received two new rounds of funding to prevent cyberattacks. The primary objective of the challenge is to prevent hackers from remotely taking control of digital systems.
The CERT/CC launched Vulnonym bot on Twitter to reduce the use of sensationalized and scary vulnerability names. The bot will assign random names to every security bug that receives a CVE identifier.
Maze operators officially announced their retirement after targeting dozens of big firms. Since September, the gang has stopped targeting new organizations and expanding its cartel.
The Bad
The week also witnessed some major data breaches affecting millions of user records. The ShinyHunters threat actor dumped 5.22GB of Mashable data on a hacker forum. In another incident, a threat actor sold a total of 34 million user records from 17 different companies. Eatigo also suffered a mass data leak after attackers offered 2.8 million user accounts for sale online.
Gaming firms Capcom and Gaming Partners International (GPI) suffered major disruptions to their business operations due to cyberattacks. While Capcom responded by shutting down its corporate networks to prevent the spread of malware, GPI lost some of its crucial data to the REvil ransomware group.
ShinyHunters was in the headlines again for leaking 5.22GB of data belonging to Mashable. The exposed data included full names, email addresses, country, gender, job description, details related to online behavior, authentication tokens, and much more. In another such incident, researchers found a threat actor selling databases containing a total of 34 million user records from 17 companies.
Deloitte’s ‘Test Your Hacker IQ’ site failed to secure its users’ data due to misconfiguration issues. Upon discovery, the firm patched the vulnerabilities that existed in Ubuntu Linux 14.04. In a similar case, GrowDiaries exposed passwords for two million customers due to two unsecured Kibana apps.
Folksam accidentally leaked private data of about one million of its Swedish customers to tech giants such as Facebook, Google, Microsoft, and LinkedIn. The shared data included a wide variety of customer information.
Toymaker Mattel disclosed being hit by ransomware in July. This impacted some of its business functions but did not lead to data theft.
A Magecart-like attack at JM Bullion affected the credit card information of customers. According to a notification, the attack took place between February 18 and July 17.
Around 2.8 million eatigo accounts were up for sale on online forums. The data was accessed over a period of 18 months and included customer names, email addresses, and phone numbers.
Personal data and health information for some inmates and employees at private prisons and detention centers operated by the GEO Group in California, Florida, and Pennsylvania were compromised in a ransomware attack on August 19. The exposed information included name, address, date of birth, SSN, employee ID number, driver’s license number, medical treatment information, and other health-related information.
Premium-rate phone fraudsters targeted VoIP servers of more than 1,200 organizations over the past 12 months by exploiting an authentication bypass flaw. The servers belonged to Sangoma PBX and Asterisk.
Italian liquor company Campari was hit by Ragnar Locker ransomware, following which the threat actors stole 2 TB of unencrypted files. The attackers demanded a ransom of $15 million for the decryption keys.
New Threats
Several new activities were also observed from different threat actor groups this week. The REvil ransomware gang claimed to have acquired the source code of the KPOT information-stealer trojan for $6,500. A new threat actor group called UNC1945 actively exploited a zero-day vulnerability in the Oracle Solaris operating system to gain access to corporate networks. Furthermore, security researchers uncovered more tools associated with the North Korea-linked Kimsuky threat actor group.