InForce Cyber

Threat Report Jan 2020

Jan 2020 revealed some new malware as well as some old. Here is a list of major breaches and cyber security incidents for the month:

Bird Construction attacked

Canada-based Bird Construction was targeted in a Maze ransomware attack launched in December 2019. The ransomware operators claim to have stolen 60GB of data from the company. According to Emsisoft, the operators have now published the stolen data on their website after the company refused to pay the ransom. The published files contain employees’ personal data and information relating to the Canadian company Suncor Energy.

Royal Yachting Association’s data breached

The Royal Yachting Association is forcing a password reset for all users following a data breach. The incident occurred after an unauthorized party accessed a database created in 2015 containing personal data associated with a number of RYA user accounts.

Top Malware Reported

Necurs botnet returns

Researchers have discovered a new spam campaign in which millions of emails are sent from the Necurs botnet within a matter of hours. The top distributing IPs in this campaign are located in Chile, Lithuania, and India. As part of the campaign, victims receive an email linking to a website that peddles a get-rich-quick scam. The victims are exposed to ‘Bitcoin Era’, a Bitcoin trading platform that tells them they can make money by trading cryptocurrency.

Ragnarok ransomware

A new ransomware called Ragnarok has been detected in recent targeted attacks. The attacks leverage the recently disclosed Citrix ADC bug CVE-2019-19781 to distribute the ransomware. The ransomware does not encrypt systems whose language is set to Russian, Belarusian, Turkmen, Ukrainian, Latvian, Kazakh, or Azerbaijani.

Android.Xiny

New malicious samples belonging to Android.Xiny have been found replacing pre-installed apps and system files on older Android devices with malicious applications. The trojan specifically targets phones running Android 5.1 or older. Once installed, the trojan gains root access to the device and then replaces system files.

Top Vulnerabilities Reported

New ZombieLoad flaws

Researchers have discovered and published details of a new vulnerability, CacheOut, that affects most Intel CPUs. The vulnerability, tracked as CVE-2020-0549, can allow an attacker to target more specific data, including data stored within Intel’s SGX secure enclave. Another ZombieLoad variant, tracked as CVE-2020-0548, has also been identified alongside CacheOut.

Fortinet releases patches

Fortinet has released security updates to remove two backdoor accounts from FortiSIEM. The patches address CVE-2019-17659 and CVE-2019-16153. Any threat actor who gains access to a SIEM product can use it to carry out reconnaissance on a target’s internal network and later delete the signs of a successful compromise.

PoC for RCE bugs released

Proof-of-concept exploits for CVE-2020-0609 and CVE-2020-0610, bugs in the Remote Desktop Gateway component of Windows Server, have recently been released. The flaws affect Windows Server 2012, 2012 R2, 2016, and 2019. The vulnerabilities, collectively known as BlueGate, were patched by Microsoft on January 14, 2020.

RHEL 8 vulnerable to Magellan 2.0

Red Hat has acknowledged that its flagship Red Hat Enterprise Linux (RHEL) 8 remains vulnerable to one of the Magellan 2.0 vulnerabilities. Magellan 2.0 is a new set of five SQLite vulnerabilities affecting Chrome versions prior to 79.03945.79. Following the disclosure, Red Hat has rolled out a security update for the affected version.

Top Scams Reported

Scary Netflix scam

Netflix users are being warned about an ongoing scam in which unsuspecting users are asked to complete an online verification process to resolve a supposedly incomplete billing process. The email looks convincing and appears to come from Netflix. It tells recipients that their billing information has been modified and that they are therefore required to fill in the missing information. The email subject line reads ‘Account Informations Update’ and, notably, it does not greet the recipient by name.

Recommendations

  • Update vulnerable services
  • Only allow traffic to necessary and well-secured ports
  • Update AV solutions
  • Phishing training for employees
  • Regular pentests to identify possible weak points

Sources:
Exploit-DB
McAfee
TrendMicro
Symantec
NIST
Google
FireEye