
InForce Cyber

Threat Report June 2020

The month of June brought back some old attacks, like DoS and ransomware.
Here are some stories that support this statement:

AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever

The previous record for the largest DDoS attack ever recorded was of 1.7
Tbps, recorded in March 2018.

Amazon said its AWS Shield service mitigated the largest DDoS attack ever
recorded, stopping a 2.3 Tbps attack in mid-February this year.

The incident was disclosed in the company’s AWS Shield Threat Landscape
[PDF], a report detailing web attacks mitigated by Amazon’s AWS Shield
protection service.

The report didn’t identify the targeted AWS customer but said the attack
was carried out using hijacked CLDAP web servers and caused three days of
“elevated threat” for its AWS Shield staff.

Accidental Loss of Database Leads to Outage, Potential Threat For Jenkins
Artifactory Portal

Jenkins blocked releases to the Jenkins Artifactory instance due to a
partial user database loss on June 02, 2020.

In early June, the Jenkins team noticed an error in their Kubernetes
cluster that forced them to rebuild parts of the Jenkins Artifactory
portal from scratch.

While rebuilding the system, they lost around three months' worth of changes
made in the Lightweight Directory Access Protocol (LDAP) database, including
details about user accounts used by Jenkins plugin developers.

Power company Enel Group suffers Snake Ransomware attack

European energy giant Enel Group suffered a ransomware attack a few
days ago that impacted its internal network.

Detected on June 7, the incident is the work of EKANS (SNAKE) ransomware
operators, the group that also targeted Honda earlier this week.

Enel Group confirmed for BleepingComputer that its internal IT network was
disrupted on Sunday evening following a ransomware attack caught by their
antivirus before the malware could spread.

Dealing with the incident required isolating the corporate network for a
limited time, “to carry out all interventions aimed at eliminating any
residual risk.” All connectivity was safely restored on early Monday
morning, the company says.

Once Again Hackers Exploit Misconfigured AWS S3 Buckets

Threat actors are continuously leveraging misconfigured AWS S3 data storage
buckets to slip malicious code into websites, endeavoring to steal credit
card details and conduct malvertising campaigns.

*       In May, researchers from the cybersecurity firm RiskIQ discovered
three compromised websites, owned by Endeavor Business Media, hosting
JavaScript skimming code. This classic method is embraced by Magecart, an
association of several hacker groups that target online shopping cart
systems.
*       Those three affected websites host content and chat forums related
to emergency services provided by police officers, firefighters, and
security professionals.
*       In virtual credit card skimming attacks, also called formjacking,
Magecart operators secretly insert JavaScript code into a compromised
website — usually on payment pages — to steal customers’ card details, which
is later transferred to a remote hacker-controlled server.

MAZE Attacks Victoria Beckham’s Advisory Firm

The threat group MAZE claims to have carried out a cyber-attack on a
mergers and acquisitions firm whose client list includes former Spice Girl
and fashion designer Victoria Beckham.

MAZE maintains that it has encrypted and exfiltrated data from New York
company Threadstone Advisors using ransomware.

Threadstone is an independent advisory firm based on Madison Avenue that
specializes in the consumer and retail sectors. The company worked with
Beckham to facilitate a minority investment by NEO investment partners.

Honda cyberattack halts plants in India, Brazil, Turkey

Honda plants in Turkey, Brazil and India have halted operations as the
Japanese carmaker battles to recover from a cyberattack that affected
several factories worldwide.

The cyberattack at the beginning of the week targeted Honda’s internal
servers and spread a virus through the company’s systems, a spokeswoman told
AFP on Wednesday.

A four-wheel vehicle plant in Turkey and motorcycle plants in India and
Brazil were still out of action following the attack, the spokeswoman said,
adding that the firm was “still investigating details”.

Natura &Co says ‘cyber incident’ partially hit Avon operations; shares fall

SAO PAULO (Reuters) – Brazilian cosmetics maker Natura &Co (NTCO3.SA) said
on Tuesday its subsidiary Avon has suffered a cyber incident that has halted
some of its systems, partially hitting operations.

“Avon is assessing the extent of this incident and working diligently to
mitigate its effects, making every effort to normalize its operations,”
Natura &Co said in a securities filing without elaborating.

The company did not indicate how Avon operations were affected and when the
problem would be solved.

Ransomware Strikes Third US College in a Week

Columbia College, Chicago has become the third US college in a week to fall
victim to a cyber-attack involving the Netwalker family of ransomware.

The Illinois educational establishment, along with Michigan State
University and the University of California, San Francisco, was targeted by
cyber-criminals and given six days to pay a ransom to recover its files.

Netwalker, also known as Mailto or as an updated version of Kokoklock
ransomware, was first observed operating in September 2019. The malware
works by encrypting data and renaming files with the developer’s email
address and an extension made up of the victim’s unique ID.

Like the attack on the University of California, the assault on Columbia
occurred on June 3, exactly one week after Michigan State University was
hit. On the Netwalker blog, the cyber-criminals claimed to have exfiltrated
“very highly sensitive data like social security numbers and other private
information” from Columbia.

US energy providers hit with new malware in targeted attacks

U.S. energy providers were targeted by spear-phishing campaigns delivering
a new remote access trojan (RAT) capable of providing attackers with full
control over infected systems.

The attacks took place between July and November 2019, and the threat actor
behind them — tracked as TA410 by Proofpoint researchers who spotted the
campaigns — used portable executable (PE) attachments and malicious
macro-laden Microsoft Word documents to deliver the payload.

The malware dubbed FlowCloud is a full-fledged RAT that gives the TA410
operators total control over compromised devices, as well as the capability
to harvest and exfiltrate information to attacker-controlled servers.

Hackers strike at Life Healthcare, extent of data breach yet to be assessed

Admissions systems, business processing systems and e-mail servers have
been taken offline by the Life Healthcare Group, which confirmed on Tuesday
that its southern African operation has been the victim of a targeted
criminal attack on its IT systems.

“We acted immediately on becoming aware of the incident and took our
systems offline, in order to actively contain the attack,” the group said.

“The extent to which sensitive data has been compromised is yet to be
ascertained, as we are still in the process of investigating.”

External cyber security experts and forensic teams have been brought on
board to advise and supplement its internal teams and capacity, said Life
Healthcare. “We have alerted the relevant authorities and investigations are
under way.”

Patient care has not been impacted, the group emphasised.

Data Breaches

Russian hacker releases at least 14,000 Mexican taxpayer IDs

Researchers at Lucy Security recently discovered that a Russian hacker
named m1x breached a Mexican government web portal and, three days later,
once the government refused to pay a ransom, publicly released some 14,000
Mexican taxpayer ID numbers.

Colin Bastable, CEO of Lucy Security, said the researchers discovered the
case on a hacking forum on the dark web Sunday, June 7. The hacker first
announced that he was waiting for payment Sunday morning, but the Puebla
staff did not know how to pay in bitcoin and the two parties could not reach
an agreement fast enough. So on Wednesday of this week, m1x leaked 100
gigabytes of Mexican government data on a public cloud service.

Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More

Security researchers Noam Rotem and Ran Locar were scanning the open
internet on May 24 when they stumbled upon a collection of publicly
accessible Amazon Web Services “buckets.” Each contained a trove of data
from a different specialized dating app, including 3somes, Cougary, Gay
Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt. In
all, the researchers found 845 gigabytes and close to 2.5 million records,
likely representing data from hundreds of thousands of users. They are
publishing their findings today with vpnMentor.
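Both S3 stories in this report (the Magecart skimmer planted through writable buckets, and the publicly readable dating-app buckets) come down to the same misconfiguration, so here is an added example, not code from InForce Cyber or any vendor, that flags public grants in a bucket ACL and unconditional wildcard-principal statements in a bucket policy; the ACL and policy documents are constructed samples in the shape the S3 GetBucketAcl and GetBucketPolicy calls return, and the placeholder organisation ID is invented.

```python
"""Flag S3 bucket ACLs / bucket policies that grant public access (added example,
not InForce Cyber or vendor code; both sample documents below are constructed)."""
import json

# Grantee URIs meaning "everyone" and "any AWS account" respectively.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """(grantee URI, permission) for every ACL grant made to a public group."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal with no Condition at all
    (heuristic: a Condition is assumed to restrict access and is not evaluated)."""
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and principal_is_wildcard(st.get("Principal"))]

def audit(acl, policy):
    """World-writable ACL = skimmer-injection risk; public read = data-leak risk."""
    grants = public_acl_grants(acl)
    return {"public_acl_grants": grants,
            "world_writable": any(p in ("WRITE", "FULL_CONTROL") for _, p in grants),
            "public_policy_sids": public_policy_statements(policy)}

# Constructed GetBucketAcl result: owner has FULL_CONTROL, but AllUsers also got WRITE.
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
# Constructed GetBucketPolicy result: one public statement, one limited to an org (placeholder ID).
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Detection of this kind is a backstop; the fix is enabling S3 Block Public Access at the account level so neither an ACL nor a policy can make a bucket public in the first place.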

Hackers Breached A1 Telekom, Austria’s largest ISP

A1 Telekom recently provided details about a six-month-long espionage
attack on its infrastructure.

*       In June 2020, A1 Telekom disclosed that it had been suffering a
malware infection since November 2019. The infection was detected in
December 2019, but it took five more months to find and remove all of the
hidden backdoor components and to completely stop the intrusion.
*       The intruders are thought to be a nation-state hacking group
(possibly the Chinese APT group Gallium) with financial motivation. They
penetrated the networks through web shells, compromised some databases and
ran queries to get information about the company's internal network.
*       These queries were very specific inquiries about the location, phone
numbers, and other customer data related to some private customers of A1,
and a massive amount of data was downloaded.

Stalker Online Breach: 1.3 Million User Records Stolen

Security researchers are warning players of a popular MMO game that over
1.3 million user records are being sold on dark web forums.

Usernames, passwords, email addresses, phone numbers and IP addresses
belonging to players of Stalker Online were found by researchers from
CyberNews.

The firm explained that the passwords were stored only in MD5, which is one
of the less secure encryption algorithms around.

Two databases were found on underground sites as part of a dark web
monitoring project undertaken by the research outfit, one containing around
1.2 million records and another of 136,000 records.

Security Breach Impacts State Police Database

A data breach has impacted Maine State Police’s information sharing
database for federal, state and local law enforcement officials, the agency
confirmed late Friday.

State police say they were notified on June 20 by Netsential that a data
breach may have included information from the Maine Information and Analysis
Center, or MIAC.

The agency has contracted the Houston, Texas-based company, which provides
web hosting services to hundreds of law enforcement and government agencies
across the country, since 2017.

Security Threats By Trend

Vulnerability Summary May 2020

The following vulnerabilities were rated "Critical" by Microsoft (XI is
Microsoft's Exploitability Index, given for the latest and for older
software releases):

CVE | Title | Severity | Public | Exploited | XI – Latest | XI – Older | Type
CVE-2020-1248 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1248> | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1299 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299> | LNK Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1219 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1219> | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1181 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1181> | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1073 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1073> | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1213 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1213> | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1216 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1216> | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1260 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1260> | VBScript Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE
CVE-2020-1281 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1281> | Windows OLE Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1300 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300> | Windows Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE
CVE-2020-1286 <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1286> | Windows Shell Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE

Recommendations

1.      Patch the Microsoft critical vulnerabilities above by updating all
vulnerable services.
2.      Only allow traffic to necessary and well-secured ports.
3.      Update AV solutions.
4.      Provide phishing training for employees.
5.      Run regular pentests to identify possible weak points.
6.      Encrypt data in transit and at rest.

Sources:

Exploit-DB

McAfee

TrendMicro

Symantec

NIST

Google

FireEye