News – July 2019


  • Iran-Linked APT34 Invites Victims to LinkedIn for Fresh Malware Infections

    July 19, 2019

    A recent phishing campaign by Iran-linked threat actor APT34 made use of a savvy approach: Asking victims to join their social network. According to FireEye, the adversaries masqueraded as a Cambridge University lecturer, including setting up a LinkedIn page, in order to gain victims’ trust. From there the attackers asked their “friends” to open malicious documents. APT34, ...

  • Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C

    July 18, 2019

    We observed a recent campaign that primarily targets financial institutions and governmental organizations in the South American region, particularly in Colombia. This blog post covers the activities we observed, the remote access tools (RATs) used, the campaign’s techniques and procedures, and its indicators of compromise (IoCs). Our findings indicate that the campaign appears to be ...

  • Bulgaria’s hacked database is now available on hacking forums

    July 18, 2019

    The database of Bulgaria’s National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community. Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of ...

  • Mirai Botnet Sees Big 2019 Growth, Shifts Focus to Enterprises

    July 18, 2019

    The infamous Mirai internet of things botnet is spiking in growth while changing up its tactics, techniques and procedures so far in 2019, to target more and more enterprise-level hardware, It’s a state of affairs that presents a greater concern than ever before given the ongong migration to the cloud era, researchers said. According to researchers ...

  • StrongPity APT Returns with Retooled Spyware

    July 17, 2019

    The APT group behind the sophisticated malware known as StrongPity (a.k.a. Promethium) has mounted a fresh spyware campaign that is still ongoing as of July 2019. The group has retooled with new malware to control compromised machines, according to researchers. “The new malware samples have been unreported and generally appear to ...

  • Why Cities Are a Low-Hanging Fruit For Ransomware

    July 15, 2019

    Ransomware attacks against local governments and cities are repeatedly making headlines, with crippling results on city operations and budgets. Last month, the Florida city of Riviera Beach paid hackers $600,000 after being hit by a ransomware attack that downed its computer systems for three weeks. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted ...

  • Turla APT Returns with New Malware, Anti-Censorship Angle

    July 15, 2019

    The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets. The Russian-speaking actors believed behind Turla named the dropper “Topinambour,” which is another word for the ...

  • New Miori Variant Uses Unique Protocol to Communicate with C&C

    July 10, 2019

    We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses ...

  • Marriott Hit With $123M Fine For Massive 2018 Data Breach

    July 9, 2019

    The U.K.’s privacy watchdog is hitting Marriott International with a $123 million (£99 million) penalty stemming from its 2018 data breach of more than 383 million guest records. The Tuesday fine is issued by the Information Commissioner’s Office (ICO) and comes only a day after the organization proposed a record $230 million fine against British Airways for its ...

  • Hackers breached Greece’s top-level domain registrar

    July 9, 2019

    State-sponsored hackers have breached ICS-Forth, the organization that manages Greece’s top-level domain country codes of .gr and .el. ICS-Forth, which stands for the Institute of Computer Science of the Foundation for Research and Technology, publicly admitted to the security incident in emails it sent ot domain owners on April 19. The hackers behind the breach are the same group ...

  • Anubis Android Malware Returns with Over 17,000 Samples

    July 8, 2019

    The 2018 mobile threat landscape had banking trojans that diversified their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, retooled for other malicious activities. Anubis underwent several changes since it first emerged, from being used for cyberespionage to being retooled as a banking malware, combining information ...

  • NHS must spend now to prevent devastation of ‘WannaCry 2.0’

    July 4, 2019

    The government must urgently pump more money into cyber securitywithin the NHS to plug gaps that render the healthcare system vulnerable to an attack more destructive than the WannaCry saga. Although many positive steps have been taken since the 2017 attack, a lack of investment, a deficit of skills and awareness, and the use of out-dated systems are ...

  • ‘Twas the night before

    July 4, 2019

    Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to ...

  • Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi

    July 4, 2019

    Since our last research on TA505, we have observed new activity from the group that involves campaigns targeting different countries over the last few weeks. We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines, and South Korea. This ...

  • Sodin ransomware exploits Windows vulnerability and processor architecture

    July 3, 2019

    When Sodin (also known as Sodinokibi and REvil) appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle Weblogic vulnerability and carrying out attacks on MSP providers. In a detailed analysis, we discovered that it also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows (rare among ransomware), and uses legitimate processor ...

  • Making Intelligence Actionable: Cybersecurity Preparedness in the Credit Union Industry

    July 3, 2019

    As the threat landscape continues to evolve, organizations need to be increasingly proactive in their approach to cybersecurity. One industry that’s taken proactive measures toward cybersecurity preparedness is the credit union industry. Over the last couple of years, the National Credit Union Administration (NCUA) developed a tool called the Automated Cybersecurity Examination Tool (ACET) to help credit unions ...

  • Broadcom In ‘Advanced Talks’ To Acquire Symantec

    July 3, 2019

    Another software move for chipmaker, as Broadcom reportedly seeks to acquire security veteran Symantec Singapore-based Broadcom is to double down on its software foray with reports it is in “advanced talks” to acquire veteran security specialist Symantec. Broadcom of late has become acquisitive as it seeks to expand beyond its traditional chip business. In March 2018, President Donald ...

  • Cyberwarfare in space: Satellites at risk of hacker attacks

    July 2, 2019

    There’s an urgent need for NATO and its member countries to address the cybersecurity of space-based satellite control systems because they’re vulnerable to cyberattacks – and if left unaddressed, it could have severe consequences for global security, a new paper from a major thinktank on international affairs has warned. Almost all modern military engagements rely on space-based assets, ...

  • US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks

    July 2, 2019

    The US is very close to improving power grid security by mandating the use of “retro” (analog, manual) technologies on US power grids as a defensive measure against foreign cyber-attacks that could bring down power distribution as a result. The idea is to use “retro” technology to isolate the grid’s most important control systems, to limit ...

  • US Cyber Command issues alert about hackers exploiting Outlook vulnerability

    July 2, 2019

    US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks. The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday. The Outlook bug, discovered and detailed by security researchers from SensePost, allows a threat actor to escape from the Outlook ...