2017-5-22 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

• WannaCryptor ransomware refuses to leave the headlines, as security researchers are claiming for a possible connection between the malware and North Korea. In addition, researchers claim that the most affected OS by WannaCryptor is Windows 7, rather than XP. Check Point SandBlast, IPS and Anti-Bot blades provide protection against this threat (Operator.Wcry.*; Microsoft Windows EternalBlue SMB Remote Code Execution, Microsoft Windows SMB Remote Code Execution (*); Non- Compliant CIFS; Microsoft Windows NT Null CIFS Sessions; Ransomware Shared Folder Access)
• The EternalBlue vulnerability used by WannaCrypt for its mass-distribution was seen serving a new ransomware named UIWIX. The malware is fileless and is equipped with anti-detection capabilities. On a related subject, a new research claims that WannaCrypt wasn’t the first to exploit the EternalBlue vulnerability, and that a cryptocurrency mining malware has been using it since late April. Check Point IPS blade provides protection against this threat (Microsoft Windows Eternalchampion SMB Remote Code Execution; Microsoft Windows Eternalromance SMB Remote Code Execution; Microsoft Windows DoublePulsar Remote Code Execution)
• Threat actors have gained access to the service-related announcement system of DocuSign, an electronic signature provider, revealing clients’ email addresses. It was followed by a phishing campaign targeting the clients with emails disguised as coming from DocuSign, and linked to a malicious DOC file.
• The Outlaw dark web market place has gone down, with its admins claiming that the closure was due to a breach it had suffered. The site had been selling illegal products and data dumps, and experienced a growth in business following the shutdown of Silk Road marketplace.
• Panic, a software company specializing in apps for Apple platforms, has suffered a breach as one of its employees had his Mac computer infected with Proton malware downloaded from a compromised download server of the macOS video transcoding app HandBrake. Source code of apps developed by Panic was stolen by the threat actors, who demanded a high bitcoin ransom or else it will be released.
• Threat-actors claim to have stolen Disney’s new “Pirates of the Caribbean”, and demand a ransom payment, or else they will expose it.

VULNERABILITIES AND PATCHES

• Apple has released security updates for the following products: iOS, macOS Sierra, watchOS, iTunes for Windows, Safari, iCloud for Windows and tvOS. The updates address over 70 vulnerabilities, some of which may allow arbitrary code execution.
• WordPress has released a security update addressing 6 security issues, including 2 cross-site scripting (XSS) vulnerabilities.
• Joomla! has released a security update addressing a high priority SQL injection vulnerability. Check Point IPS blade provides protection against this threat (Joomla com_fields Component SQL Injection)
• Cisco has released security updates for several products addressing 24 vulnerabilities, one of which is rated as critical and may lead to authentication bypass.

GLOBAL THREAT INTELLIGENCE

• Researchers are claiming to have discovered a link between the APT3 threat group to Boyusec, a contractor of the Chinese government. According the researchers, many domains used in APT3 attacks were registered by shareholders of Boyusec.
• Check Point’s researchers have published a report describing the threat of mobile banking Trojans. These malware are currently able to bypass 2-factor authentication and various android security mechanisms, thus being one of the greatest threats to mobile users.
• WikiLeaks has leaked more information about CIA threat tools under its Vault7 project. The current leak includes documents from the “Athena” project, a Windows malware with beaconing and loading capabilities, allegedly developed in cooperation with the cyber security company Siege Technologies.
• Decryption tools for BTCWare and Wallet ransomware were recently released.
• A new research sheds light on Astrum exploit kit’s recent updates which allow it to avoid detection and analysis. According the research, Astrum currently shows low traffic with a non-malware payload, which may be explained as a dry run before a future attack. Check Point Anti-Virus and IPS blades provide protection against this threat (Astrum ek; Astrum Exploit Kit
  Landing Page)