2017-4-3 Global Cyber Attack Report

TOP ATTACKS AND BREACHES

  • America’s Job Link Alliance (AJLA), a job portal of the US Department of Labor, has been breached, exposing personal data of an unknown number of job seekers.
  • Hacktivists plan to carry out a large-scale operation of DDoS and defacement attacks against Israeli targets on April 7. The operation, named ‘OpIsrael’, has been carried out on the same date for several years now. Among the tools distributed online for hacktivists to use during OpIsrael were two alleged denial-of-service tools that were found to actually be remote access Trojans (RATs).
  • Turkish hacktivists have been participating in a threat campaign against Dutch targets since mid-March. In the campaign, named “Netherlands Operation”, hacktivists claim to have defaced 252 Dutch websites. The campaign follows the growing political tensions between Turkey and the Netherlands.
  • A new ransomware named Sanctions has recently been observed in the wild. The ransomware, which seems to be named after the Western sanctions on Russia, demands 6 bitcoins (approximately $6,500) for decryption. The malware is likely to be used in targeted attacks.
  • A malvertising campaign has recently targeted Skype users. In the campaign, malicious ads have pushed a file named FlashPlayer.hta, full of obfuscated JavaScript code, onto target machines. The final payload of the attack is still unknown.
  • A phishing campaign has targeted GitHub repository owners, trying to infect them with Dimnie, a downloader with info-stealing capabilities. The phishing emails pretended to be a job proposal, with an attached Word document incorporating a malicious macro that downloads Dimnie. Check Point AV blade provides protection against this threat (Trojan.Win32.Dimnie).
  • A new phishing campaign targets World of Warcraft players, promising them free in-game pets while actually stealing their game credentials.

VULNERABILITIES AND PATCHES

  • Apple has released security updates for iCloud, macOS, tvOS, watchOS, iOS, macOS Sierra, Safari and various applications. The updates address 187 vulnerabilities, some of which may allow arbitrary code execution. The iOS 10.3 update addresses the Safari JavaScript pop-up functionality, after it had been abused by scammers to lock mobile device users out of their browser.
  • VMware has released a security update addressing 4 vulnerabilities, including 2 critical vulnerabilities allowing arbitrary code execution on a host.
  • Google has released a security update for Chrome, addressing 5 vulnerabilities, one of which is rated critical and the rest of which are of high severity.
  • Researchers have disclosed 2 vulnerabilities in the Gigabyte BRIX platform. If exploited, the vulnerabilities may allow elevating privileges, executing arbitrary code and installing a backdoor at the firmware level.

THREAT INTELLIGENCE REPORTS

  • A new report describes Cerber’s sandbox evasion technique, which relies on self-extraction.
  • WikiLeaks has leaked the source code of the CIA’s secret anti-forensic Marble Framework as part of its “Vault7” leak project. According to the leak, Marble is a tool used by the CIA for code obfuscation. The framework also includes a de-obfuscator.
  • According to a new report, almost 1.4 billion records were breached worldwide in 2016, in 1,792 incidents. The number of breaches in 2016 was 86% higher than in 2015. 59% of the incidents involved identity theft. The two most targeted sectors for breaches were government and technology, with 28% of the incidents each. 80% of the incidents happened in North America (almost solely in the US).
  • The author of the TinyNuke banking Trojan has leaked his malware’s source code. According to researchers, the leak was made after the author’s reputation suffered in threat actors’ underground forums.
  • A new report describes the Sundown exploit kit’s activity and growing significance in the exploit kit landscape.