2017-4-10 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
- A major attack that struck a popular bank in Brazil late last year has now been disclosed. For 5 hours, attackers took control of the bank’s entire DNS infrastructure, including email and FTP servers, and infected every client that accessed the bank with credential-stealing malware. The attackers are suspected to be a highly-sophisticated Brazilian gang.
- The hacking collective “Anonymous” launched the annual ‘OpIsrael’ – an attack against Israeli sites on April 7th. According to Check Point’s analysis, the operation, launched for the 5th time, drew less attention than it had in past years, and resulted in only a few website defacements and minor leaks of Israelis’ personal information.
- A significant attack, believed to originate from Chinese nation-state actors, has been affecting key private-sector leaders involved in forming the United States’ trade policy. The operation allowed for initial scanning of the targets, and further attacks are believed to follow.
- A new study sheds light on the Lazarus group, a major APT actor which has been focusing on stealing money from banks, including the famous SWIFT attack in Bangladesh. According to researchers, the scale of the group’s operation is much larger than other actors, and it is believed that the group has ties to the North Korean government.
- American game store giant Gamestop has revealed that it is investigating a possible breach into its online platform, after it had received reports that information of payment cards used on Gamestop was being sold online. The information includes CVV (3 digits on the back of the card), even though it is not supposed to be stored by online stores.
- Moonlight Maze, one of the world’s most prominent hacking groups from the 1990’s which was believed to have disappeared, has possibly evolved into the Turla APT and might still be active today, a new study shows. The group was responsible for theft of major American state secrets in the 1990’s.
VULNERABILITIES AND PATCHES
- Google has released a security update for over 70 vulnerabilities in Android, 25 of which are marked
with Critical severity.
- Schneider Electric, manufactures of SCADA equipment, has been found to be using unchangeable hardcoded passwords in certain products, and is reportedly unresponsive to researchers who notified them
about the issue.
- WikiLeaks has released 27 additional documents as part of its “Vault 7” leak of alleged CIA documents.
- Cisco has released a patch for its Aironet 1830 Series and 1850 Series products, which included hardcoded default credentials that could allow remote attackers to gain control over the devices.
- Researchers have found in-the-wild attacks leveraging a new Microsoft Word 0-day, before it was disclosed and patched. The vulnerability involves Word retrieving a fake RTF file from a malicious Word document, which causes Word to run the malicious script.
THREAT INTELLIGENCE REPORTS
- Researchers have found that the recently discovered Apache Struts2 Remote Code Execution vulnerability is being used to directly deploy the Cerber ransomware to Windows servers.
- An extremely sophisticated spyware app for Android dubbed Chrysaor has been discovered by Google. The app, which includes multiple features for spying (screenshotting, listening on calls, accessing messenger apps) and for evading detection or deletion, is believed to be an Android variant of Israeli firm NSO’s Pegasus spyware. Check Point Mobile Threat Prevention provides protection against this threat
- A technical analysis of the Sathurbot botnet has been published. The botnet spreads via malicious torrents, and then exploits multiple WordPress vulnerabilities on infected machines to gain site login information. The botnet only tries a single attack from each infected machine to ensure that its bots are not blacklisted or blocked.