Security researchers have revealed a new malvertising campaign called RoughTed. According to the researchers, RoughTed is able to bypass ad blockers and is used for scams and exploit kits.
Security researchers have found a new Gmail phishing campaign, suspected to originate from Russian threat actors, targeting more than 200 victims. The phishing email was designed to look like it came from Google, claiming someone had stolen the victim’s password and that they should change it immediately.
Security researchers have found fake applications on the Google Play Store that offer users protection from the WannaCry ransomware for their mobile phones, while in fact using the apps to deliver ads. Notably, WannaCry ransomware affected only the Windows operating system and was not built for Android.
A rise in malicious Visual Basic scripts has led security researchers to reveal a new “Houdini” campaign. “Houdini” is a VBScript worm that first appeared in 2013 and was updated in 2016. It is capable of replicating itself in the compromised system and contacting a C2 server.
VULNERABILITIES AND PATCHES
Check Point researchers have published a new blog post describing a new critical vulnerability found in the subtitle mechanism used by popular streaming applications.
Check Point IPS blade provides protection against this threat (Popcorn Time Subtitles Remote Code Execution; Kodi Open Subtitles Addon Remote Code Execution; StremIO Subtitles Remote Code Execution; VLC ParseJSS Null Skip Subtitle Remote Code Execution).
Microsoft has silently patched a critical vulnerability in its Malware Protection Engine that allowed an attacker to craft an executable that, when run in the engine’s emulator, would allow remote code execution.
A vulnerability has been found in the popular open source software Samba. Samba allows different operating systems to share network folders with Windows. The vulnerability allowed threat actors to upload a malicious library to a writable share, causing the server to load and execute it.
A security researcher has found a “significant authentication bypass” vulnerability in Twitter that may allow an attacker to tweet using any account. The discovery has earned him a $7560 bug bounty.
A new attack vector against Android OS called “Cloak and Dagger” has been revealed by security researchers. This attack allows a malicious app to completely take over victims’ devices with permissions automatically granted to the app when downloaded from Play Store.
THREAT INTELLIGENCE REPORTS
Check Point researchers have published a report describing the discovery of 41 apps, registered on the Google Play Store, that were infected with a malware called Judy.
Researchers from Check Point have shared their research regarding the “Shadow Brokers”, “WannaCry” and the leak of the stolen cyber weapons from the NSA.
The new report describes the massive increase of 752% in ransomware attacks from 2015 to 2016, and sheds light on recent developments in malware distribution and evasion techniques. The report estimates that in the future, threat actors may increase their focus on attacking infrastructure for ransom purposes, including industrial control systems and payment systems.