2017-6-12 Global Cyber Attack ReportsJune 12, 2017
TOP ATTACKS AND BREACHES
- The FBI is helping Qatar investigate hacks into its Al-Jazeera news network, which possibly included the planting of false news stories. It is believed that Russian hackers were involved in breaching Al-Jazeera and planting fake stories, which may have triggered the current political crisis in the Middle East between Qatar and its neighbors.
- Russian hacking group APT28 (“Fancy Bear”) were revealed to have been targeting Montenegro with several attacks in the past months, prior to the country’s decision to join NATO. Russia was vocally opposing this decision, and is believed to have been using the cyber-attacks to apply pressure on Montenegro not to join NATO.
- Popular Polish gaming studio “Projekt Red”, famous for publishing the “Witcher” games, has announced that files related to their upcoming game release were stolen and are being held for ransom.
- Malware attributed to the Russian Turla group was discovered to be using comments on American singer Britney Spears’ Instagram page for C&C communication. The comments were picked by using unique hashes, and included hidden characters to resolve into the C&C domain.
- A database containing over 10-million American vehicle identification numbers, matched with owners’ personal information, was found to be insecurely exposed on the web. Other than the leak of carowners’ personal information, criminals can also use the VINs to clone stolen cars and to even duplicate car keys.
VULNERABILITIES AND PATCHES
- Cisco has released security updates for vulnerabilities in multiple products, some of which could result in remote code execution on vulnerable machines.
- VMware has released an update to handle critical security flaws in vSphere Data Protection. Check Point IPS blade provides protection against this threat (VMware vSphere Data Protection Remote Code Execution)
- Google is rolling out Chrome 59, which includes security updates for 30 vulnerabilities in the browser.
THREAT INTELLIGENCE REPORTS
- Check Point has published an analysis of the most recent Jaff ransomware campaign. It is believed that the current campaign is run by different actors than earlier campaigns, suggesting that Jaff is now being sold as-a-service for multiple actors. Check Point SandBlast, IPS, Anti-Bot and Anti-Virus blades provide protection against this threat (Suspicious Microsoft Office File Archive Mail Attachment, Trojan-ransom.Win32.Jaff)
- An analysis of a sophisticated social-media-based phishing attack has been published. The campaign lured visitors by offering free flight tickets on social media platforms, then took over victims’ profiles to leave recommendations for the tickets in multiple languages.
- A large multi-organizational operation to take down the popular RIG exploit kit has taken place. RIG had been considered the most prevalent exploit kit in the wild prior to this operation. About 40,000 malicious domains used by the exploit kit were identified and removed, and the kit’s activity has dropped considerably.
Check Point IPS, Anti-Virus and Anti-Bot blades provide protection against this threat (RIG Exploit Kit Landing Page, Exploit.Win32.Rig ek, Rig ek, and more)
- A new crypto-miner malware, dubbed SambaCry, has been detected in the wild. SambaCry exploits the EternalRed vulnerability in Samba, which is considered to be the Samba equivalent to Microsoft Windows SMB’s EternalBlue vulnerability that allowed the WannaCry ransomware to spread last month. Check Point IPS blade provides protection against this threat (Linux EternalRed Samba Remote Code Execution (CVE-2017-
- An analysis of the IoT botnet environment has revealed that the current top botnet is the Persirai, infecting 64% of the devices tracked in the research. Persirai infects web cameras in a similar fashion to Mirai, on which code it is based on, but is considered to be operated by Iranian actors.