2017-7-17 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

• A worker of the Multi-State Lottery Association (MSLA) in the US took advantage of his access to its secured computers to conduct one of the biggest lottery scams in history. The worker infected the computers with a malicious DLL he had crafted that hijacked the computers’ random number generation algorithm, thus allowing him to predict the winning tickets. The operation was exposed once his culprits tried to cash-out anonymously, thus raising the suspicions of law-enforcement agencies.
• AlphaBay, the biggest dark-web marketplace, has been taken down by law-enforcement agencies, putting an end to a wide of range criminal activities done through the site. Researchers estimate that the site had approximately 300,000 listings of illegal products, from drugs to stolen banking credentials.
• A mobile non-encrypting ransomware named LeakerLocker has recently been found in two Google Play applications: “Wallpapers Blur HD” and “Booster & Cleaner Pro”; each has a few thousands downloads. The malware uses the privileges granted to the applications in order to harvest personal data of victims, and then demands a ransom payment or the data will be leaked. Check Point SandBlast Mobile and Anti-Bot blades provide protection against this threat (TrojanRansom.AndroidOS.LeakerLocker)
• A new web scam alerts users on “Malicious Pornographic Spyware/Riskware Detected”, luring them to call “certified technicians” and pay for their assistance in mediating the threat. Victims are redirected to this web browser pop-up by potentially unwanted programs (PUP). Check Point IPS blade provides protection against this threat (Suspicious Site Containing Tech Scams)
• A new point-of-sale (PoS) malware named LockPoS was spotted hitting PoS systems in Brazil. The malware is linked to the C&C chain of a Flokibot campaign active in the country. Check Point Anti-Bot blade provides protection against this threat (Trojan.Win32.Flokibot.*)

VULNERABILITIES AND PATCHES

• Microsoft has released July’s Patch Tuesday, which includes security updates for multiple products. The updates address at least 54 security issues, some of which are rated critical. Check Point IPS blade provides protection against this threat (Microsoft Edge Remote Code Execution; Microsoft Internet Explorer Remote Code Execution; Microsoft Browser Security Feature Bypass)
• Adobe has released security updates for Adobe Flash Player and Adobe Connect. The updates address 6 vulnerabilities, one of which is a critical remote code execution vulnerability. Check Point IPS blade provides protection against this threat (Adobe Flash Player Memory Corruption; Adobe Flash Player Information Disclosure)
• Cisco has released a security advisory for Cisco IOS and IOS XE Software. The advisory addresses buffer overflow vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of the vulnerable software, and may allow an attacker to conduct remote code execution.
• Samba has released security updates addressing a critical vulnerability in all versions of Samba from 4.0.0 onwards using embedded Heimdal Kerberos, which could allow man-in-the-middle attacks.

THREAT INTELLIGENCE REPORTS

• Check Point researchers have published a new research regarding OSX/Dok malware, a MacOS banking Trojan stealing bank credentials. It sheds light on the malware’s obfuscation and evasion techniques, such as disabling security updates, signing with Apple certificates, and location-based attack tailoring, and describes the attackers’ attempts to bypass two-factor-authentications by manipulating victims into
  installing a messenger application and using it to send them the SMS verification code sent by the bank. Check Point IPS, Anti-Bot and Anti-Virus blades provide protection against this threat (Trojan.OSX.DOK; Mac OSX/Dok Unauthorized Remote Access)
• Wikileaks has revealed a new CIA cyber tool under its “Vault7” project. The tool, named HighRise, is an Android application designed for mobile devices running Android 4.0 to 4.3. It functions as an SMS proxy between implants and listening posts, thus providing greater separation between them.
• A new attack vector, WPSetup Attack, targets non-configured WordPress websites. The attackers are looking for new WordPress websites which include a unique string that indicates that they are not yet configured, thus more vulnerable, and takes over them by abusing the rest of the installation process. Check Point IPS blade will protect against this threat in its next online package
• A new variant of CryptoMix ransomware has recently been discovered. It keeps its predecessor’s capability to encrypt files offline, and adds .exte extension on encrypted files.