2nd December – Threat Intelligence Bulletin

December 2, 2019

For the latest discoveries in cyber research for the week of 2nd December 2019, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Check Point Research has found a nearly 223% increase in phishing scams during this holiday shopping season compared to last year. Such campaigns aim to steal users’ credentials and payment details, or to sell cheap knock-offs of popular high-priced items such as Ray-Ban glasses and Pandora jewelry.
  • Mixcloud, a UK-based music streaming service, has been breached; data on tens of millions of users was stolen and put up for sale on the dark web. The exposed data includes usernames, email addresses, hashed passwords, login dates and IP addresses.
  • An unprotected, publicly accessible Elasticsearch server holding data from two data enrichment companies has exposed personal and social-media information on roughly 1.2 billion individuals. According to the researchers, the records are unique and include names, email addresses, phone numbers, and LinkedIn and Facebook profile information.
  • Prosegur, a Spanish multinational security company, has fallen victim to a Ryuk ransomware attack, allegedly delivered via Emotet. To contain the infection the company disconnected its network, sent employees home and restricted communication with its customers.

Check Point Anti-Virus and Anti-Ransomware blades provide protection against these threats (Ransomware.Win32.Ryuk.TC; Trojan.Win32.Emotet)

  • Adobe’s Magento Marketplace has suffered a data breach: an attacker exploited an undisclosed vulnerability to access the personal data of platform users. The exposed information includes names, email addresses, MageID, billing and shipping addresses and some limited commercial information.
  • Personal details of seven current and former Palo Alto Networks employees were accidentally exposed by a third-party contractor; the details included names, dates of birth and Social Security numbers.
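The Elasticsearch exposure above is the usual pattern of a cluster listening on the internet with no authentication in front of it. The following check, added here as an example and not Check Point's code or tooling from the reported incident, probes a node the way a researcher (or an attacker) would: it classifies the root endpoint response and, if the node answers without credentials, sizes the exposure from the unauthenticated index listing. It assumes the stock Elasticsearch REST responses (a root document carrying cluster_name and version.number, and _cat/indices?format=json rows carrying docs.count); the sample bodies embedded below are constructed, not captured from any real server.

```python
"""Check whether an Elasticsearch endpoint answers without authentication.

Added example, not Check Point's code or the tooling from the reported incident.
Assumes stock Elasticsearch REST responses: GET / returns a JSON document with
"cluster_name" and "version": {"number"}, and GET /_cat/indices?format=json
returns rows with "docs.count". Sample bodies below are constructed.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Tuple


def classify_root_response(status: int, body: str) -> str:
    """Map the status/body of GET / to: open | auth-required | not-elasticsearch | http-<n>."""
    if status in (401, 403):
        return "auth-required"          # X-Pack / proxy auth is in front of the node
    if status != 200:
        return f"http-{status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"      # e.g. an HTML page from an unrelated service
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"                   # cluster metadata served to an anonymous client
    return "not-elasticsearch"


def exposure_summary(cat_indices_body: str) -> Dict[str, int]:
    """Count indices and total documents from an unauthenticated _cat/indices listing."""
    rows = json.loads(cat_indices_body)
    docs = 0
    for row in rows:
        try:
            docs += int(row.get("docs.count") or 0)   # docs.count is a string, may be null
        except ValueError:
            pass
    return {"indices": len(rows), "docs": docs}


def _get(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET without credentials; return (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.getcode(), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url: str) -> Dict[str, object]:
    """Probe one node: classify the root endpoint and, if open, size the exposure."""
    base = base_url.rstrip("/")
    status, body = _get(base + "/")
    verdict = classify_root_response(status, body)
    result: Dict[str, object] = {"url": base_url, "verdict": verdict}
    if verdict == "open":
        s2, b2 = _get(base + "/_cat/indices?format=json")
        if s2 == 200:
            result.update(exposure_summary(b2))
    return result


# Constructed sample responses (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({"name": "node-1", "cluster_name": "docker-cluster",
                               "version": {"number": "7.4.2"},
                               "tagline": "You Know, for Search"})
SAMPLE_ROOT_AUTH = json.dumps({"error": {"type": "security_exception",
                                         "reason": "missing authentication credentials"}})
SAMPLE_CAT = json.dumps([{"index": "people", "docs.count": "622000000", "store.size": "2tb"},
                         {"index": "profiles", "docs.count": "580000000", "store.size": "1.9tb"},
                         {"index": ".kibana", "docs.count": None}])

if __name__ == "__main__":
    import sys
    for url in sys.argv[1:] or ["http://127.0.0.1:9200"]:
        try:
            print(probe(url))
        except (urllib.error.URLError, OSError) as exc:
            print({"url": url, "verdict": f"unreachable ({exc})"})
```

Run it against your own clusters from outside the trusted network: a verdict of "open" with a non-zero document count is exactly the condition reported above, and the fix is a listener bound to an internal interface or an authenticating proxy, not a firewall rule alone.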

VULNERABILITIES AND PATCHES

  • Researchers have discovered 37 vulnerabilities in four popular open-source VNC remote desktop implementations, affecting both client and server components, that could allow an attacker to take control of a remote computer.
  • A vulnerability (CVE-2018-9195) has been found and patched in multiple Fortinet security products: traffic between the products and Fortinet’s cloud services was protected only with a hard-coded key, allowing an on-path attacker to eavesdrop on it and to track the online behavior of the company’s users.
  • A researcher has found that control panels for the obstruction lights installed on tall structures to warn aircraft were exposed on the public internet and could have been used by an attacker to switch the lights off.
  • Security firm Kaspersky has fixed multiple vulnerabilities in its products (CVE-2019-15684, CVE-2019-15685, CVE-2019-15687 and CVE-2019-15688). The vulnerabilities could allow an attacker to disable several protection features and gather limited information about the affected user.

THREAT INTELLIGENCE REPORTS

  • The National Cyber Security Centre in the Netherlands has reported that at least 1,800 companies globally have fallen victim to one of three ransomware families: LockerGoga, MegaCortex and Ryuk.

Check Point Anti-Virus and Anti-Ransomware blades provide protection against these threats (Ransomware.Win32.Ryuk.TC; Ransomware.Win32.LockerGoga; Trojan-Ransom.Win32.MegaCortex)

  • Researchers have raised several privacy and security concerns about a popular Chinese-made smartwatch (SMA-WATCH-M2) that parents use to track their children. Unencrypted communication between the watch and the vendor’s servers, together with a vulnerable database, allowed the researchers to obtain personal and real-time location information for nearly 5,000 children.
  • Researchers have discovered a new password stealer, CStealer, that targets credentials saved in the Chrome browser. The stealer uploads the stolen credentials directly to a remote MongoDB database, which may indicate that the data is shared between several attackers.
  • The TrickBot banking Trojan has been upgraded: its password-stealing module can now harvest private keys and passwords from OpenSSH and OpenVPN clients. The stolen material can later be used to gain access to additional systems; a private key stored without a passphrase is directly usable by whoever obtains the file.

Check Point Anti-Virus and Anti-Bot blades provide protection against this threat (Trojan-Banker.Win32.TrickBot)
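The TrickBot item above turns on one question a practitioner can answer locally: if the module copies ~/.ssh and the OpenVPN client files, which of them hand over a working credential with no further effort? The audit below is an added example, not Check Point's code nor anything from TrickBot. It parses the two OpenSSH private-key encodings (the openssh-key-v1 container, where the cipher and KDF names are the first two strings after the magic, and legacy PEM, where encryption shows up as a Proc-Type header), then applies the same check to an inline <key> block in a .ovpn file and flags auth-user-pass with a stored credentials file. The key fixtures are constructed headers with no real key material; the file names under ~/.ssh are assumptions.

```python
"""Audit OpenSSH and OpenVPN client material for secrets stored unencrypted.

Added example, not Check Point's or TrickBot's code. Assumes the standard
OpenSSH private-key formats (openssh-key-v1 and legacy PEM) and the .ovpn
inline <key> / auth-user-pass syntax. Fixtures below are constructed, not real keys.
"""
import base64
import re
import struct
import textwrap
from pathlib import Path
from typing import Iterable, List, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one SSH wire string at offset; return (payload, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[start:end], end


def is_encrypted_private_key(pem: str) -> bool:
    """True if the private key text is passphrase-protected at rest.

    openssh-key-v1: cipher name and KDF name follow the magic; "none"/"none"
    means the key material is stored in the clear. Legacy PEM (BEGIN RSA/EC/DSA
    PRIVATE KEY): encrypted files carry "Proc-Type: 4,ENCRYPTED". PKCS#8 uses a
    distinct BEGIN marker for the encrypted form.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines:
        raise ValueError("empty key")
    if lines[0] == OPENSSH_BEGIN:
        if lines[-1] != OPENSSH_END:
            raise ValueError("missing END marker")
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    if lines[0] == "-----BEGIN PRIVATE KEY-----":
        return False
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4])
    raise ValueError("not a recognised private key")


def ovpn_findings(config: str) -> List[str]:
    """Flag secrets an OpenVPN client config keeps on disk for unattended use."""
    findings = []
    m = re.search(r"<key>\s*(.*?)\s*</key>", config, re.S)
    if m and not is_encrypted_private_key(m.group(1)):
        findings.append("inline <key> is unencrypted")
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0] == "auth-user-pass" and len(parts) > 1:
            findings.append(f"credentials stored in {parts[1]}")   # username/password file
    return findings


def audit_paths(paths: Iterable[Path]) -> List[str]:
    """Return human-readable findings for key files and .ovpn/.conf files on disk."""
    out = []
    for p in paths:
        text = p.read_text(errors="replace")
        if p.suffix in (".ovpn", ".conf"):
            out += [f"{p}: {f}" for f in ovpn_findings(text)]
        elif "PRIVATE KEY-----" in text:
            try:
                if not is_encrypted_private_key(text):
                    out.append(f"{p}: private key has no passphrase")
            except ValueError as exc:
                out.append(f"{p}: unparsable ({exc})")
    return out


def make_openssh_fixture(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 header (magic, cipher, kdf, kdfoptions, nkeys) with no key material."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "\n".join([OPENSSH_BEGIN, *textwrap.wrap(b64, 70), OPENSSH_END]) + "\n"


# Constructed fixtures, not real keys.
UNENCRYPTED_KEY = make_openssh_fixture(b"none", b"none")
ENCRYPTED_KEY = make_openssh_fixture(b"aes256-ctr", b"bcrypt")
SAMPLE_OVPN = "client\nauth-user-pass creds.txt\n<key>\n" + UNENCRYPTED_KEY + "</key>\n"

if __name__ == "__main__":
    for f in ovpn_findings(SAMPLE_OVPN):
        print("sample.ovpn:", f)
    for f in audit_paths(Path.home().joinpath(".ssh").glob("id_*")):   # assumed key file names
        print(f)
```

Every finding this prints is a credential TrickBot's module could reuse as-is; the remediation is ssh-keygen -p to add a passphrase (or an agent-backed hardware key), and an OpenVPN profile that prompts rather than reads auth-user-pass from a file.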

  • A report has documented a sharp increase in the malicious use of Chrome notifications to push unwanted ads, phishing scams and other malicious content.