08 May 2020 | Asia Cyber Summary

In the spotlight this week:

WeChat’s Chinese censorship systems are being continuously refined and extended with the help of unwitting international users; Microsoft Azure cloud platform source code is reportedly leaked; and two major ransomware incidents.

  • It has been common knowledge that Chinese chat apps, like WeChat, block and sometimes monitor users and visitors. But discovering that the rest of the world is being surveilled in order to train and refine censorship in China shows just how far private companies go to comply with Beijing's self-censorship demands.

  • An alarming rumour surfaced on Twitter on May 7, 2020. The post mentioned a possible incident in which Microsoft’s Azure cloud platform source code may have been leaked from a private GitHub repository. A similar AWS incident was previously reported, in which Imperva’s data breach was actually caused by a misconfiguration on the AWS cloud. In APAC, more and more entities are planning to move portions of their data centers to the cloud. However, these entities seldom check the shared responsibility for cybersecurity protection set out in their Service Level Agreements and rely completely on the cloud service providers (CSPs), presuming that the providers will be able to protect them.

  • Two major ransomware incidents were identified recently. Trend Micro reported that targeted ransomware (EDA2 – educational ransomware) attacked Taiwanese organizations. KrebsOnSecurity also disclosed that Europe’s largest private hospital operator was hit by Snake ransomware. KrebsOnSecurity noted that ransomware gangs are now shaming victim businesses that do not pay by publishing stolen data from victims, and are conducting human-operated ransomware campaigns.

May 06, 2020 | Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

It was anonymously reported that computers in the Fresenius Kabi US office building had been roped off, and that a cyberattack had affected every part of the company’s operations around the globe. The informer said that the apparent culprit was the Snake ransomware. The Snake ransomware is a relatively new strain that was first introduced earlier this year and is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as Bitcoin. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to pressure victim companies into paying up.

Source: Krebs on Security. Retrieved from https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/ and https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/

May 06, 2020 | How hackers are updating the EVILNUM malware to target the global financial sector

Hackers behind a series of targeted financial attacks have been updating their malware to better evade detection over the last year, according to new Prevailion research slated to be published in the coming week. Since February 2019, the hackers, who have begun impersonating CEOs and banks in their lure documents, have introduced at least seven updates to the malicious software known as EVILNUM, which enables attackers to upload and download files, harvest tracking cookies, and run arbitrary commands.

Source: Under the Breach’s Twitter Post. Retrieved from https://twitter.com/underthebreach/status/1258153076554375168

May 06, 2020 | Credit Card Skimmer Masquerades as Favicon

Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one. When it comes to online credit card skimmers, a number of evasion techniques have already been made known; some are fairly simple, and others are more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners. In this latest instance, what was observed is an old server-side trick combined with the clever use of an icon file to hide a web skimmer. Threat actors registered a new website purporting to offer thousands of images and icons for download; in reality however, this has a single purpose: to act as a façade for a credit card skimming operation.

Source: Malwarebytes. Retrieved from https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/
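The item above describes a skimmer hidden behind an icon file. One defensive check a site owner can run on their own pages is to compare what a resource claims to be (its path and declared Content-Type) with what its bytes actually are: a favicon that carries JavaScript instead of an image header should never pass. The code below is an added example written for this digest, not code from Malwarebytes or from the campaign; the response tuples are constructed stand-ins, and the `SCRIPT_TOKENS` heuristic is an assumption about what binary image data never contains.

```python
"""Added example: flag resources declared as icons/images whose bytes are not an image.
The sample responses are constructed for this example; nothing here is captured from a real site."""
import re
from typing import Dict, List, Optional, Tuple

# Leading bytes (magic numbers) of the image formats a favicon is normally served as.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Tokens that only make sense in JavaScript and never appear at the start of an image.
# Assumption: a small, conservative list is enough to separate script from binary data.
SCRIPT_TOKENS = re.compile(rb"function\s*\(|document\.|addEventListener|XMLHttpRequest|fetch\(")

Response = Tuple[str, str, bytes]  # (url, Content-Type header, body)


def sniff_image(body: bytes) -> Optional[str]:
    """Return the image format implied by the leading bytes, or None if not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def classify_icon_response(url: str, content_type: str, body: bytes) -> Dict[str, object]:
    """Compare the declared type of an icon-like resource with what its bytes look like."""
    declared = content_type.split(";")[0].strip().lower()
    sniffed = sniff_image(body)
    if sniffed is not None and declared.startswith("image/"):
        verdict = "ok"                 # header and bytes agree: a real image
    elif SCRIPT_TOKENS.search(body):
        verdict = "script-in-icon"     # JavaScript served where an image was expected
    elif declared.startswith("image/") and sniffed is None:
        verdict = "not-an-image"       # claims to be an image but has no image header
    else:
        verdict = "type-mismatch"      # e.g. an .ico path served as application/javascript
    return {"url": url, "declared": declared, "sniffed": sniffed, "verdict": verdict}


def audit_icon_responses(responses: List[Response]) -> List[Dict[str, object]]:
    """Return only the responses that need a human look."""
    results = (classify_icon_response(url, ctype, body) for url, ctype, body in responses)
    return [r for r in results if r["verdict"] != "ok"]


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES: List[Response] = [
    ("https://shop.example/favicon.ico", "image/x-icon",
     b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 32),
    ("https://cdn.example/icons/cart.png", "image/png",
     b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    # An .ico path whose body is script rather than an icon.
    ("https://icons.example/favicon.ico", "image/x-icon",
     b"document.addEventListener('submit',function(e){/* constructed stand-in */});"),
    # An .ico path served with a JavaScript content type.
    ("https://icons.example/logo.ico", "application/javascript", b"var x=1;"),
]

if __name__ == "__main__":
    for finding in audit_icon_responses(SAMPLE_RESPONSES):
        print(f"{finding['verdict']:15} {finding['url']} (declared {finding['declared']})")
```

In practice the tuples would come from fetching every image, icon and favicon URL referenced by a checkout page, ideally from the same path a customer's browser takes, since the write-up notes the trick is server-side: a scanner that fetches the icon out of context may receive a perfectly valid image.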

May 07, 2020 | Tokopedia Hack

A Twitter user with the account name @underthebreach posted a tweet on May 7, 2020 claiming that the suspect behind the Tokopedia hack also stole data from a private repository on GitHub. The suspect allegedly had 500 GB worth of private Microsoft source code and some Windows runtime files/APIs. Following further research, the allegation that the data was stolen from GitHub was found to be true, as the suspect dumped the entire directory listing of the private repositories.

Source: Under the Breach’s Twitter Post. Retrieved from https://twitter.com/underthebreach/status/1258153076554375168

May 08, 2020 | We Chat, They Watch: How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus

Documents and images transmitted entirely among non-Chinese registered accounts undergo content surveillance wherein files are analyzed for content that is politically sensitive in China. Upon analysis, files that are deemed politically sensitive are used to invisibly train and build up WeChat’s Chinese political censorship system. From public information, it is unclear how Tencent uses non-Chinese registered users’ data to enable content blocking, or which policy rationale permits the sharing of data used for blocking between China and international regions of WeChat.

Source: Securities and Futures Commission. Retrieved from https://www.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=20EC37

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.