22 May 2020 | Asia Cyber Summary

In the spotlight this week:

Winnti Group launched trojanized game executables on gaming platforms; Secureworks released a list of threat group profiles; QNAP devices discovered to be vulnerable to remote takeover attacks; FBI warns about attacks on Magento online stores.

  • Winnti Group launched a new modular backdoor targeted against gaming companies based in South Korea and Taiwan. The group compromised the gaming companies’ systems by planting trojanized game executables on the gaming platforms. One of the attack cases revealed that the group’s actions might have led to a supply chain attack.

  • Secureworks CTU Researchers released a list of threat group profiles. Among the groups listed are APT41 with an alias, Bronze Atlas; APT4 which is also known as Bronze Edison; APT30 which is also known as Bronze Geneva; APT34 with an alias, Cobalt Edgewater; and CrimsonRAT, otherwise known as CopperFieldStone.

  • Thousands of QNAP devices are found to be vulnerable to remote takeover attacks. In a Medium blog posted under its Infosec write-ups on May 19, 2020, in-depth technical details were provided on three of four vulnerabilities found in the QNAP devices. Among these four vulnerabilities, three are directly affecting the Photo Station app, while the other affects the QTS file manager app.

  • FBI warns about attacks on Magento online stores via old plugin vulnerability. IOCs are found to be associated with the e-skimming threat: Magecart or FIN7. This is a three-year-old vulnerability that is still being used by hackers. Netlab 360 has discovered a network-wide DNS malicious domain analysis system, with more than 10% of the total DNS traffic coverage is in China.

May 20, 2020 | No "Game Over" for the Winnti Group

In February 2020, a new modular backdoor, which was named PipeMon, was discovered. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and developed MMO (Massively Multiplayer Online) games. Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players. One of the attacks had malware operators compromising a victim’s build system which might have led to a supply-chain attack, allowing the attackers to trojanize game executables. In another case, the game servers were compromised which might have allowed the attackers to manipulate in-game currencies for financial gain.

Source: Welivesecurity. Retrieved from https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

May 20, 2020 | Counter Threat Unit Researchers Publish Threat Group Definitions

Secureworks released records of threat group profiles on its website. While these records do not provide full profiles of actors in the groups identified and no infrastructure indicators were mentioned, the data prove to be valuable to help establish a shared language for discussing these groups.

Source: Secureworks. Retrieved from https://www.secureworks.com/research/threat-profiles

May 19, 2020 | QNAP Pre-Auth Root RCE Affecting 312K Devices on the Internet

Multiple vulnerabilities in QNAP PhotoStation and CGI programs were discovered in 2019. These vulnerabilities can be chained into a pre-auth root RCE. All QNAP NAS models are found to be at risk, with 312,000 vulnerable QNAS NAS instances provided and detailed on the Internet (statistical prediction). These vulnerabilities have been responsibly reported, fixed, and added in the National Vulnerability Database. The article released in the Medium blogpost is the first public disclosure of the QNAP vulnerabilities. However, only three out of the thousands of vulnerabilities were detailed in public as these were claimed to be enough to achieve pre-auth root RCE.

Source: Infosec Write-ups, medium.com Retrieved from https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05

May 19, 2020 | EasyJet Admits Data of Nine Million Hacked

EasyJet admitted that a highly sophisticated cyberattack has affected approximately nine million of its customers. The company reported that email addresses and travel details had been stolen and that 2,208 customers also had their credit card details maliciously accessed.

The company has already informed the United Kingdom's Information Commissioner's Office while it investigates the breach. EasyJet also said that it first became aware of the attack in January 2020.

Source: BBC. Retrieved from https://www.bbc.com/news/technology-52722626

May 19, 2020 | FBI warns about attacks on Magento online stores via old plugin vulnerability

The FBI warns about how hackers are now exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that records and steals buyers' payment card data. The vulnerability is a cross-site scripting (XSS) bug that allows the threat actor to plant malicious code inside an online store's HTML code. Netlab 360 reported that the server used in web skimmer attacks goes back as far as May 2019. DNSMon identified one malicious site, magento-analytics[.]com, which was stealing credit card information from online shopping users by injecting javascript on e-commerce sites. The original site went offline after the article about the malicious activity has been posted.


ZDnet. Retrieved from https://www.zdnet.com/article/fbi-warns-about-attacks-on-magento-online-stores-via-old-plugin-vulnerability/

FBI Cyber Division. Retrieved from https://www.documentcloud.org/documents/6893935-FBI-Flash-Alert-MU-000127-MW.html

May 19, 2020 | Israel Linked to a Disruptive Cyberattack on Iranian Port Facility

On May 9, 2020, the shipping traffic at Iran’s bustling Shahid Rajaee port terminal came to an abrupt and inexplicable halt. Computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive disruption on waterways and roads leading to the facility. After waiting a day, Iranian officials acknowledged that an unknown foreign hacker had briefly knocked the port’s computers offline.

Source: Washington Post. Retrieved from https://www.washingtonpost.com/national-security/officials-israel-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.