3 July 2020 | Asia Cyber Summary

In the spotlight this week:

  • Microsoft quietly released emergency security update to fix two Windows codecs bugs.

  • DarkLab intelligence analysts in Hong Kong detected a Lokibot phishing campaign targeting the maritime and engineering sectors in Europe, Asia, and the US. The attack came from spoofed email addresses of legitimate organizations in Asia.

  • Trustwave SpiderLabs have identified an executable file displaying highly unusual behaviour, sending system information to a suspicious Chinese domain.

  • US Cyber Command warned that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS.

  • A foreign hacking group, known as the "Korean Hackers" and "Team Johnwick", breached media company E27, demanding a "donation" to reveal vulnerabilities used in the attack.

JUL 1, 2020 | Microsoft Releases Emergency Security Update to Fix Two Bugs in Windows Codecs

Security updates were quietly deployed to customers on Tuesday through the Windows app store. Tracked as CVE-2020-1425 & CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019 distributions. In security advisories published by Microsoft, the company said the two security flaws can be exploited with the help of a specially crafted image file. The two bugs were built in the Windows Codecs Library and described as two remote code execution (RCE) vulnerabilities were patched earlier this week. The OS maker said it learned of the bugs from a report written by Trend Micro's Zero Day Initiative; a program that intermediates communications between security researchers and larger companies. Source: https://www.zdnet.com/article/microsoft-releases-emergency-security-update-to-fix-two-bugs-in-windows-codecs/#ftag=RSSbaffb68

JUL 1, 2020 | Ransomware Gangs Don’t Need PR Help

Publicizing claims of ransomware attacks on companies large and small, plays right into the hands of organized crime. While it might seem like the right thing to do as investors and the public have a right to know—especially with regards to attacks that involve publicly traded companies and recognizable brands—additional information from the victim company or their partners affected by the attack, this sensationalizes the act, giving the threat actor more publicity. Dozens of ransomware actors have published their own blogs, showcasing their findings through press releases, often with screenshots of claimed access to computers, or teasers of documentation that expose proprietary and financial information of the victim. With the clear goal of publicly pressurizing the victim company into paying the ransom, this self-serving act puts victims between a rock and a hard place, with the risk of having their sensitive company data published online or sold on the Dark Web (or both). Mimicking the actions taken by professional extortionists neither provides assurance nor comfort to a threat actor that does not deserve it. Source: https://krebsonsecurity.com/2020/07/ransomware-gangs-dont-need-pr-help/

JUN 30, 2020 | US Cyber Command Says Foreign Hackers Will Most Likely Exploit New PAN-OS Security Bug

US Cyber Command warned that foreign state-sponsored hacking groups will likely exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks. In a tweet, US Cyber Command advised: "Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use." Source: https://www.zdnet.com/article/us-cyber-command-says-foreign-hackers-will-most-likely-exploit-new-pan-os-security-bug/#ftag=RSSbaffb68

JUN 30, 2020 | Lokibot Campaign Targets Maritime Industry

DarkLab intelligence analysts detected a Lokibot phishing campaign targeting the maritime and engineering sectors in Europe, Asia, and the US. The attack came from spoofed email addresses of legitimate organizations in Asia. The earliest phishing email detected dates back to October 2019. The 2019 email was sent from a compromised subdomain of an Indonesian company and contained a malicious archive (.rar) attachment purportedly pertaining to a purchase order; a common theme of spam emails. Although the campaign exploits well-known threat vectors, a lack of widespread adoption of anti-spoofing technologies like SPF and DMARC, or their incorrect implementation allows cyber criminals to continue sending credible phishing emails from legitimate-looking domains. Source: https://blog.darklab.hk/2020/06/29/phishing-vessels/

JUN 30, 2020 | GoldenSpy: Chapter Two – The Uninstaller

Trustwave SpiderLabs have identified an executable file displaying highly unusual behavior that sends system information to a suspicious Chinese domain. Discussions with the client revealed that this was part of their bank’s required tax software. The client explained that upon opening operations in China, their local Chinese bank required that they install a software package called ‘Intelligent Tax’ — produced by the Golden Tax Department of Aisino Corporation — for paying local taxes. Trustwave SpiderLabs is still actively investigating and seeking out more telemetry on the GoldenSpy campaign. In their report, Trustwave declared that the GoldenSpy campaign has the characteristics of a coordinated Advanced Persistent Threat (APT) campaign targeting foreign companies operating in China. During their analysis, they found that the GoldenSpy threat actors followed removal recommendations step by step with their uninstaller. Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/ https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

JUN 29, 2020 | Hacker Gang Wiping Lenovo NAS Devices, Demanding Ransom

A hacker group going by the name of 'Cl0ud SecuritY' broke into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files and leaving ransom notes behind asking owners to pay between $200 and $275 to get their data back. Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that expose their management interface on the internet without a password. ZDNet was able to identify around 1,000 such devices using a Shodan search. Source: https://www.zdnet.com/article/a-hacker-gang-is-wiping-lenovo-nas-devices-and-asking-for-ransoms/

JUN 29, 2020 | Preparing for Post-Intrusion Ransomware

Since 2015, Secureworks® Counter Threat Unit™ (CTU) researchers have observed a significant increase in the number, and impact of post-intrusion ransomware incidents. In these attacks, (1) a threat actor gains access to a compromised network, (2) moves laterally to other systems and networks, (3) locates the critical business assets, and then lastly chooses a time (which could be days or months after initial access) to deploy ransomware that encrypts the victim’s files. Around the end of 2019, criminals realized they could gain additional leverage by stealing data before encrypting it and then threatening the victim with public disclosure. Source: https://www.secureworks.com/blog/preparing-for-post-intrusion-ransomware

JUN 26, 2020 | Hackers breach E27, Asking for A “Donation” to Reveal Vulnerabilities in Their System

Asian media firm E27 was hacked last Friday. The attackers asked for a small "donation" to provide information on the vulnerabilities used in the attack. In an email notification sent to the members and clients of E27, and shared with BleepingComputer by Cyble, E27 CEO Mohan Belani explained that they were victims of a "malicious cyber-attack". This cyberattack was conducted by a hacking group identifying themselves as "Korean Hackers" and "Team Johnwick". Source: https://www.bleepingcomputer.com/news/security/hackers-breach-e27-want-donation-to-reveal-vulnerabilities/

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.