Weekly Intelligence Summary | 17 April 2020
Updated: Jun 11
In the spotlight this week:
Zoom’s privacy and security woes are still ongoing. Two large, global FSIs are on a list of 500k Zoom accounts found for sale on the dark web.
Other items that should attract attention:
Both NTT and Microsoft are offering free protection to the healthcare industry in the APAC region. Security vendors beware: Microsoft may have a big plan (MCRA) for expanding its security solutions: Sentinel, Azure AD, Windows Defender ATP, Windows 10 VBS, Office 365 ATP.
The #SFO breach: “What information was involved? At this time, it appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices.” This incident shows actor TTPs (#Magecart, #Dragonfly) similar to the attacks on British Airways (or CX). If operators of critical infrastructure, including HK Airport, MTR, hospitals, PLC/HK Electric, or HKEX, assume that because their systems run on an internal private network they are well protected by existing technologies, this incident shows that kind of thinking has its problems.
BEC, targeted phishing and TrickBot/Ryuk are still evolving.
COVID-19 is the key enabler for VPN and router exploit research. 0-days are coming out, and US-CERT and the FBI have issued alerts.
April 14, 2020 | Microsoft offering free cybersecurity services to protect health groups from hackers
Microsoft AccountGuard for Healthcare is a security service offered at no cost for healthcare providers on the front line of care combatting COVID-19, including hospitals, care facilities, clinics, labs, and clinicians, as well as pharmaceutical, life sciences, and medical device companies that are researching, developing, and manufacturing COVID-related treatments, and non-governmental organizations (NGOs), and international non-governmental organizations (INGOs) (collectively, COVID-19 Responders). The service is designed to help these highly targeted customers protect themselves from cybersecurity threats.
Source: The Hill. Retrieved from https://thehill.com/policy/cybersecurity/492675-microsoft-offers-free-cybersecurity-services-to-protect-health-groups
April 14, 2020 | Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
While the various COVID-19 themed phishing campaigns observed by Unit 42 are numerous, this blog seeks to provide a thorough picture and solid technical analysis of the cross-section between the various types of COVID-19 themed threats organizations may be facing during the ongoing pandemic. Specifically, we address a ransomware variant (EDA2) observed in attacks on a Canadian government healthcare organization and a Canadian medical research university, as well as an infostealer variant (AgentTesla) observed in attacks against various other targets (e.g. a United States defense research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, a research institute located in Japan and medical research facilities in Canada).
Source: Unit 42 Palo Alto. Retrieved from https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
April 14, 2020 | Understanding the relationship between Emotet, Ryuk & TrickBot
The Intel 471 Malware Intelligence team noted that one of the more notable relationships in the world of cybercrime is that between Emotet, Ryuk and TrickBot. This loader-ransomware-banker trifecta has wreaked havoc in the business world over the past two years, causing millions of dollars in damages and ransoms paid. Our Malware Intelligence team receives a lot of great questions from our clients on this subject, so we thought it would be good to do a Q/A style blog covering some of the more general questions.
Source: Intel 471. Retrieved from https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/amp/ (https://dragonadvancetech.com/reports/Ransomware%20Playbook_v3.3.pdf)
April 15, 2020 | Multiple fiber routers compromised by botnets using 0-day
Multiple fiber routers are being compromised by botnets using a 0-day. It is interesting to see 360.com paying attention to IoT devices and routers. Unlike other security researchers, they pay close attention to devices produced in Taiwan and India. Two devices from Taiwan are under their surveillance.
Source: The Netlab. Retrieved from https://blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/
April 16, 2020 | Continued Exploitation of Pulse Secure VPN Vulnerability
This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances. CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access—and move laterally through—that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.
Source: CISA. Retrieved from https://www.us-cert.gov/ncas/alerts/aa20-010a
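The CISA item above makes a point that applies to any credential-disclosing bug, not only CVE-2019-11510: applying the patch closes the hole but does not evict an actor who already holds harvested passwords. The following script is an added example written for this summary (it is not CISA's or Pulse Secure's code) of the check an administrator would run after patching: it reads VPN authentication logs, joins them with the identity provider's password-reset record, and lists accounts that have logged in since the patch without a reset, plus source addresses that appear for an account only after the patch. The log format, the `LOGIN user=... src=... result=...` fields, and all timestamps, usernames and IP addresses are assumptions constructed for the example.

```python
"""Post-patch credential-exposure check for a VPN appliance.

Added example, not CISA's or the vendor's code. Assumes a syslog-style auth log
with lines of the form
    "<ISO-8601 timestamp> LOGIN user=<name> src=<ip> result=<success|failure>"
and a separate mapping of account -> last password-reset time exported from the
identity provider. Both the log lines and the reset times below are constructed.
"""
from datetime import datetime, timezone
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Hypothetical date the appliance was patched (constructed).
PATCH_TIME = datetime(2020, 1, 15, tzinfo=timezone.utc)

# Constructed sample log: two accounts active before and after the patch,
# one new account, one account with a failed then successful login, one junk line.
SAMPLE_LOG = [
    "2020-01-10T08:02:11+00:00 LOGIN user=alice src=203.0.113.10 result=success",
    "2020-01-12T19:45:03+00:00 LOGIN user=bob src=198.51.100.7 result=success",
    "2020-01-20T09:14:52+00:00 LOGIN user=alice src=203.0.113.10 result=success",
    "2020-01-21T03:31:08+00:00 LOGIN user=bob src=192.0.2.44 result=success",
    "2020-01-22T11:00:00+00:00 LOGIN user=carol src=203.0.113.22 result=success",
    "2020-01-22T11:05:00+00:00 LOGIN user=dave src=203.0.113.23 result=failure",
    "2020-01-22T11:07:00+00:00 LOGIN user=dave src=203.0.113.23 result=success",
    "malformed line that is not a login event",
]

# Constructed password-reset record from the identity provider.
# Note: no entry for "dave" at all, which must be treated as "never reset".
RESET_TIMES = {
    "alice": datetime(2020, 1, 16, tzinfo=timezone.utc),  # reset after the patch
    "bob": datetime(2019, 11, 2, tzinfo=timezone.utc),    # last reset long before
    "carol": datetime(2020, 1, 17, tzinfo=timezone.utc),  # reset after the patch
}


def parse_log(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "success",
        })
    return events


def accounts_still_exposed(events, reset_times, patch_time):
    """Accounts that authenticated after the patch with a password that predates it.

    A missing reset record counts as exposed: an unknown reset time cannot be
    assumed to be a recent one. Returns {user: sorted list of source IPs}.
    """
    exposed = {}
    for e in events:
        if not e["ok"] or e["ts"] < patch_time:
            continue
        reset = reset_times.get(e["user"])
        if reset is None or reset < patch_time:
            exposed.setdefault(e["user"], set()).add(e["src"])
    return {user: sorted(srcs) for user, srcs in exposed.items()}


def new_sources_after_patch(events, patch_time):
    """Source IPs seen for an account only after the patch: a hunting lead, not proof."""
    before, after = {}, {}
    for e in events:
        if not e["ok"]:
            continue
        bucket = before if e["ts"] < patch_time else after
        bucket.setdefault(e["user"], set()).add(e["src"])
    result = {}
    for user, srcs in after.items():
        novel = srcs - before.get(user, set())
        if novel:
            result[user] = sorted(novel)
    return result


def report(lines=SAMPLE_LOG, reset_times=RESET_TIMES, patch_time=PATCH_TIME):
    """Combine both checks into one dict so the caller can act on it."""
    events = parse_log(lines)
    return {
        "needs_reset": accounts_still_exposed(events, reset_times, patch_time),
        "new_sources": new_sources_after_patch(events, patch_time),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section)
        for user, srcs in sorted(rows.items()):
            print(f"  {user}: {', '.join(srcs)}")
```

Run against the constructed data, `needs_reset` lists `bob` (reset long before the patch) and `dave` (no reset on record), while `alice` and `carol` drop out because their resets postdate the patch. `new_sources` separately flags `bob` logging in from an address never seen before the patch; that is the kind of lead worth checking against VPN session and lateral-movement telemetry rather than a verdict on its own.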