March 19th 2021 | Asia Cyber Summary

Updated: May 19, 2021

Blackpanda is excited to announce our strategic partnership with Pandamatics Underwriting, Asia’s first and only pure cyber insurance coverholder. In addition to Blackpanda being the named responder on all Pandamatics Underwriting policies, policy holders will receive privileged and discounted access to Blackpanda incident response services as well as a range of trusted cyber risk management partners detailed below. Interested? Read more here: What is Cyber Insurance?

In the Spotlight This Week

  • Magecart Attackers Save Stolen Credit-Card Data in .JPG File

  • Latest Mirai variant targets SonicWall, D-Link, and IoT Devices

  • Chinese APT group targets telcos in 5G-related cyber-espionage campaign

  • Fastway Couriers confirms security breach

  • Vodafone Spain issued highest fine to date by Spanish data protection agency

Magecart Attackers Save Stolen Credit-Card Data in .JPG File

Magecart attackers have found a new way to hide their nefarious online activity by saving data they’ve skimmed from credit cards online in a .JPG file on a website they’ve injected with malicious code. Researchers at website security firm Sucuri discovered the elusive tactic recently during an investigation into a compromised website using the open-source e-commerce platform Magento 2.

Peering under the hood of the compromised site revealed a malicious injection that was capturing POST request data from site visitors. A POST request method asks a web server to accept data enclosed in the body of the request message, usually so it can be stored. It’s often used in Web transactions when someone has uploaded a file to a website or submitted a completed web form.

Specifically, Sucuri found that attackers injected PHP code into a file called ./vendor/magento/module-customer/Model/Session.php, then used the “getAuthenticates” function to load malicious code. The code also created a .JPG file, which attackers used to store any data they captured from the compromised site. This feature allows the attacker to easily access and download the stolen information at their convenience while concealing it within a seemingly benign JPG.
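One practical check for the technique described above, added here as an example and not part of the Sucuri write-up or this summary: a real JPEG always begins with the SOI marker bytes FF D8 FF, so a file named .jpg that lacks that marker or consists of plain printable text is a candidate for a skimmer drop file. The web root layout (pub/media) and the sample contents are constructed for the demo.

```python
import tempfile
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"          # every genuine JPEG starts with this marker
IMAGE_EXTS = {".jpg", ".jpeg"}


def looks_like_text(data: bytes, sample: int = 512) -> bool:
    """True when the leading bytes are almost entirely printable ASCII, which image data never is."""
    head = data[:sample]
    if not head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) > 0.95


def is_fake_jpeg(data: bytes) -> bool:
    """Flag a .jpg whose content is not a JPEG (no SOI marker) or is plain text."""
    return not data.startswith(JPEG_SOI) or looks_like_text(data)


def scan_tree(root) -> list:
    """Walk a web root and return image-named files whose bytes are not image data."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            if is_fake_jpeg(path.read_bytes()):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> list:
    """Constructed sample web root: one genuine JPEG header, one text dump dressed up as .jpg."""
    root = Path(tempfile.mkdtemp())
    (root / "pub" / "media").mkdir(parents=True)
    (root / "pub" / "media" / "logo.jpg").write_bytes(JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(64))
    # constructed stand-in for skimmed form fields; the card number is a placeholder, not real data
    (root / "pub" / "media" / "cache.jpg").write_bytes(
        b"firstname=J&lastname=D&cc_number=0000000000000000&cc_exp=12/24\n")
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())  # expected: ['pub/media/cache.jpg']
```

Pair this with file-integrity monitoring of vendor/ (Session.php in this case), since the fake image is only the storage half of the attack.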

Latest Mirai Variant Targets SonicWall, D-Link, and IoT Devices

A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets. The attacks are still ongoing according to researchers with Palo Alto Networks’ Unit 42 team. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.

Chinese APT Group Targets Telcos in 5G-Related Cyber-Espionage Campaign

A Chinese advanced persistent threat (APT) actor is targeting major telecommunications companies in the US, Europe, and Southeast Asia in a cyber-espionage campaign that appears designed to steal data pertaining to 5G technology. The campaign — dubbed Operation Diànxùn — is likely motivated by the ban on the use of Chinese technology in 5G rollouts in several countries.

According to McAfee, the threat actor behind the campaign is using methods associated with Mustang Panda, a group that several security vendors previously have identified as working for the Chinese government.

Data related to Operation Diànxùn shows that victims were lured to a website purporting to be a career page for Huawei — widely regarded as the leader in the 5G space. Several governments, including the US, have barred the use of Huawei's 5G technology out of fears that it might contain backdoors that enable widespread spying. There's nothing to indicate that Huawei is in any way connected to the current threat campaign, however, McAfee says.

Fastway Couriers Confirms Security Breach

Global franchised courier Fastway Couriers has issued a notice confirming that it was the subject of a cyber attack that resulted in a data breach. The breach on one of its IT systems was discovered by one of the company's third-party IT development contractors on February 25. Data affected by the incident includes names, addresses, email addresses, and phone numbers belonging to nearly 450,000 parcel recipients. Fastway Couriers said that no financial data or any other personal data was compromised in the attack as such information is not stored on any Fastway Couriers IT systems.

Vodafone Spain Issued Highest Fine to Date by Spanish Data Protection Agency

Vodafone Spain has been hit with the highest ever fine to be issued by the Spanish Data Protection Agency (AEPD). The telecommunications company was financially penalized in four separate fines totaling USD 9.72M over its use of aggressive telemarketing tactics and its failure to protect data. A total of 191 complaints about the telecommunications company's consent and data-processing practices were factored into the AEPD's decision.

In a decision notice published March 11, the AEPD stated that Vodafone had targeted customers with unsolicited calls, emails, and SMS messages without first obtaining their consent. The communications were received even by customers who had specifically requested that their details be added to a directory listing people who do not want to receive marketing communications.

Vodafone Spain was found to have approved an international data transfer that didn't meet the requirements of the GDPR. The company was further found to be operating without any means or methods to verify the origin or legality of the data being processed.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.