Weekly Intelligence Bulletin – Week 28

16. July 18

QuoScient’s Weekly Intelligence Bulletin for the week of 05 July – 12 July 2018 is now available for download in the Media Center! Find below a summary.

CYBER

Vulnerabilities Microsoft’s July Patch Tuesday release includes security patches for 53 vulnerabilities of which: 27 are remotely exploitable and 17 are rated as critical. While none of the vulnerabilities are reportedly exploited in the wild, administrators should prioritize patching for those vulnerabilities rated as critical and remotely exploitable impacting Internet Explorer, as web-based attacks are frequently used by threat actors.

Adobe’s July Patch Tuesday released four security bulletins to address 112 vulnerabilities, including a critical vulnerability in Adobe Flash and 51 critical vulnerabilities for Adobe Acrobat and Reader. Reportedly, none of the vulnerabilities are exploited in the wild, however, the vendor patches should be applied to affected systems in a timely manner, with priority on the Flash Player security patch.

Current Threats On July 7, a user of the forum ‘mal4all’ posted a link claiming to be leaked source code for Carbanak financial malware. However, during our initial observations there are indications that the code belongs to another financial malware known as Pegasus, which is a full attack framework.

Reported Incidents Reportedly, the Russian bank PIR Bank suffered a cyberattack on the evening of July 4, resulting in a loss of more than USD 918,140 (58 million rubles). The funds were stolen through the Russian Central Bank’s Automated Workstation Client, the bank’s electronic interbank transfer system, and withdrawn to accounts located at 22 different banks within Russia. According to sources, the malware used in the attack is not yet identified but the threat actors likely entered the bank through a phishing scam.

Reportedly, the popular fitness app, Polar, inadvertently reveals location data of users with both public and private profiles. Users who modify their settings to opt-in for sharing training sessions and GPS location data are unknowingly also sharing other personal details when using Polars’ social platform called Polar Flow – where users can share their runs. Polar retains all user sessions since 2014, and displays that data all over the world and on the same map.

Cyber Threat Actor Activity QuoINT observed new Cobalt Group activity, which began on July 4, 2018. This new phishing campaign is using a malicious domain impersonating a Bulgarian bank to serve the payload. The threat actor sent multiple spear-phishing waves each one having a different set of recipients. We discovered other waves that contained a different set of targets, totalling of 1700+ unique addresses. The targeted Financial Institutions are mainly located in Europe (Spain, Italy, Germany, Sweden), CIS (Russia, Kazakhstan), and Asia-Pacific regions.

Researchers identified stolen digital certificates of two Taiwanese companies that are being abused by a cyberespionage group dubbed BlackTech in order to sign malware distributed in a campaign targeting East Asia. The ability to compromise firms and reuse the compromised certificates in attacks suggests that BlackTech is highly skilled and targeted in their operations.

CRYPTOCURRENCY

On July 9, unidentified attackers compromised the decentralized crypto exchange Bancor and managed to steal over USD 23 million worth of crypto assets. The attack was executed against a vulnerable Bancor’s smart contract. After the breach, Bancor’s token BNT has started to drop until losing up to the 38% of its value, 20 days after the incident.

GEOPOLITICS

North Korea menaces to backtrack on de-nuclearization agreement since its leadership is not satisfied with the agreed actions carried out by the American government thus far. At this time, it is unlikely to expect North to reduce its intensive cyber espionage and cyber fraud activities, which have both proven in the past to give them tactical advantage in the diplomatic negotiations and an alternative and unsanctioned revenue stream.

OUTLOOK

On July 15, Moscow, Russia will host the FIFA World Cup 2018 Final. Threat actors may take advantage of this large global interest, potentially leading to a DDoS or other cyberattack.

On July 16, U.S. President Trump and Russian President Putin will meet in Finland to discuss a variety of issues, including military strategies. This meeting will take place less than a week after the NATO summit.