Weekly Intelligence Bulletin – Week 8

25. February 19

QuoScient’s Weekly Intelligence Bulletin for the week of 14 February – 21 February 2019 is now available for download in the Media Center!

Find a summary below.

CYBER
Current Threat

Industry Impacted: ANY, Financials
Researchers discovered a new malware family dubbed WinPot, which automates the dispensing of cash from ATM cassettes in ATM cash-out attacks. Researchers also observed a campaign at the end of January that delivered an updated variant of the known Remote Access Tool KEYMARBLE, which is associated with the North Korea-linked APT group Lazarus. The campaign apparently targeted a user or entity located in Russia, an unlikely target given that the two countries are allied states.

Reported Incidents

Industry Impacted: ANY, Financials, Government
Researchers recently discovered that the service provider Applion was using unsecured servers to host the confidential information of multiple Swedish companies, leaving their data openly exposed on the internet. On Tuesday, 19 February, QuoINT obtained new information regarding the cyber incident that recently occurred at Bank of Valletta (BoV). We attributed the attack to the e-Crime threat actor group dubbed EmpireMonkey. On 19 February, the Australian Cyber Security Centre (ACSC) announced that a recent compromise by a “sophisticated state actor” occurred on the networks of some political parties, including Liberal, Labor and the Nationals. Researchers discovered 92 million unique user accounts, reportedly stolen from eight breached websites, for sale on a dark web marketplace.

Vulnerabilities

Industry Impacted: ANY, Information Technology
Researchers recently audited five popular password managers (1Password, Dashlane, KeePass, LastPass and RoboForm) and discovered security flaws that left some passwords exposed in plaintext in the computer’s memory while the managers were in a locked state.

Threat Actor Activity

Industry Impacted: Energy, Financials, Government
Researchers identified continuous attacks allegedly linked to the Latin American threat actor APTC-36 (publicly known as Blind Eagle) targeting Colombian government institutions, the country’s financial sector, and its petroleum and manufacturing industries.

GEOPOLITICS
Microsoft reported continued cyber and disinformation attacks targeting European political parties and non-profit organizations working on issues related to democracy, electoral integrity and public policy. Germany’s Federal Office for Information Security (BSI) reported an increase in IT security incidents affecting critical infrastructure; however, not all of these were due to cyber attacks.