Weekly Intelligence Bulletin – Week 9

4 March 2019

QuoScient’s Weekly Intelligence Bulletin for the week of 21 February – 28 February 2019 is now available for download in the Media Center!

Find a summary below.


Current Threat
Industry Impacted: ANY, Financials, Government
Researchers discovered a vulnerability in the Windows data compression tool WinRAR. There is known exploitation activity in the wild and proof-of-concept code is publicly available. A vendor update is available.
Researchers identified a highly targeted spearphishing campaign against U.S. national security think tanks.
Researchers discovered campaigns targeting U.S. employees that use both LinkedIn and spearphishing emails to ultimately deliver the More_Eggs backdoor.

Reported Incidents
Financial software company Intuit announced their TurboTax software suffered a credential stuffing attack, where an unauthorized actor attempted to use login credentials obtained from a “non-Intuit source” to gain access to user tax profiles.
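The Intuit incident above is a credential-stuffing case: leaked username/password pairs replayed against a login endpoint, each account tried only once or twice. That signature (one source spread across many distinct usernames with a high failure rate) is what distinguishes it from brute force against a single account. The following detector is an added example written for this bulletin, not Intuit's or QuoScient's code; the log format, the field names and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic credential-stuffing detector over a constructed auth log.

Added example (not from the bulletin or from Intuit). Assumed log format,
one event per line:  <timestamp> <source_ip> <username> <OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample: one stuffing source, one single-account brute force,
# and one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2019-02-25T10:00:01Z 203.0.113.7 alice FAIL
2019-02-25T10:00:02Z 203.0.113.7 bob FAIL
2019-02-25T10:00:03Z 203.0.113.7 carol FAIL
2019-02-25T10:00:04Z 203.0.113.7 dave OK
2019-02-25T10:00:05Z 203.0.113.7 erin FAIL
2019-02-25T10:00:06Z 203.0.113.7 frank FAIL
2019-02-25T10:00:07Z 203.0.113.7 grace FAIL
2019-02-25T10:00:08Z 203.0.113.7 heidi FAIL
2019-02-25T10:01:00Z 198.51.100.4 carol FAIL
2019-02-25T10:01:01Z 198.51.100.4 carol FAIL
2019-02-25T10:01:02Z 198.51.100.4 carol FAIL
2019-02-25T10:01:03Z 198.51.100.4 carol FAIL
2019-02-25T10:01:04Z 198.51.100.4 carol FAIL
2019-02-25T10:02:00Z 192.0.2.10 ivan FAIL
2019-02-25T10:02:05Z 192.0.2.10 ivan OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # usernames that logged in OK


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Fold raw log lines into SourceStats keyed by source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # never let a malformed line abort the whole run
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(ev["user"])
    return stats


def detect_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag sources that spray many distinct accounts and mostly fail.

    Returns {source_ip: [accounts that succeeded from that source]} so the
    responder knows which accounts need a forced reset, not just which IP
    to block. Thresholds are assumed defaults, not measured values.
    """
    alerts = {}
    for ip, s in aggregate(lines).items():
        spread = len(s.users) >= min_distinct_users
        noisy = s.failures / s.attempts >= min_fail_ratio
        if spread and noisy:
            alerts[ip] = sorted(s.compromised)
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"stuffing source {ip}; accounts to reset: {accounts or 'none'}")
```

The single-account source (198.51.100.4) is deliberately not flagged: it is a brute-force pattern that a per-account lockout already handles, whereas stuffing stays under per-account lockouts by design and has to be caught per source. In production the per-IP key should be widened to a subnet or ASN, since stuffing tools rotate through proxy pools.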

Vulnerabilities
Industry Impacted: ANY
Drupal released a security advisory for a highly critical Remote Code Execution (RCE) vulnerability (CVE-2019-6340) in the Content Management System (CMS) software of Drupal 7 and Drupal 8 installations. Researchers observed active attacks using the vulnerability three days after the advisory was released.
Researchers discovered multiple vulnerabilities in the Thunderbolt hardware interface dubbed Thunderclap that could allow attackers with physical access to a Thunderbolt port to bypass operating system security mechanisms and directly read/write system memory.

Threat Actor Activity
Industry Impacted: Consumer Discretionary, Financials
On Thursday, February 28, QuoINT identified a new Cobalt spearphishing campaign impersonating the Bulgarian bank DSK.
In the last seven days, QuoINT has observed intense activity from the EmpireMonkey threat actor group. The spearphishing attacks impersonated ING, Societe Generale, and the Financial Supervisory Authority of Denmark, and targeted different financial institutions operating in the EU.
Analysts discovered attack activity attributed to the FIN6 threat actor group targeting multiple high-value eCommerce merchants at the end of 2018.

Presidents Trump and Kim ended their second summit meeting in Vietnam on 27 February after the leaders failed to come to a conclusion regarding nuclear disarmament and decreasing tensions in Korea.
President Trump announced a delay of the new sanctions on Chinese imports, originally due to come into force on 1 March, citing progress in the ongoing trade talks.
Russian state television broadcast a list of U.S. military facilities, including the Pentagon and Camp David, which could reportedly be hit within five minutes by Russian hypersonic missiles.
Singapore’s Personal Data Protection Commission (PDPC) released a discussion paper on data portability, which outlines proposals for how data can easily be shared between service providers while giving clients more control over their data.