SpellRadar April19
SpellRadar Strategic Intel Reports provide a security analyst with a quick and comprehensive view of the latest security incidents and trends.
EXECUTIVE SUMMARY
Some key highlights of this report are summarized in the charts below.
[Chart: key highlights by incident count; values not recoverable from the extraction]
The data represented in this report is based on the number of incidents/article hits.
[Chart: Affected Industries, March 2019. Industries shown: IT, Government, Healthcare, Education, Sportswear, Exchange, Games; counts not recoverable]
[Chart: incident categories shown: Financial, Cryptojack, Email, Misconfigurations, Health, Ransomware, Accounts; counts not recoverable]
[Chart: Exchange, Healthcare, Government; counts not recoverable]
Sl. No | Title | Description | Impact
2 | Hackers breached college applicant databases | Three colleges across the U.S. have been hacked. The hackers duped college staff members into handing over passwords and took control of databases that housed student applicant information. | -
3 | Security breach at Citrix systems | The hackers likely used password spraying against Citrix systems, a technique that tries a few commonly used passwords against many accounts and so exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security. The attackers may have accessed and downloaded some business documents. | -
4 | Cyber-attack prevented power restoration in Venezuela | A cyber-attack prevented Venezuela's authorities from restoring power throughout the country following a blackout. Venezuela's government blamed the outage on US sabotage at the central power generator in Guri. | -
5 | Ransomware attack on Columbia Surgical Specialists, Washington | A ransomware attack on Washington-based Columbia Surgical Specialists resulted in unauthorized access to the medical records of almost 400,000 patients. The company paid almost $15,000 in ransom for a decryption key, arguing that the health of their patients was more important, as surgeries were scheduled for that day. | 15,000 USD
6 | FILA falls victim to the card-stealing JavaScript infection | Sportswear brand FILA is the latest company to fall victim to the card-stealing JavaScript infection that menaced British Airways and Ticketmaster last year. | 5,600 users' data
11 | Police Federation of England and Wales suffers ransomware attack | A ransomware attack hit databases and other systems at the headquarters of the Police Federation of England and Wales (PFEW). | -
12 | PewDiePie fans launched ransomware attacks with PewDiePie ransomware | PewDiePie fans have resorted to extreme measures to help their idol keep the coveted position, including launching ransomware attacks with PewDiePie ransomware. | -
13 | Real Trends' website hacked | Real Trends' website was hacked just hours after the firm released its latest brokerage rankings. | -
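The Citrix item above describes password spraying. The detector below is an example added to this report (it is not code from the report, from Citrix, or from the incident) and runs over constructed authentication log lines: it separates spraying (a few attempts against many accounts from one source inside a short window) from ordinary brute force (many attempts against one account), then reports any later successful login from the spraying source as the probable foothold. The log format, the IP addresses, the window and the thresholds are assumptions.

```python
"""Password-spraying detection over authentication logs.

Added example (not from the SpellRadar report or Citrix). It flags a source
address that fails logins against many distinct accounts with only a few
attempts per account inside a short window, then reports any subsequent
success from that source as the probable foothold. Log format, addresses
and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.7 sprays six accounts once each and then lands on "grace";
# 198.51.100.4 hammers one account (brute force, not spraying);
# 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2019-03-06T02:00:01 203.0.113.7 alice FAIL
2019-03-06T02:00:03 203.0.113.7 bob FAIL
2019-03-06T02:00:05 203.0.113.7 carol FAIL
2019-03-06T02:00:07 203.0.113.7 dave FAIL
2019-03-06T02:00:09 203.0.113.7 erin FAIL
2019-03-06T02:00:11 203.0.113.7 frank FAIL
2019-03-06T02:00:13 203.0.113.7 grace SUCCESS
2019-03-06T02:10:00 198.51.100.4 alice FAIL
2019-03-06T02:10:02 198.51.100.4 alice FAIL
2019-03-06T02:10:04 198.51.100.4 alice FAIL
2019-03-06T02:10:06 198.51.100.4 alice FAIL
2019-03-06T02:10:08 198.51.100.4 alice FAIL
2019-03-06T02:10:10 198.51.100.4 alice FAIL
2019-03-06T03:00:00 192.0.2.9 henry SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {source_ip: finding} for sources whose failures look like spraying.

    A window of failures is a spray when it touches at least `min_users`
    distinct accounts and no account is tried more than `max_per_user` times.
    Brute force against a single account never meets the first condition.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda ev: ev[0])
        fails = [ev for ev in evs if ev[3] == "FAIL"]
        best = 0
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the window spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for ev in fails[start:end + 1]:
                per_user[ev[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                best = max(best, len(per_user))
        if best:
            # Any success from the same source after spraying began is the foothold.
            first_fail = fails[0][0]
            compromised = sorted({ev[2] for ev in evs
                                  if ev[3] == "SUCCESS" and ev[0] >= first_fail})
            findings[ip] = {"distinct_users": best, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {finding['distinct_users']} accounts, "
              f"successful logins: {finding['compromised'] or 'none'}")
```

On the constructed log the detector reports only 203.0.113.7 (six sprayed accounts, one success on grace); the brute-force source is left to a per-account lockout rule, which is the right control for that pattern and the wrong one for spraying, where each account sees too few failures to lock.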
Sl. No | Title | Description
5 | Unprotected Elasticsearch DB exposed job profiles in China | An unprotected Elasticsearch database exposed online contained approximately 33 million job profiles in China.
6 | MySpace loses 50 million songs in server migration | As a result of a server migration project, photos, videos, and audio files uploaded to MySpace more than three years ago were lost from the servers. Back-ups were not created before the server migration.
7 | Passwords of millions of Facebook users were stored in plain text | A bug in Facebook caused the passwords of many of its users to be stored in plain text, where they were visible to the social network's employees.
8 | FEMA exposed 2.3 million disaster victims' private data | The U.S. Federal Emergency Management Agency inadvertently shared 2.3 million disaster survivors' personal details with a third-party contractor. Twenty different types of sensitive personal data pertaining to the survivors were accidentally shared by FEMA.
9 | Spyware app exposes private photos and audio | MobiiSpy, an Android app that can be used to track what people do on their phones, left over 95,000 images and 25,000 audio recordings on a publicly accessible database.
10 | A family tracking app leaked real-time location data | An app called Family Locator left its MongoDB database exposed with no password, resulting in the locations of about 280,000 users leaking in real time.
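The Facebook item above is a plaintext credential-storage failure. The block below is an example added to this report (not Facebook's code and not code from the report) that puts the failing pattern beside the hardened form: a per-user random salt, PBKDF2-HMAC-SHA256 from the Python standard library, and a constant-time comparison on verification, so that an employee who can read the store (or logs written from it) learns nothing about the password. The iteration count and the record format are assumptions.

```python
"""Plaintext vs. hashed password storage.

Added example (not Facebook's code or code from the SpellRadar report).
`store_plaintext` reproduces the failure the item describes: whoever can
read the store can read the password. `store_hashed`/`verify_hashed` is the
hardened form: per-user random salt, PBKDF2-HMAC-SHA256 from the standard
library, constant-time comparison. The iteration count and record format
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: raise until one hash costs ~100 ms on your hardware
SALT_BYTES = 16


def store_plaintext(store, user, password):
    """The failing pattern: the secret itself is written to the store."""
    store[user] = password


def store_hashed(store, user, password, salt=None):
    """Hardened form: store salt + slow salted hash, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    store[user] = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(store, user, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = store.get(user)
    if record is None:
        # Do the same work for unknown users so response time does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    _algo, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_visible(store, password):
    """Simulate an insider searching the store (or logs written from it)."""
    return any(password in str(value) for value in store.values())


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, "alice", "hunter2")
    store_hashed(strong, "alice", "hunter2")
    print("plaintext store leaks password:", password_visible(weak, "hunter2"))
    print("hashed store leaks password:   ", password_visible(strong, "hunter2"))
    print("verify correct password:", verify_hashed(strong, "alice", "hunter2"))
    print("verify wrong password:  ", verify_hashed(strong, "alice", "hunter3"))
```

Embedding the algorithm name, iteration count and salt in each record lets the cost be raised later without a migration, and the per-user salt means two users with the same password produce different records, so a leaked store cannot be attacked with one precomputed table.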
APTS, MALWARE & CAMPAIGNS
Fig 2. Threat Map
[Chart: malware categories, Jan-19 to Mar-19: Malspam, Exploit Kit, Ransomware, Trojan, RAT, Uncategorized; percentage labels (28%, 15%, 9%) cannot be reliably attributed]
[Chart: Targeted Locations, Mar 2019 (pie, as labelled): Middle East 27%, USA 27%, Russia 13%, Europe 13%, UK 13%, South America 7%]
[Chart: Target Trend Jan'19 - Mar'19: South America, Russia, East Asia, Europe, UK, Middle East, Central Asia, USA, South East Asia; counts not recoverable]
Sl. No | Title | APT | Targets
23 | Iranian hackers hit 200 companies worldwide in the past 2 years | APT33 | oil, gas, and construction companies
Botnets
Sl. No | Botnets
1 | Necurs botnet adopts a new strategy to evade detection
2 | Emotet Epoch 1 changes its C2 communication
3 | Malspam pushes Lokibot
4 | New Mirai variant targets enterprise devices
5 | PsiXBot analysis
6 | Trickbot analysis
PHISHING AND SCAMS
[Chart: User Exposure, Mar 2019 (pie): Apple, Government, Banking, Exchanges, Social Media, Netflix, Education; percentage labels (34%, 22%, 22%, 11%, 11%) cannot be reliably attributed]
[Chart: Phishing Exposure Trend Jan'19 - Mar'19: Government, Banking, Netflix, Education; counts not recoverable]
Sl. No | Title | Description
2 | Hackers target Singapore company | Space Matrix's chief finance officer received an e-mail in April last year in a phishing attempt. "The e-mail address looked like it was from chief executive officer Arsh, and even the way it was written was very similar to how Arsh would write an e-mail. It said to transfer $200,000 to an account, but thankfully the employees realized it wasn't legitimate and they didn't go ahead with the transaction."
3 | Facebook phishing scam targeting iOS users | A new cyber-scam collecting social media account logins is making its way through iOS devices, fooling users with its realistic-looking login process. Unsuspecting victims enter their Facebook credentials into the fake login screen, which then sends the credentials straight to the malware's C&C server.
4 | Scam targeting School District in Monterey County | A phishing scam targeting Carmel Unified School District in Monterey County, California, exposed documents containing sensitive employee information. Hackers obtained login credentials to several employee email accounts, one of which stored employees', their spouses' and dependents' Social Security numbers, employee marriage certificates, employee dependents' birth certificates and doctor's notes, some containing medical information.
5 | Scam targeting Christchurch terror attack donations | Scammers are targeting people wanting to make donations to the victims of the Christchurch terror attack. The scammers are sending out an email that carries Westpac branding.
6 | Phishing scam targets churchgoers | Church members receive an email, apparently from their minister, asking them to contribute to the church by buying and sending in gift cards. The emails seem harmless and legitimate, but come from a malicious source.
7 | Phishing campaigns target Netflix users and AMEX customers | Both the Netflix and AMEX campaigns are very well crafted and feature convincing fill-out forms, legitimate logos, and faithfully mimicked web pages. Once users enter their details into one of the phishing pages, the attackers obtain all of them.
8 | "Bad Tidings" phishing campaign targets Saudi gov agencies | "Bad Tidings" has siphoned victims' credentials by impersonating the Kingdom's Ministry of Interior e-Service portal, known as "Absher." The recent emails have targeted four government entities, the Ministry of Interior, the Saudi Government, the Ministry of Foreign Affairs and the Ministry of Labor and Social Development, as well as the Saudi British Bank.
9 | Phishing scam breaches Oregon Department of Human Services | The Oregon Department of Human Services said that a phishing incident allowed unauthorized access to the personal information of clients in welfare and children services programs. The group of potentially affected consumers exceeds 350,000.
Sl. No | Title | Description
2 | Cisco security updates | Cisco has released multiple security updates to address vulnerabilities in various Cisco products. An attacker could exploit some of those vulnerabilities to take control of an affected system.
3 | Chrome version 72.0.3626.121 released | Google has released Chrome version 72.0.3626.121 for Windows, Mac, and Linux. This version addresses a vulnerability that a remote attacker could exploit to take control of an affected system.
4 | Adobe Photoshop CC and Adobe Digital Editions | Adobe has released security updates to address vulnerabilities in Adobe Photoshop CC and Adobe Digital Editions. An attacker could exploit these vulnerabilities to take control of an affected system.
5 | Microsoft security updates, March 2019 | Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
6 | Chrome version 73.0.3683.75 released | Google has released Chrome version 73.0.3683.75 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.
7 | Cisco Security Updates | Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit one of these vulnerabilities to cause a denial-of-service condition.
8 | WordPress 5.1.1 Security and Maintenance Release | WordPress 5.1 and prior versions are affected by a vulnerability. An attacker could exploit this vulnerability to take control of an affected website.
9 | Security Update for Azure Linux Guest Agent | Microsoft has released an update to address a vulnerability in Azure Linux Guest Agent. An attacker could exploit this vulnerability to obtain access to sensitive information.
10 | Security Updates for VMware Workstation and Horizon | VMware has released security updates to address vulnerabilities affecting Workstation 14 and 15, and Horizon 6 and 7. An attacker could exploit some of these vulnerabilities to take control of an affected system.
11 | Microsoft Windows 7 | After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running the Windows 7 operating system.
12 | Firefox and Firefox ESR | Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.
13 | Drupal Releases Security Updates | Drupal has released security updates to address a vulnerability in Drupal Core. A remote attacker could exploit this vulnerability to take control of an affected system.
14 | Cisco Releases Security Advisories for Multiple Products | Cisco has released several security advisories to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
15 | Security Updates for Firefox | Mozilla has released security updates to address vulnerabilities in Firefox. An attacker could exploit some of these vulnerabilities to take control of an affected system.
16 | Thunderbird | Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.
17 | Apple security updates | Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
18 | ASUS Live Update version 3.6.8 | ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system.
19 | Cisco Releases Security Updates for Multiple Products | Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
20 | Security Update for Cisco IOS XE | Cisco has released a security update to address a vulnerability in Cisco IOS XE. An attacker could exploit this vulnerability to obtain sensitive information.
21 | VMware Releases Security Updates | VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
IOCs
Type | Link
Domains | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455890.xlsx
IPs | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455903.xlsx
URLs | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455845.xlsx
Email | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455864.xlsx
SPELLSOCIAL INTEL REPORT
Questions?
research@spellsecurity.com
SpellSecurity Inc