SpellRadar April19


SPELL RADAR

GLOBAL INTELLIGENCE REPORT – APRIL 2019


CONTENTS
Introduction
Executive Summary
Security Incidents
  Incidents
  Misconfiguration
APTs, Malware & Campaigns
  Malware & Campaigns
  Espionage Groups
  Botnets
Phishing and Scams
Advisory and Patches
IOCs
INTRODUCTION
In this Global Intelligence Report, we look at some of the latest trends of March 2019 as observed on the
SpellWorkbench threat intelligence platform.

This report covers:

1. Key breach incidents, and industry, data and location trends.
2. Emerging and evolving threats, ongoing threat actor campaigns and newly identified actors.
3. Phishing campaigns and user exposure trends.
4. Critical advisories and compliance patches.

Spell Radar Strategic Intel Reports provide a security analyst with a quick and comprehensive view of the latest security incidents and
trends.
EXECUTIVE SUMMARY
Key highlights of this report:

1. A cyber-attack disrupted power restoration in Venezuela.
2. Toyota customers in Japan were affected by a data breach.
3. Hackers stole $19 million from the Bithumb cryptocurrency exchange.
4. Passwords of millions of Facebook users were stored in plain text due to a software bug.
5. An unprotected Elasticsearch database exposed job profiles in China.
6. A fileless banking Trojan is targeting Brazilian banks.
7. State-sponsored Russian hackers are targeting European governments ahead of elections.
8. China's APT40 group stole navy secrets.
9. The Necurs botnet adopted a new strategy to evade detection.
10. A Facebook phishing scam is targeting iOS users.
11. A scam is targeting Christchurch terror attack donations.
12. Microsoft announced the end of security updates for Windows 7 after January 14, 2020.
SECURITY INCIDENTS
[Fig. 1: Security Incidents Map (1)]

[Chart: Incident Cause, March 2019. Categories: DDoS, Misconfiguration, Ransomware, Cryptojacking]
[Chart: Data Exposure, March 2019. Categories: Financial, Accounts, Email, Health]

(1) The data represented in this report is based on the number of incidents/article hits.

[Chart: Affected Industries, March 2019. Categories: IT, Government, Healthcare, Education, Sportswear, Exchange, Games]
[Chart: Exposure Trend Jan'19 - Mar'19. Categories: Financial, Email, Health, Accounts; series: Jan-19, Feb-19, Mar-19]
[Chart: Cause Trend Jan'19 - Mar'19. Categories: Cryptojacking, Misconfigurations, Ransomware; series: Jan-19, Feb-19, Mar-19]
[Chart: Target Trend Jan'19 - Mar'19. Regions: North America, UK, Australia, Europe, Asia, South America; series: Jan-19, Feb-19, Mar-19]
[Chart: Industry Trend Jan'19 - Mar'19. Categories: Exchange, Information & Technology, Healthcare, Government; series: Jan-19, Feb-19, Mar-19]

Incidents
1. Medical billing company hit with ransomware attack
   Wolverine Solutions Group (WSG) mails billing for McLaren, HAP and Covenant HealthCare. The company was the victim of a malicious ransomware attack.
   Impact: 600,000 residents

2. Hackers breached college applicant databases
   Three colleges across the U.S. have been hacked. The hackers duped college staff members into handing over passwords and took control of databases that housed student applicant information.
   Impact: -

3. Security breach at Citrix Systems
   The hackers likely used password spraying on Citrix systems, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security. The attackers may have accessed and downloaded some business documents.
   Impact: -

4. Cyber-attack prevented power restoration in Venezuela
   A cyber-attack prevented Venezuela's authorities from restoring power throughout the country following a blackout. The Venezuelan government blamed the outage on US sabotage at the central power generator in Guri.
   Impact: -

5. Ransomware attack on Columbia Surgical Specialists, Washington
   A ransomware attack on Washington-based Columbia Surgical Specialists resulted in unauthorized access to the medical records of almost 400,000 patients. The company paid almost $15,000 in ransom for a decryption key, arguing that the health of its patients was more important, as surgeries were scheduled for that day.
   Impact: 15,000 USD

6. FILA falls victim to the card-stealing JavaScript infection
   Sportswear brand FILA is the latest company to fall victim to the card-stealing JavaScript infection that menaced British Airways and Ticketmaster last year.
   Impact: 5,600 user records

7. Pakistani government site hacked
   A Pakistani government site was compromised to deliver a dangerous payload, the ScanBox framework. Visitors to the site load the ScanBox JavaScript code from a remote location, which collects information about their machine and logs any keystrokes they make while using the site.
   Impact: -

8. Supply chain attacks against gaming companies by Chinese hackers
   Chinese hackers have launched supply chain attacks against three gaming companies in order to spread malware far and wide across Asian endpoints. The attacks targeted two gaming titles and a "gaming platform application", compromising them with the same backdoor code.
   Impact: -

9. Two tornado sirens hacked in Texas city
   A hacker set off the tornado emergency sirens in the middle of the night across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area.
   Impact: -

10. Norsk Hydro hit by ransomware
   Norsk Hydro, one of the world's largest aluminum producers, has been hit by a crypto-locking ransomware attack that began at one of its U.S. plants and has disrupted some global operations.
   Impact: -

11. Police Federation of England and Wales suffers ransomware attack
   A ransomware attack hit databases and other systems at the headquarters of the Police Federation of England and Wales (PFEW).
   Impact: -

12. PewDiePie fans launched ransomware attacks with PewDiePie ransomware
   PewDiePie fans have resorted to extreme measures to help their idol get the coveted position, including launching ransomware attacks with PewDiePie ransomware.
   Impact: -

13. Real Trends' website hacked
   Real Trends' website was hacked just hours after the firm released its latest brokerage rankings.
   Impact: -

14. Toyota customers in Japan hit by data breach
   Personal information belonging to millions of Toyota customers in Japan may have been compromised as a result of a breach suffered by a Toyota Motor Corporation (TMC) sales subsidiary and its affiliates.
   Impact: 3.1 million

15. Hackers stole $19 million from Bithumb exchange
   Hackers compromised a few of Bithumb's hot EOS and XRP wallets and transferred around 3 million EOS (roughly $13 million) and 20 million XRP (roughly $6 million) to accounts under their control.
   Impact: 19 million USD

16. Card breach reported at Earl Enterprises' restaurants
   Earl Enterprises reported a security breach of its payment card processing systems. Hackers planted malware on the point-of-sale systems at some Earl Enterprises restaurants.
   Impact: -
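The Citrix entry above rests on password spraying: a handful of common passwords tried once against many accounts, so no single account accumulates enough failures to trip a lockout, which is exactly why per-account failure counters miss it. The following added example (not code from the report, from Citrix, or from any vendor) shows detection logic that runs over constructed authentication log lines and separates spraying (many accounts, few failures each) from classic brute force (one account, many failures), and reports any success from a flagged source, since that success is the foothold described above. The log line format, the thresholds and the sample data are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format is an assumption for this example (constructed, not Citrix logs):
#   <ISO-8601 timestamp> auth=<success|failure> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source tries nine accounts once each and then logs in
# as a tenth (spray with a foothold); a second source hammers a single account
# (classic brute force); a third is an ordinary login.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]
SAMPLE_LOG = "\n".join(
    [f"2019-03-06T02:00:{6 * i + 1:02d} auth=failure user={u} src=203.0.113.9"
     for i, u in enumerate(SPRAY_USERS)]
    + ["2019-03-06T02:00:59 auth=success user=judy src=203.0.113.9"]
    + [f"2019-03-06T02:01:{i:02d} auth=failure user=alice src=198.51.100.4"
       for i in range(12)]
    + ["2019-03-06T02:05:00 auth=success user=mallory src=192.0.2.10"]
)


def parse_log(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=10), min_accounts=8,
           per_account_cap=3, brute_min=10):
    """Classify each source IP as password_spray or brute_force (thresholds are assumptions).

    Spray: many distinct accounts, each with only a few failures (stays under lockout).
    Brute force: one account with many failures. Any success from a flagged source is
    reported separately because that is the attacker's foothold.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        # Fixed window anchored at the source's first event; a production detector
        # would slide this window over the stream.
        start = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - start <= window]
        failures = defaultdict(int)
        successes = set()
        for e in in_window:
            if e["result"] == "failure":
                failures[e["user"]] += 1
            else:
                successes.add(e["user"])
        if not failures:
            continue
        accounts = len(failures)
        worst = max(failures.values())
        if accounts >= min_accounts and worst <= per_account_cap:
            kind = "password_spray"
        elif worst >= brute_min:
            kind = "brute_force"
        else:
            continue
        alerts[src] = {"kind": kind, "accounts_tried": accounts,
                       "max_failures_per_account": worst,
                       "successes_from_source": sorted(successes)}
    return alerts


if __name__ == "__main__":
    for src, alert in detect(parse_log(SAMPLE_LOG)).items():
        print(src, alert)
```

The spray source never exceeds one failure per account, so a lockout policy of five attempts would not have fired; grouping by source and counting distinct accounts is what surfaces it. On a real gateway the same logic should also key on user agent or session fingerprint, because sprayers rotate source addresses.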
Misconfiguration

1. Dow Jones Watchlist database leaked
   A data leak from an unsecured Elasticsearch server exposed the Dow Jones Watchlist database, which contains information on high-risk individuals and was left on a server without a password.

2. Verifications.io's unprotected MongoDB database exposed 809 million records
   An unprotected server exposed online four MongoDB databases belonging to the email validation company Verifications.io. The archive includes 808,539,849 records containing email records, emails with phone numbers and business leads.

3. Database of 1.8 million Chinese women surfaced online
   The database, named "BreedReady", was open for anyone to access. It contains personal details of 1.8 million women from China including their names, addresses, age, sex, phone numbers, location, ID numbers and marital status.

4. Database leaks 250K legal documents
   A database containing 257,287 legal documents, some marked as "not designated for publication", was left exposed on the public internet without a password, allowing anyone to access and download a trove of sensitive legal materials.

5. Unprotected Elasticsearch DB exposed job profiles in China
   An unprotected Elasticsearch database exposed online contains approximately 33 million job profiles in China.

6. MySpace loses 50 million songs in server migration
   As a result of a server migration project, photos, videos and audio files uploaded to MySpace more than three years ago have been lost from the servers. Backups were not created before the migration.

7. Passwords of millions of Facebook users were stored in plain text
   A bug in Facebook caused the passwords of many of its users to be stored in plain text, visible to the social network's employees.

8. FEMA exposed 2.3 million disaster victims' private data
   The U.S. Federal Emergency Management Agency inadvertently shared 2.3 million disaster survivors' personal details with a third-party contractor. Twenty different types of sensitive personal data pertaining to the survivors were accidentally shared by FEMA.

9. Spyware app exposes private photos and audio
   MobiiSpy, an Android app that can be used to track what people do on their phones, left over 95,000 images and 25,000 audio recordings on a publicly accessible database.

10. A family tracking app leaked real-time location data
   An app called Family Locator left its MongoDB database exposed with no password, resulting in the location of about 280,000 users leaking in real time.
APTs, MALWARE & CAMPAIGNS
[Fig. 2: Threat Map]

[Chart: Threat Trend, March 2019. Categories: Phishing, Malspam, Botnet, Cryptominers, Exploit Kit, RAT, Ransomware, Trojan, Uncategorized]
[Chart: Threat Trend Jan'19 - Mar'19. Categories: Malspam, Exploit Kit, Trojan, Uncategorized, Ransomware, RAT; series: Jan-19, Feb-19, Mar-19]
[Chart: Targeted Locations, March 2019. Regions: South America, Russia, East Asia, UK, Middle East, USA]
[Chart: Target Trend Jan'19 - Mar'19. Regions: Europe, Middle East, Central Asia, USA, South East Asia, South America; series: Jan-19, Feb-19, Mar-19]

Malware & Campaigns

Sl. No | Threat | Target
1 | Fake browser updates pushing ransomware and bank malware | -
2 | Fileless banking Trojan targeting Brazilian banks | -
3 | Troldesh (Shade) ransomware | -
4 | New SLUB backdoor uses GitHub and Slack | -
5 | The Pirate Bay users targeted by 'PirateMatryoshka' malware | The Pirate Bay users
6 | New Ursnif variant targets Japan | -
7 | Analysis of Powload | -
8 | Malspam pushes Emotet with Qakbot malware | -
9 | Adware found in 206 applications on the Google Play Store | Android users
10 | Analysis of BlackMoon (banking Trojan) | -
11 | DanaBot control panel analysis | -
12 | AZORult++: an updated version of AZORult written in C++ | -
13 | LockerGoga ransomware analysis | -
14 | Supply chain attack that leveraged ASUS Live Update software | ASUS users
15 | WinRAR zero-day used in multiple campaigns | -
16 | Plugin vulnerabilities exploited in traffic monetization schemes | -
17 | Analysis of ransomware loader for Nozelesn | -
18 | Vulnerable Docker hosts exploited by cryptocurrency miners | -
19 | Malspam campaign uses Boeing 737 Max crashes | -
20 | Spoofed CDC warning used to deliver latest GandCrab ransomware | -
Espionage Groups

[Chart: Espionage Activity Trend Jan'19 - Mar'19; series: Jan-19, Feb-19, Mar-19]

Sl. No | Title | Actor | Target
21 | APT27 hackers leverage a variety of publicly available and self-developed tools in recent attacks | APT27 | -
22 | China's APT40 group stole navy secrets | APT40 | Navy
23 | Iranian hackers hit 200 companies worldwide in the past two years | APT33 | Oil, gas and construction companies
24 | FIN7 is back with a previously unseen SQLRat malware | FIN7 | -
25 | Lazarus campaigns on cryptocurrency businesses | Lazarus | Cryptocurrency businesses
26 | OceanLotus malware analysis | OceanLotus | -
27 | State-sponsored Russian hackers targeting European governments ahead of elections | APT28 | European governments
Botnets
Sl. No | Botnet
1 | Necurs botnet adopts a new strategy to evade detection
2 | Emotet Epoch 1 changes its C2 communication
3 | Malspam pushes LokiBot
4 | New Mirai variant targets enterprise devices
5 | PsiXBot analysis
6 | TrickBot analysis
PHISHING AND SCAMS
[Chart: User Exposure, March 2019. Categories: Apple, Government, Banking, Social Media, Netflix, Education, Exchanges]
[Chart: Phishing Exposure Trend Jan'19 - Mar'19. Categories: Government, Banking, Netflix, Education; series: Jan-19, Feb-19, Mar-19]
1. Hacking group stealing popular Instagram profiles
   Targeting popular Instagram profiles has become the modus operandi of a certain group of Turkish-speaking hackers. The hackers get into the accounts through phishing.

2. Hackers target Singapore company
   Space Matrix's chief finance officer received an e-mail in April last year in a phishing attempt. "The e-mail address looked like it was from chief executive officer Arsh, and even the way it was written was very similar to how Arsh would write an e-mail. It said to transfer $200,000 to an account, but thankfully the employees realized it wasn't legitimate and they didn't go ahead with the transaction."

3. Facebook phishing scam targeting iOS users
   A new cyber-scam collecting social media account logins is making its way through iOS devices, fooling users with its realistic-looking login process. Unsuspecting victims are entering their Facebook credentials into the fake login screen, which then sends the credentials straight to the malware's C&C server.

4. Scam targeting school district in Monterey County
   A phishing scam targeting Carmel Unified School District in Monterey County, California, exposed documents containing sensitive employee information. Hackers obtained login credentials to several employee email accounts, one of which stored employees', their spouses' and dependents' Social Security numbers, employee marriage certificates, employee dependents' birth certificates and doctor's notes, some containing medical information.

5. Scam targeting Christchurch terror attack donations
   Scammers are targeting people wanting to make donations to the victims of the Christchurch terror attack. The scammers are sending out an email that carries Westpac branding.

6. Phishing scam targets churchgoers
   Church members get an email from their minister asking them to contribute to the church by buying and sending in gift cards. The emails seem harmless and legitimate but come from a malicious source.

7. Phishing campaigns target Netflix users and AMEX customers
   Both the Netflix and AMEX campaigns are very well crafted and feature convincing fill-out forms, legitimate logos and faithfully mimicked web pages. Once users fill in their details on one of the pages, the hackers obtain all of them.

8. "Bad Tidings" phishing campaign targets Saudi government agencies
   "Bad Tidings" has siphoned victims' credentials by pretending to be the Kingdom's Ministry of Interior e-service portal, known as "Absher". The recent emails have targeted four government entities, the Ministry of Interior, the Saudi Government, the Ministry of Foreign Affairs and the Ministry of Labor and Social Development, as well as the Saudi British Bank.

9. Phishing scam breaches Oregon Department of Human Services
   The Oregon Department of Human Services said that a phishing incident allowed unauthorized access to the personal information of clients in welfare and children's services programs. The group of potentially affected consumers exceeds 350,000.

10. Watering hole phishing campaign targets South Korean websites
   A phishing campaign has compromised at least four South Korean websites by injecting fake login forms to steal user credentials.
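Entry 2 above is a textbook business email compromise attempt: a sender address that "looked like" the chief executive's and a request to move $200,000. The following added example (not code from the report or from any mail vendor) shows the three header checks a mail gateway or analyst script can apply to catch that pattern before a human has to: an executive's display name on a mailbox that is not theirs, a sender domain that is a near miss of the organisation's own (typo-squatting, found with an edit distance), and a Reply-To that diverts answers elsewhere. The organisation, the executive name and mailbox, the domains and the three messages are all constructed for this example.

```python
import email
from email.utils import parseaddr

# Assumed organisation data for this example (hypothetical, not from the report).
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
PAYMENT_WORDS = ("wire", "transfer", "invoice", "payment", "urgent")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw):
    """Return findings and a verdict for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. An executive's display name on a mailbox that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("display_name_impersonation")
    # 2. Sender domain is a near miss of a trusted domain (typo-squat).
    if domain not in TRUSTED_DOMAINS and any(
            edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        findings.append("lookalike_domain")
    # 3. Replies silently diverted away from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("reply_to_mismatch")
    # 4. Payment language, reported so the analyst sees the ask itself.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in PAYMENT_WORDS):
        findings.append("payment_language")

    if "display_name_impersonation" in findings or "lookalike_domain" in findings:
        verdict = "block"
    elif "reply_to_mismatch" in findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"findings": findings, "verdict": verdict}


# Constructed messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
To: cfo@example.com
Subject: Urgent wire transfer

Please transfer $200,000 to the account below today. I am in a meeting and cannot talk.
"""

DIVERTED = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jd.private@mail.example.net
To: cfo@example.com
Subject: Quick question

Can you send me the current vendor list?
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Attached is the draft for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("diverted", DIVERTED), ("legit", LEGIT)):
        print(label, analyse(raw))
```

These checks complement, not replace, SPF, DKIM and DMARC: a message that exactly forges the real executive address fails DMARC at the gateway, while a lookalike domain the attacker registered passes all three, which is why the display-name and edit-distance checks are needed. The payment-language finding is informational on its own; the out-of-band control that actually stopped the Space Matrix attempt is a second person confirming any new payee by phone.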
ADVISORY AND PATCHES
1. Adobe ColdFusion updates
   Adobe has released security updates to address a vulnerability in ColdFusion. An attacker could exploit this vulnerability to take control of an affected system.

2. Cisco security updates
   Cisco has released multiple security updates to address vulnerabilities in various Cisco products. An attacker could exploit some of those vulnerabilities to take control of an affected system.

3. Chrome version 72.0.3626.121 released
   Google has released Chrome version 72.0.3626.121 for Windows, Mac and Linux. This version addresses a vulnerability that a remote attacker could exploit to take control of an affected system.

4. Adobe Photoshop CC and Adobe Digital Editions
   Adobe has released security updates to address vulnerabilities in Adobe Photoshop CC and Adobe Digital Editions. An attacker could exploit these vulnerabilities to take control of an affected system.

5. Microsoft security updates, March 2019
   Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

6. Chrome version 73.0.3683.75 released
   Google has released Chrome version 73.0.3683.75 for Windows, Mac and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.

7. Cisco security updates
   Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit one of these vulnerabilities to cause a denial-of-service condition.

8. WordPress 5.1.1 security and maintenance release
   WordPress 5.1 and prior versions are affected by a vulnerability. An attacker could exploit this vulnerability to take control of an affected website.

9. Security update for Azure Linux Guest Agent
   Microsoft has released an update to address a vulnerability in Azure Linux Guest Agent. An attacker could exploit this vulnerability to obtain access to sensitive information.

10. Security updates for VMware Workstation and Horizon
   VMware has released security updates to address vulnerabilities affecting Workstation 14 and 15, and Horizon 6 and 7. An attacker could exploit some of these vulnerabilities to take control of an affected system.

11. Microsoft Windows 7
   After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running the Windows 7 operating system.

12. Firefox and Firefox ESR
   Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

13. Drupal releases security updates
   Drupal has released security updates to address a vulnerability in Drupal Core. A remote attacker could exploit this vulnerability to take control of an affected system.

14. Cisco releases security advisories for multiple products
   Cisco has released several security advisories to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

15. Security updates for Firefox
   Mozilla has released security updates to address vulnerabilities in Firefox. An attacker could exploit some of these vulnerabilities to take control of an affected system.

16. Thunderbird
   Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.

17. Apple security updates
   Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

18. ASUS Live Update version 3.6.8
   ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system.

19. Cisco releases security updates for multiple products
   Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

20. Security update for Cisco IOS XE
   Cisco has released a security update to address a vulnerability in Cisco IOS XE. An attacker could exploit this vulnerability to obtain sensitive information.

21. VMware releases security updates
   VMware has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
IOCS
Type | Link
Domains | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455890.xlsx
File Hashes | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455877.xlsx
IPs | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455903.xlsx
URLs | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455845.xlsx
Email | https://spellsecuritystaging.s3.amazonaws.com/artifact%2F1554455864.xlsx
Questions?

research@spellsecurity.com

SpellSecurity Inc
