Threat Library Bi-Weekly May 13-28

For the past two weeks, we continued seeing an increase in the number of threat groups that use the hybrid attack technique (aka double extortion). After infiltrating the system, the threat group first steals the data on the compromised system, and then they encrypt it. If the victims do not pay the ransom demand, the attackers release the stolen data. Over the past two weeks, the following groups have adopted this technique: NetWalker, Ako, and Snake ransomware. NetWalker and Ako ransomware managed to attack multiple organizations and leak some of the stolen data as proof.

Top 5 Cyber Terms:

• NetWalker ransomware - In May 2020, the operators of NetWalker placed a heavy emphasis on targeting and attracting technically advanced affiliates for their program. By doing so, they created an exclusive group of top-tier network intruders to execute their new RaaS business model. Security researchers assess that this enables NetWalker creators to collaborate with other cybercriminals who already have access to large networks and have the ability to spread ransomware.

• Snake ransomware - On May 20, 2020, security researchers found that medical data and personally identifiable information belonging to patients at a Fresenius Medical Care unit were leaked on a paste website by the creators of the Snake ransomware. The hackers published a small batch of data, but they announced that there’s “more to come,” announcing that the data is part of a much larger leak.

• GhostDNS - In May 2020, security researchers received unrestricted access to the components of the GhostDNS exploit kit. The complete source code for the malware kit and multiple phishing pages was uploaded to a file-sharing platform by a careless user who did not password-protect the archive.

• Winnti Group - From February to May 2020, researchers detected multiple attacks targeting video game companies, apparently part of a campaign by the Winnti group. The threat group used a modular backdoor dubbed PipeMon, that was signed with a certificate belonging to a video game company that was attacked by the same threat actor in 2018.

Other cyber terms that are worth a notable mention: Maze ransomware, Sodinokibi, and Nefilim.

For more information about those terms, please visit our ETP Suite Threat Library.

General Cyber Update

New Bluetooth vulnerability - Academic researchers disclosed a security vulnerability in Bluetooth dubbed Bluetooth Impersonation AttackS (or BIAS). This vulnerability enables an attacker to spoof a remotely paired device, exposing over a billion modern devices.

Voter info for millions of Indonesians leaked - On May 21, a threat actor leaked the personal information of over 2,300,000 Indonesian citizens in a hacking forum, and claims they will release a total of 200 million at a later date. The breached database is the Indonesian voter information updated to 2014. The threat actor states that the voter records are stolen from the KPU, the general election commission of Indonesia.

The MagBo portal - The MagBo cybercrime marketplace soared in popularity to become the largest criminal marketplace of its kind. Access to more than 43,000 hacked websites is currently being sold over the platform.

LiveJournal credentials leaked online - On May 27, 2020, it was published that the credentials of over 26,000,000 users of LiveJournal, a popular blogging platform, were leaked. The data contained usernames, emails, and plaintext passwords. The data was stolen in a security breach in 2014.