Data Breach

Airbus Suffers Data Breach, IT Personnel Affected

Airbus has reported, as required under the EU’s GDPR, that it has detected a data breach affecting contact and identification details for some employees, including some in IT. The company says it has strengthened its security measures and is currently investigating the breach.

Source: https://www.reuters.com/article/us-airbus-cyber/airbus-reports-breach-into-its-systems-after-cyber-attack-idUSKCN1PO2TQ


Data Breach

Abine Announces 2.4 Million Affected in Blur Data Breach

Abine announced that a file containing personal information for some 2.4 million users who had registered before 2018 had been left freely accessible online. The exposed information includes email addresses, some names, some password hints, IP addresses, and encrypted website passwords. The company says that no passwords stored inside users’ accounts were exposed.

Source: https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/


Rogue Mobile Application

Spyware Spreads in Google Play Store

The MobSTSPY spyware, embedded in six apps, spread to 196 countries via the Google Play store. While the method of infection is not novel, the scale of the infection, and the fact that the malware was present in six different apps, is striking. The apps were downloaded more than 100,000 times. The malware itself has standard spyware capabilities, as well as spoofed login interfaces that mimic popular login pages, such as those of Google and Facebook.

Source: https://threatpost.com/mobstspy-trojan-google-play/140534/


Phishing

Phishing with Custom Web Fonts

Attackers have developed a method for obfuscating malicious source code on a forged web page by applying a substitution cipher that is undone visually by custom web fonts. This lets the attackers circumvent security controls such as JavaScript blockers: the browser reads the page source as plain text rather than as JavaScript, so the page renders without the blockers identifying the code. The source code was embedded in the page’s CSS files.

Source: https://www.bleepingcomputer.com/news/security/new-phishing-tactic-uses-custom-web-fonts-to-prevent-detection/


Data Exposure

German Politicians Doxxed in Major Campaign

Attackers have doxxed several hundred German politicians from all major German political parties, including Chancellor Angela Merkel; only the far-right Alternative for Germany (AfD) was unaffected. The information released in the dump includes personally identifiable information (PII), bank details and debit authorizations, and private chat histories and conversations with family members. Some of the data in the dump dates back as far as 2009.

Source: https://www.tagesschau.de/inland/deutsche-politiker-gehackt-101.html


Spam

Attackers Spread Spam via Emergency Notification Network

The Australian Early Warning Network (EWN), the country’s emergency notification system, was hacked and used to distribute spam to all of the network’s subscribers. The incident occurred as a cyclone approached the Queensland coast. The EWN says that the attacker gained access to the system using “illicitly gained credentials”.

Source: http://www.ewn.com.au/alerts/ewn-hacked-privacy-alert-2019-01-05-400002.weather?fb_comment_id=1998089213606124_1998793206869058


External Threats

WordPress Vulnerabilities Increased 30% in 2018

Reported vulnerabilities in WordPress increased by about 30% in 2018. By comparison, from 2017 to 2018, WordPress experienced an increase of 21%. In total, 17,142 vulnerabilities were discovered across WordPress sites in 2018, compared to 14,082 in 2017. Roughly half of these vulnerabilities have a publicly available exploit, and about a third have no known fix.

Source: https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/


DNS Hijacking

DNS Hijacking Campaign Attributed to Iranian Actors

A major, global DNS hijacking campaign targeting victims in North America, Europe, the Middle East, and North Africa since 2017 has been attributed to unidentified actors with some association to Iran. The attacks, staged in clusters from January 2017 to January 2019, employed DNS record manipulation and fraudulently obtained SSL certificates, allowing the attackers to harvest credentials for further attacks against the affected organizations.

Source: https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html


Digital Governance

DHS Orders Government Agencies to Audit DNS Records; DNS Services Update Security Infrastructure

The US Department of Homeland Security has issued an order directing government agencies to conduct a full DNS audit, including password changes, enabling MFA, and implementation of Certificate Transparency logs. In a related development, several major DNS providers have announced plans to make significant upgrades to their DNS handling software in order to increase speeds and block several security workarounds.

Source: https://cyber.dhs.gov/ed/19-01/, https://www.bleepingcomputer.com/news/security/dns-ddos-attack-protections-to-be-forcefully-enabled-for-non-compliant-sites/
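The two checks that the hijacking campaign above would trip, and that the DHS audit asks for, are a DNS record baseline comparison and a Certificate Transparency issuer check. The script below is an added example, not code from any of the sources; every domain, address, issuer and CT entry in it is constructed sample data.

```python
"""Added example: baseline-vs-observed DNS record audit plus a CT-log issuer
check. All names, addresses, issuers and entries are constructed, not real."""

# Constructed baseline: what the organisation expects its public DNS to say.
BASELINE = {
    "example.org": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                    "A": {"203.0.113.10"},
                    "MX": {"mail.example.org."}},
    "mail.example.org": {"A": {"203.0.113.25"}},
}

# Constructed snapshot in which one nameserver and the mail host's A record
# have been swapped out, the pattern of a DNS record-manipulation hijack.
OBSERVED = {
    "example.org": {"NS": {"ns1.example-dns.net.", "ns-rogue.invalid."},
                    "A": {"203.0.113.10"},
                    "MX": {"mail.example.org."}},
    "mail.example.org": {"A": {"198.51.100.7"}},
}

# Constructed CT-log style entries (issuer, subject name) as a monitor might
# return them; the organisation only ever buys certificates from one CA.
CT_ENTRIES = [
    {"issuer": "Some Public CA", "name": "mail.example.org"},
    {"issuer": "Example Corp Contracted CA", "name": "example.org"},
]
ALLOWED_ISSUERS = {"Example Corp Contracted CA"}


def audit_dns(baseline, observed):
    """Return one finding per record set whose observed values differ from
    the baseline, listing what was added and what was removed."""
    findings = []
    for name, rrsets in baseline.items():
        for rtype, expected in rrsets.items():
            seen = observed.get(name, {}).get(rtype, set())
            if seen != expected:
                findings.append(
                    f"{name} {rtype}: added={sorted(seen - expected)} "
                    f"removed={sorted(expected - seen)}")
    return findings


def audit_ct(entries, allowed_issuers):
    """Flag certificates for our names issued by a CA we never authorised."""
    return [f"{e['name']} issued by {e['issuer']}"
            for e in entries if e["issuer"] not in allowed_issuers]


if __name__ == "__main__":
    for line in audit_dns(BASELINE, OBSERVED) + audit_ct(CT_ENTRIES, ALLOWED_ISSUERS):
        print("ALERT:", line)
```

In practice the observed snapshot would come from querying several independent resolvers and the CT entries from a log monitor; an unexplained nameserver change or an unrecognised issuer is the signal to rotate registrar and DNS-provider credentials and enable MFA as the directive prescribes.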


External Threats

DarkHydrus Using Google Drive as C2 Server

The DarkHydrus APT, also known as Lazy Meerkat, has been observed using Google Drive as a Command and Control (C2) server for its variant of the RogueRobin Trojan. Drive is not the default C2 channel, but the trojan’s code allows the attacker to manually enable a DNS tunnel for communication with Drive should the need arise. Using Google Drive lets the trojan upload, download, and update files while effectively bypassing blocklists, since Google is generally allowlisted at the majority of organizations.

Source: https://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-google-drive-to-send-commands-to-roguerobin-trojan/