External Threat Summary for December 2018

Data Breach

San Diego School District Hacked, 500,000 Individuals’ Personal Data Exposed

An attacker gained access to personal data belonging to some 500,000 students from the San Diego Unified School District. The attacker used phishing emails to collect login credentials from district employees between January and November 2018.

Data Breach

Quora Hacked, Exposing Data for 100 Million Users

The question and answer website Quora announced that up to 100 million users’ account data, including data from linked networks and all public and non-public account activities, were stolen by an unknown attacker, whose method for obtaining access to the system remains unknown.

Botnet Propagation

20,000-Strong WordPress Botnet Spreading to Other WordPress Sites

A botnet of some 20,000 infected WordPress sites has been observed attacking other WordPress sites in order to grow its own infrastructure. The botnet attacks the sites through an XML API that mobile app developers use to connect to WordPress sites.

Rogue Mobile Application

DanaBot Banking Trojan Adds New Spam Module

The DanaBot banking trojan has received an update that allows it to harvest email addresses from an infected user’s address book and then send spam messages directly from that user’s mailbox.

Scam Tactics

Recent Trend of “Sextortion” Emails Now Leading to Ransomware and Spyware Infections

The 2018 trend of “sextortion” emails, in which an attacker uses previously stolen account credentials to scam a victim with threats of releasing videos of the victim’s purported pornography habits, has undergone a significant shift in tactics. Recently, such emails have included ransomware and/or spyware payloads, shifting the attack from a scam to a direct attack against the victim’s computer.

Social Media Threat

Cyber Spy Group Observed Following Top Researchers, Updating Spyware on Open-Source Repositories

A cyber criminal group known as Speedworm has been observed using the online code repository GitHub to post, analyze, and modify its malware code. In addition, the group has conspicuously updated its code quickly after researchers on social media have posted new vulnerabilities or patches against known vulnerabilities.

Holiday Shopping Scams

Phishing Campaign Uses Fake Amazon Confirmations to Spread Malware

In 2018, a phishing scam in which attackers send emails pretending to be order confirmations from Amazon reached new levels of realism, as the new campaign’s emails are virtually indistinguishable from Amazon emails. Many of the links in the emails direct to legitimate Amazon pages, whereas the “Order Details” button links to a malicious document.

Social Media Threats, Alternative Infection Vector

Operation Sharpshooter Malware Campaign Infects Critical Infrastructure via Social Media, Dropbox

A large-scale malware campaign dubbed Operation Sharpshooter has leveraged several social media-based social engineering techniques to direct victims across several critical infrastructure industries to download malicious files through Dropbox. The primary lure behind the campaign is job recruitment.


Chinese Ransomware Attack Demands Payment via Popular Chinese Chat App

A Chinese ransomware strain has forgone the traditional method of demanding ransom in cryptocurrency and instead demands that victims pay via WeChat, one of China’s most widely used social network platforms, which supports user-to-user money transfers.

Social Media Abuse

Malware Controlled by Hidden Messages Distributed Inside Memes on Twitter

A cyber criminal group has been observed delivering instructions to its malware via steganography. The attackers uploaded “meme” images containing hidden text to Twitter; that text instructed the malware to take screenshots of the infected computer and relay the images back to a command and control (C2) server.