make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

Threat Intelligence Updates: April 2018

04/23/2018  |  By: Jessica Mantz

Share

Social Logo Social Logo Social Logo Social Logo

Aside from the steady phishing activity that LBMC Information Security has been seeing in previous months, detections of the Kovter trojan are also on the rise. Kovter has been around for a number of years but has gone through various changes. The trojan began as a form of police ransomware, notifying users of illegal activity and requesting that a “fine” be paid. The code was later modified into a form of click-fraud malware. Once Kovter found its way onto a victim’s system via code injection, it stole information and sent it back to its command and control (C2) servers. Finally, Kovter was converted into a “fileless malware” variant, using multiple persistence mechanisms to remain on a victim’s system and thwart antivirus software.  

The Kovter trojan is commonly delivered to victims via spam and phishing emails containing a malicious attachment. The attachment is typically a macro-enabled Microsoft Office document or a 7-zip file. If the user opens the attached Microsoft Office file and enables macros within the document, malicious code executes and will install the malware. Alternatively, if the attachment is a 7-zip file and the user double-clicks the file, malicious JavaScript is executed to install Kovter. Once installed, the malware establishes communication with its command and control (C2) server to download additional resources. Fileless operation and persistence mechanisms are then deployed, as Kovter writes to the Windows Registry and spawns a new process in an attempt to conceal itself among other system processes.  

Due to Kovter’s initial infection through email, we recommend implementing protections against common email threats, like spam and phishing attacks. Organizations should configure anti-spam filters as well as threat detection thresholds to mitigate the risk of malware distribution through email. Sandboxing email attachments to isolate and analyze potential threats is another defensive measure to mitigate this risk.

For more information on Kovter and mitigation strategies, please visit:

Under Armour Reports 150 Million MyFitnessPal Accounts Breached

150 million users of Under Armour’s MyFitnessPal app, a nutrition and exercise tracking website and mobile app, have been affected by a data breach exposing usernames, email addresses, and hashed passwords. The company specified that personally identifiable information, such as credit card numbers or social security numbers were not exposed as a result of the breach. Just four days after identifying the issue, the company notified users via email and through in-app messaging. The company also provided users with steps that they can take to protect their information.  

More information on this can be found at: 

37 Million Panera Bread Customers May Be Affected by Data Breach

As many as 37 million online customers of Panera Bread may have been affected by a data breach exposing names, email and physical addresses, birth dates, Panera loyalty account numbers, and the last four digits of customer credit card numbers. The company was notified of the data breach back in August of 2017 and is being criticized for its lack of action in handling the incident until now. Panera Bread has also announced that the issue on their website has been resolved and that the investigation is continuing.

Learn more by visiting:

Payment Card Data Stolen from 5 Million Saks Fifth Avenue, Lord & Taylor Customers

Point of sale systems at Saks Fifth Avenue and Lord & Taylor stores were compromised by attackers, resulting in the theft of payment card information of approximately five million customers. The stores’ parent company, Hudson’s Bay Company, has stated that the incident has been contained and an investigation is currently underway. Further, there has been no indications that any sensitive information such as social security numbers, driver’s license numbers, or PINs have been compromised. The retailer is offering free identity protection services to affected individuals.

More information on this data breach can be found at:

Threat Intelligence Updates: April 2018

Related People

  • Jessica Mantz