Threat Intelligence Updates: July 2018

07/18/2018  |  By: Jessica Mantz


We continue to see steady detection of cryptocurrency miners, as we did last month, but we are also seeing a sharp increase in Trojan activity. Reporting from other organizations and researchers corroborates our view that Trojan malware families have increased their impact globally. Last month the Emotet banking Trojan made a comeback after attackers began leveraging a new variant: Check Point's Global Threat Index placed Emotet 50th in April's ranking, but it rose to 11th in June's index. Dorkbot, another prevalent banking Trojan to watch for, moved from number 8 to number 3 in the same index. Dorkbot not only harvests sensitive data but can also launch denial-of-service attacks.

Researchers recently warned of a complex new botnet, dubbed Mylobot, that has been observed downloading Dorkbot in a recent campaign. Mylobot features many evasion techniques, including anti-sandbox checks, code injection, process hollowing, executing files directly from memory without writing anything to disk, and delaying infection for 14 days before contacting any command-and-control server. Mylobot can download any payload the attacker chooses to provide, and it also searches for and disables other malware already present on the victim machine. Taken together, these techniques make Mylobot a formidable threat for any organization.

We recommend a defense-in-depth strategy that uses multiple layers of detective controls to identify and isolate this type of threat. Security awareness training is also beneficial, enabling end users to recognize and avoid the phishing emails that typically carry payloads such as banking Trojans and other prevalent malware.


Adidas Announces Data Breach Affecting Online US Customers

Adidas disclosed a possible data breach after an unnamed party claimed to have acquired data linked to customers who made purchases on Adidas' United States website. The retailer is still investigating to determine the scope of the incident, but it has already confirmed that contact information, usernames, and encrypted passwords of some of its customers were exposed. The company has no reason to believe that any credit card numbers or fitness information were affected and is in the process of notifying affected customers.


Timehop Data Breach Affects 21 Million Users

Timehop, the company behind an application that shows social media users their photos, videos, and posts from the current day in previous years, recently disclosed a data breach affecting approximately 21 million users. The company found that an attacker had accessed a database containing usernames, email addresses, and phone numbers, as well as social media access tokens for a subset of the affected users. Timehop has stated that there is no evidence the compromised tokens were used to gain unauthorized access, and the tokens have since been invalidated for the affected users. The company is still investigating the incident.


Macy’s Announces Data Breach of Macys.com and Bloomingdales.com User Accounts

Macy’s reported a data breach affecting some of its online customers who hold accounts with Macys.com or Bloomingdales.com. The breach occurred from April 26 through June 12, 2018. The retailer has conducted a full investigation and has stated that full names, birth dates, addresses, phone numbers, email addresses, and payment card numbers along with expiration dates were compromised. Since identifying the breach, Macy’s has deactivated all compromised customer accounts and will be providing consumer protection services to affected individuals at no cost.


Malware Campaign Replaces Desktop and Quick Launch Shortcuts to Download Backdoor

Security researchers have discovered a new malware campaign that infects a system and modifies the victim’s shortcut files to covertly download and install a backdoor. The malware is distributed via a malicious macro-enabled Word document that instructs users to enable macros in order to view the full document. Once macros are enabled, the infection process replaces shortcut files such as Skype, Google Chrome, Internet Explorer, and Mozilla Firefox located on the user’s desktop and in the Quick Launch bar. Each time the victim uses a modified shortcut, the malware downloads additional content and then restores the legitimate shortcut to evade detection. Researchers have found that this malware is still changing and may be under active development ahead of wider distribution.
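Because the campaign swaps the shortcut back after each use, a one-time look at a single .lnk file is easy to miss; what a responder actually wants is a sweep of every shortcut in the abused locations that flags targets or arguments a browser or Skype shortcut should never have. The following PowerShell is an added example written for this post, not code from the researchers or from the campaign. The pattern lists are illustrative assumptions (common interpreters and download-and-execute command fragments), not indicators published for this malware.

```powershell
# Added example: audit .lnk files on the Desktop and in Quick Launch and flag
# shortcuts whose target or arguments look like a downloader stage rather than
# the application the shortcut name suggests. Pattern lists are assumptions for
# illustration, not published indicators for this campaign.

$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

# Interpreters and LOLBins that a Chrome, Firefox, IE or Skype shortcut should never launch.
$suspiciousTargets = @(
    'cmd\.exe$', 'powershell\.exe$', 'wscript\.exe$', 'cscript\.exe$',
    'mshta\.exe$', 'rundll32\.exe$', 'regsvr32\.exe$', 'certutil\.exe$', 'bitsadmin\.exe$'
)

# Argument fragments typical of a download-and-execute or hidden-window stage.
$suspiciousArgs = @(
    'https?://', 'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr ',
    'FromBase64String', '-EncodedCommand', ' -e ', '-w hidden', 'WindowStyle Hidden'
)

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in ($locations | Where-Object { Test-Path $_ })) {
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $sc        = $shell.CreateShortcut($lnk.FullName)
        $target    = $sc.TargetPath
        $arguments = $sc.Arguments
        $reasons   = @()

        if ($suspiciousTargets | Where-Object { $target -match $_ }) {
            $reasons += "target is $target"
        }
        if ($suspiciousArgs | Where-Object { $arguments -match $_ }) {
            $reasons += "arguments: $arguments"
        }

        # A shortcut that points at the real browser but at an unsigned or missing binary
        # is still worth a look; the legitimate vendors sign their executables.
        if ($target -and (Test-Path $target)) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') { $reasons += "target signature $($sig.Status)" }
        } elseif ($target) {
            $reasons += 'target missing on disk'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut = $lnk.FullName
                Modified = $lnk.LastWriteTime
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it in the context of the affected user, since the Desktop and Quick Launch paths resolve per profile. The LastWriteTime column matters as much as the Reasons column: a shortcut that has been swapped out and then restored will carry a recent modification time even when its contents look legitimate again, so recently modified .lnk files with no findings are still candidates for a closer look (for example against a known-good copy of the user's profile or the endpoint's file-creation telemetry).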

