CyberCrime - W/E - 1/31/20

Attackers Use Exposed Docker Hosts for Nefarious Purposes (01/29/2020)
While scanning for Docker hosts exposed to the Internet, the research team at Palo Alto Networks identified 1,400 unsecured Docker hosts, 8,673 active containers, and 17,927 Docker images. The majority of the malicious activities involved cryptojacking, but some compromised Docker engines were used for launching other attacks or installing rootkits on the hosts. Sensitive information, such as application credentials and infrastructure configuration, was also found in the exposed logs. The researchers noticed that some attackers mounted the entire host file system to a container and accessed the host operating system from the container to read from and write to it.

Cyber Thieves Selling 30 Million Payment Cards from Wawa Breach (01/28/2020)
Stolen payment card data gleaned from the nine-month Wawa convenience store breach is being sold on the cybercriminal underground, KrebsOnSecurity reported. On January 27, the Joker's Stash, a fraud store, began selling payment cards, which it claimed came from "a huge nationwide breach" and include 30 million card accounts. Two unidentified sources told researcher Brian Krebs that the cards, which make up a stash called "BIGBADABOOM-III," point right back to the Wawa breach.

Hackers Hijack Social Media Accounts for 15 NFL Teams (01/28/2020)
Fifteen National Football League (NFL) teams, including Super Bowl contenders the San Francisco 49ers and Kansas City Chiefs, have had their social media accounts hacked. The NFL's official account on Twitter has also been hijacked. According to ESET researchers, a hacker collective called "OurMine" has claimed responsibility for the incidents, taking over the Twitter, Facebook, and Instagram accounts of some of the teams.

Scammers Spoof FBI Phone Number, Pose as Agents (01/28/2020)
The FBI has seen an increase in phone calls that spoof the Bureau's phone number as part of a Social Security scam. The callers spoof the FBI headquarters phone number, 202-324-3000, so the call appears to be coming from the FBI on the recipient's caller ID. In this scam, fraudulent callers posing as FBI agents inform the victim that his or her Social Security number has been suspended.

xHunt Campaign Uses Watering Hole to Harvest Credentials (01/28/2020)
While analyzing the xHunt threat campaign's activities, Palo Alto Networks identified a Kuwaiti organization's Web page used as an apparent watering hole. The page contained a hidden image which was observed between June and December 2019 and referenced domains associated with malicious activity conducted by the xHunt campaign operators. It is suspected that the threat actors involved in the Hisoka attack campaign compromised and injected HTML code into this site in an attempt to harvest credentials from its visitors.