Cyber Round-up

Cyber Round-up for 21st June

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

U.S. Electric Companies Targeted by TRISIS

XENOTIME, the Advanced Persistent Threat group behind the TRISIS Industrial Control System (ICS) malware, which originally targeted the oil and gas industries, has recently been expanding its focus to electric companies. The Russian-linked XENOTIME group has been spotted exploring the networks of U.S. electric organisations, indicating a potential attack on critical infrastructure. An attack of this nature is believed capable of causing major physical damage and loss of life, making it extremely dangerous. Governments and companies are recommended to work cooperatively to defend critical infrastructure, and the lives of the workers within it, from such devastating cyber attacks.

Airplane Manufacturer ASCO hit by Ransomware Attack

ASCO, one of the world’s largest airplane manufacturers, has been hit by a ransomware attack. After ASCO’s plant in Zaventem, Belgium, was severely impacted by the infection, the company was forced to shut down production in its U.S., Canadian and German factories. About 70% of the Belgian plant’s workers have been given leave for a week until the issue is resolved. ASCO has not revealed whether the ransom has been paid, but it is evident that the damage caused by the attack is severe. Paying the ransom is never recommended; always ensure that you have offline backups available to restore systems and services in the event of an attack.

Cyberespionage Campaign Targeting Middle East

A mobile cyberespionage campaign, named “Bouncing Golf”, has been discovered targeting Middle Eastern countries. The malware involved in the campaign has been identified as AndroidOS_GolfSpy.HRX and possesses a wide range of cyberespionage capabilities. The attack works by embedding malicious code in applications that bad actors have repackaged from legitimate apps. The capabilities of this malware give it the potential to completely hijack an infected Android mobile device, from which attackers can steal device accounts, device locations, stored files and messages. Although the number of devices impacted so far is small, military information was included in the stolen data. Users are recommended to keep their devices up to date with the latest software and to install mobile endpoint security (such as Cisco AMP for Endpoints) to help protect against these types of exploits and rogue applications.

Firefox 0-Day Vulnerability Allows Complete Device Takeover

A new critical vulnerability in Firefox and Firefox ESR allows attackers to completely take over any device affected by the exploit. Due to a flaw in the Array.pop method when manipulating JavaScript objects, an attacker can trigger an exploitable crash that allows control over the affected system. Anyone using Mozilla Firefox is vulnerable to an attack of this nature. Patches have now been released for this vulnerability, available in Firefox 67.0.3 and Firefox ESR 60.7.1. As this vulnerability is being actively exploited in the wild, Mozilla recommends that users update their systems immediately.

Vulnerabilities & Updates

Cryptocurrency Mining Botnet Uses ADB to Spread Through SSH

A new cryptocurrency mining botnet has been discovered that exploits poor default settings, including a lack of authentication on open ADB (Android Debug Bridge) ports. The botnet has the potential to spread to any system that has previously established an SSH connection with the infected host. This vulnerability is present in all Android-based devices, and the botnet has been seen operating in 21 different countries. Users are advised to update their devices immediately and always change any default authentication settings to ensure devices are secure.

Linux Worm Capable of Leveraging a Critical RCE Vulnerability (CVE-2019-10149)

MSRC (Microsoft Security Response Center) recently confirmed the existence of an active Linux worm that could take advantage of a critical Remote Code Execution vulnerability in Exim email servers on Linux. Only customers running Exim versions 4.87 to 4.91 are affected, and it was confirmed that the vulnerability does not exist in Microsoft Azure infrastructure and services. Microsoft recommends that any customers running a vulnerable version of Exim update to the latest fixed version as soon as possible.

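Both the Firefox item above and this Exim item come down to checking an installed version against a stated range, so here is an added example (my own code, not from Ironshare or from either vendor) that encodes the affected ranges exactly as the round-up states them: Firefox below 67.0.3, Firefox ESR below 60.7.1, and Exim 4.87 to 4.91. It parses a banner line such as the output of `exim -bV` or `firefox --version` and reports whether that version falls inside the affected range. The sample banners are constructed, the product labels are my own naming, and the rule table assumes nothing the advisories do not say (an Exim version above 4.91 is simply outside the stated range, not confirmed fixed by this page).

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Affected-version rules taken from the two advisories in this round-up.
# Each rule is (lowest affected version or None, upper bound, whether the
# upper bound itself is affected). Exim: 4.87 to 4.91 inclusive
# (CVE-2019-10149). Firefox: fixed in 67.0.3; Firefox ESR: fixed in 60.7.1,
# so every version below those is affected. The product labels are my own.
RULES: Dict[str, Tuple[Optional[Version], Version, bool]] = {
    "exim":        ((4, 87), (4, 91), True),
    "firefox":     (None, (67, 0, 3), False),
    "firefox-esr": (None, (60, 7, 1), False),
}


def parse_version(banner: str) -> Optional[Version]:
    """Pull the first dotted numeric version out of a banner line, e.g.
    'Exim version 4.91 #1 built 24-Feb-2019' -> (4, 91)."""
    match = re.search(r"(\d+(?:\.\d+)+)", banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare after padding the shorter tuple with zeros,
    so that (60, 7) and (60, 7, 0) are equal rather than ordered by length."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def is_affected(product: str, version: Version) -> bool:
    """True when the version falls inside the product's stated affected range."""
    lowest, upper, upper_affected = RULES[product]
    if lowest is not None and compare(version, lowest) < 0:
        return False
    relation = compare(version, upper)
    return relation < 0 or (upper_affected and relation == 0)


def assess(product: str, banner: str) -> str:
    """Turn a raw banner line into a short verdict for an inventory report."""
    version = parse_version(banner)
    if version is None:
        return f"{product}: unknown (no version found in banner)"
    label = ".".join(str(part) for part in version)
    verdict = "AFFECTED, update" if is_affected(product, version) else "not affected"
    return f"{product} {label}: {verdict}"


if __name__ == "__main__":
    # Constructed sample banners in the shape of `exim -bV` and `firefox --version` output.
    samples = [
        ("exim", "Exim version 4.91 #1 built 24-Feb-2019"),
        ("exim", "Exim version 4.86 #2 built 10-Jan-2016"),
        ("firefox", "Mozilla Firefox 67.0.2"),
        ("firefox", "Mozilla Firefox 67.0.3"),
        ("firefox-esr", "Mozilla Firefox 60.7.0"),
        ("firefox-esr", "Mozilla Firefox 60.7.1"),
    ]
    for product, banner in samples:
        print(assess(product, banner))
```

Run it as a script to see the sample verdicts, or import `assess` into an inventory script and feed it real banner lines. The zero-padding in `compare` is what keeps a two-part version such as 60.7 from being mis-ordered against 60.7.1, and keeping the Exim rule as an inclusive 4.87 to 4.91 range (rather than "fixed in 4.92") mirrors exactly what the advisory states.
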
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #46 – 21st June 2019

Ironshare – Security Simplified