Week 6 Cyberattack Digest 2019 – ExileRAT trojan, Eskom Group, and others
Are you ready for your dose of the hottest cyber security news? As always, we have prepared something interesting for you in our week 6 cyber attack digest.
Rats and cats are trojans
by SC Media – 5 February 2019
Subscribers to a Tibetan Government-in-Exile mailing list were recently targeted by an email phishing campaign aiming to infect them with a remote access trojan. The trojan, dubbed ExileRAT, is designed to gather data stored on a system, retrieve and push files, and execute and terminate processes. Security researchers explain that ExileRAT shares command-and-control infrastructure with LuckyCat, an older RAT attributed to a suspected Chinese APT group of the same name. The LuckyCat trojan had earlier been used to spy on pro-Tibetan activists and sympathizers via their Android and Windows devices. A newer Android version of LuckyCat is capable of removing files, executing apps, recording audio, and stealing contact information, SMS messages, call logs and location data. It is also believed that the trojan can modify the permissions of Tencent’s WeChat chat application, which allows the attackers to retrieve encryption keys and decrypt messages. The Tibetan Government-in-Exile, also known as the Central Tibetan Administration (CTA), seeks independence for Tibet, which is governed as an autonomous region within greater China. The ExileRAT campaign abused the India-based organization’s own mailing list to reach its subscribers, sending them an email disguised as one from the CTA. “This attack was yet another evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities,” concludes the Cisco Talos report. “Having stopped this attack quickly, we hope that the disruption caused by Cisco Talos will ensure the adversary must regroup.”
Major South African power company suffers a breach
by Bleeping Computer – 6 February 2019
South African energy supplier Eskom Group has become the victim of a double security breach. The incident involved an unsecured database containing customer data and a corporate computer infected with the Azorult information-stealing trojan. According to Eskom’s website, the company is based in Johannesburg, South Africa, and supplies over 95% of all the electricity used in South Africa and approximately 45% of the electricity used in Africa. The attacks exposed Eskom network credentials, customer information, redacted customer credit card information, and sensitive business information. The infection came to light when a security researcher known as .sS.! discovered data belonging to Eskom that had been stolen by the Azorult password-stealing trojan. .sS.! tried to notify Eskom through Twitter; in its initial reply, Eskom told the researcher that the account in question was not associated with Eskom. The stolen data indicates that a user with access to Eskom’s internal network was compromised by Azorult. It contains passwords for logging into the Eskom network, corporate email account credentials, a screenshot of the victim’s desktop taken while the trojan was being installed, and other sensitive information. After continued pressure from .sS.! and other security researchers, and emails from the press, Eskom finally acknowledged the infected computer and began investigating.
Olympia Financial Group recovered after an attack
by MarketWatch – 11 February 2019
Olympia Financial Group Inc. (OLY) (“Olympia”) has announced that it has resumed business operations and restored almost all of its information technology systems. The company had earlier suffered a ransomware attack, which it disclosed in a press release on February 3, 2019. Investigations remain ongoing. So far, investigators have found no evidence that customers’ personal information was exposed; should any be found, Olympia says it will notify the affected people immediately.