Avast Security News Team, 5 April 2019
Beware Game of Thrones pirated episodes and a new malware called Xwo, Georgia Tech students are exposed in a breach, and AriZona Iced Tea suffers a steep cyberattack.
Winter is coming for GoT pirates
With the popular HBO show returning this month, cybersecurity experts warn Game of Thrones fans that pirated episodes are among the most malware-infected files in the BitTorrent world. In 2018, 17% of all infected pirated content consisted of Game of Thrones episodes, victimizing a total of 20,934 users. And that was a year in which the show was dark. Over the past two years, researchers have identified 505 different families of threats related to pirated GoT content, including worms, trojans, adware, and downloaders. As the monumental final season looms, fans are advised to find their episodes legitimately.
Data Breach at Georgia Tech
Investigating a performance issue in one of their web applications in March, the Georgia Tech cybersecurity team discovered that a vulnerability in the app had been exploited by a cyber-intruder. In the official notice released this week, the school states that an “unknown entity” illegally accessed a central database that contained the personal info of 1.3 million students, including names, addresses, social security numbers, and birthdates. The statement adds that “the cybersecurity team is conducting a thorough forensic investigation to determine precisely what information was extracted from the system.” They say they are also working to identify which students’ data was affected. While the investigation continues, the school reassures students that the vulnerability which caused the breach has been patched.
Malware that cases the joint
Researchers have identified a new form of malware that is being called Xwo. Instead of infecting systems with ransomware or cryptomining programs, it simply looks and logs. Experts believe it is intended solely for reconnaissance and is therefore most likely a precursor to a much more damaging attack to come. It scans for exposed web services and active default passwords, then sends that information back to its command-and-control (C2) server.
“This attack is designed to gather data and build a list of targets to be compromised afterwards,” warns Avast security expert Luis Corrons. “The attackers could compromise the victims themselves or sell that to the highest bidder.”
Services checked by the malware include FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached, and Tomcat, an open source implementation of the Java Servlet specification. It remains to be seen whether there is another shoe to drop following the spread of Xwo, but all users are advised to change any default passwords they may still have in operation.
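Reconnaissance of this kind leaves a recognizable footprint: one source address touching several of the service ports listed above within a short window. The script below is an added example, not part of the Avast article or any Xwo analysis, showing how a defender could flag that pattern in firewall logs. The log lines, the log format, the standard port numbers for each service, and the three-services-in-five-minutes threshold are all constructed assumptions.

```python
"""
Added example (not from the Avast article): flag source hosts whose connection
pattern resembles service reconnaissance, i.e. one source probing several of
the service ports named in the article within a short time window.
The log format, sample lines, port mapping and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard ports for the services the article lists (assumption: the
# monitored hosts run them on their defaults).
RECON_PORTS = {
    21: "FTP",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    11211: "Memcached",
    8080: "Tomcat",
}

# Constructed firewall log sample: "<timestamp> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2019-04-02T10:00:01 198.51.100.7 -> 10.0.0.5:21 ACCEPT
2019-04-02T10:00:02 198.51.100.7 -> 10.0.0.5:3306 ACCEPT
2019-04-02T10:00:02 198.51.100.7 -> 10.0.0.5:6379 DENY
2019-04-02T10:00:03 198.51.100.7 -> 10.0.0.6:27017 ACCEPT
2019-04-02T10:00:04 198.51.100.7 -> 10.0.0.6:11211 DENY
2019-04-02T10:05:00 203.0.113.9 -> 10.0.0.5:8080 ACCEPT
2019-04-02T10:30:00 203.0.113.9 -> 10.0.0.5:8080 ACCEPT
2019-04-02T11:00:00 192.0.2.44 -> 10.0.0.7:443 ACCEPT
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_recon_sources(log_text, min_services=3, window=timedelta(minutes=5)):
    """
    Return {src: sorted service names} for every source that touched at least
    `min_services` distinct reconnaissance ports inside any `window`-long span.
    ACCEPT and DENY both count: a probe is a probe whether or not it connected.
    """
    events = defaultdict(list)  # src -> [(timestamp, port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port, _action = parse_line(line)
        if port in RECON_PORTS:
            events[src].append((ts, port))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best = set()
        start = 0
        # Sliding window over this source's probes; keep the largest set of
        # distinct ports seen inside one window.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_services:
            flagged[src] = sorted(RECON_PORTS[p] for p in best)
    return flagged


if __name__ == "__main__":
    for src, services in find_recon_sources(SAMPLE_LOG).items():
        print(f"possible service reconnaissance from {src}: {', '.join(services)}")
```

On the sample above only 198.51.100.7 is flagged: it probes five distinct services in three seconds, while the repeated Tomcat connections from 203.0.113.9 and the HTTPS traffic from 192.0.2.44 are left alone. The threshold and window are deliberately conservative; in a real deployment they would be tuned against the normal traffic of the monitored segment, and denied probes deserve the same weight as accepted ones, since the article's point is that Xwo is building a target list rather than exploiting anything yet.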
Ransomware-flavored iced tea
AriZona Beverages suffered a devastating ransomware attack in March, and the billion-dollar iced tea producer is still recovering from the enterprise-wide assault. Experts believe the ransomware attack was the second part of a one-two malware punch suffered by the company. The ransomware hit on March 21, but several weeks beforehand the FBI had contacted the company to report it had been infected with Dridex malware. Dridex is designed to steal passwords, monitor network traffic, and push more malware, including ransomware.
In addition, AriZona had many of its servers running outdated Windows systems, which are ideal targets for cyberattacks. In the March 21 ransomware attack, over 200 of the company’s servers and computers displayed the message “Your network has been hacked and encrypted.” The ransomware used is iEncrypt, for which there is no known decryptor. The company has now invested hundreds of thousands of dollars in rebuilding its network with the necessary modern protections.