5 stories from 2019 you need to know about

Check out these infosec articles from the year to date that you won’t want to have missed.

Threat Intel
4 min read · Apr 18, 2019

We are close to one third of the way through 2019 and, as always, it’s already been a busy year in the world of cyber security. Here are five stories you should know about…

Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.

The Elfin espionage group, aka APT33, has attacked at least 50 organizations in Saudi Arabia, the U.S., and several other countries, over the last three years.

The group specializes in scanning for vulnerable websites and using this to identify potential targets. It has compromised a wide range of targets, including governments, as well as organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors. Saudi Arabia is a big focus for the group, with the country accounting for 42 percent of attacks by Elfin since the start of 2016. However, the U.S. is also a big target of the group, accounting for 34 percent of attacks, with Elfin targeting 18 organizations there over the last three years. Some of these U.S. victims may have been targeted as part of a supply chain attack.

Elfin is one of the most active groups currently operating in the Middle East, targeting a large number of organizations across a diverse range of sectors.

Whitefly: Espionage Group has Singapore in Its Sights

Whitefly, the group behind the SingHealth breach, is also responsible for a string of other attacks in the region, Symantec researchers discovered. Whitefly, which has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.

It compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics, including malicious PowerShell scripts. Whitefly has targeted organizations in the healthcare, media, telecommunications and engineering sectors.

West African Financial Institutions Hit by Wave of Attacks

Attackers using commodity malware and living off the land tools engaged in a campaign of attacks against financial targets in Ivory Coast, Cameroon, Congo (DR), Ghana, and Equatorial Guinea. Banks and other financial institutions in the West African nations have been targeted by the attacks, which have been underway since mid-2017.

Whether the attacks were the work of one or more groups remains unknown. However, they share some commonalities in terms of the tools and tactics employed. Before this wave of attacks, Symantec had seen relatively little evidence of these kinds of attacks against the financial sector in West Africa. It now appears, however, that at least one group, and possibly more, is actively targeting banks in the region.

Two in Three Hotel Websites Leak Guest Booking Details and Allow Access to Personal Data

Research that looked at the websites of more than 1,500 hotels in 54 countries found that two in three, or 67 percent, of these sites were inadvertently leaking booking reference codes to third-party sites such as advertisers and analytics companies.

The information leaked by these websites could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether.

Data leaked by the majority of the hotel reservations systems included: full names, email address, postal address, mobile phone number, last four digits of credit card, card type, and expiration date, as well as passport number. Read more about this and about mitigation steps that can be taken in the full blog.
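A defender-side check for the kind of leak described above, added here as an example and not part of the original post or the underlying research: it assumes the booking reference and guest e-mail travel in the query string of the hotel's confirmation page, and looks for those values in the URLs and Referer headers of the requests that page makes to third-party hosts (all sample data below is constructed).

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the hotel's confirmation page and the requests it triggered.
PAGE_URL = "https://hotel.example/booking/confirm?ref=ABC123&email=guest%40example.org"
THIRD_PARTY_REQUESTS = [
    # Ad pixel that copies the full page URL (booking code included) into its own URL.
    {"url": "https://ads.example.net/pixel?u=https%3A%2F%2Fhotel.example%2Fbooking%2Fconfirm%3Fref%3DABC123",
     "referer": PAGE_URL},
    # Analytics beacon that only sees a trimmed referer: nothing sensitive reaches it.
    {"url": "https://analytics.example.com/collect?page=/booking/confirm",
     "referer": "https://hotel.example/"},
    # Hotel's own CDN: first party, so not a third-party leak.
    {"url": "https://cdn.hotel.example/app.js", "referer": PAGE_URL},
]

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the sample hosts, not a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])

def is_third_party(url: str, page_url: str) -> bool:
    """True when the request goes to a different registrable domain than the page."""
    return registrable_domain(urlsplit(url).hostname or "") != \
        registrable_domain(urlsplit(page_url).hostname or "")

def sensitive_values(page_url: str, params) -> dict:
    """Values of the booking-related query parameters present on the page URL."""
    qs = parse_qs(urlsplit(page_url).query)
    return {p: qs[p][0] for p in params if p in qs}

def find_leaks(page_url: str, requests, params=("ref", "email")):
    """Return (third_party_host, channel, param) for each sensitive value that reaches a
    third party, either inside the request URL or via the Referer header."""
    secrets = sensitive_values(page_url, params)
    leaks = []
    for req in requests:
        if not is_third_party(req["url"], page_url):
            continue
        host = urlsplit(req["url"]).hostname
        decoded_url = unquote(unquote(req["url"]))  # also catches percent-encoded copies of the page URL
        for param, value in secrets.items():
            if value in decoded_url:
                leaks.append((host, "url", param))
            elif value in unquote(req.get("referer", "")):
                leaks.append((host, "referer", param))
    return leaks

if __name__ == "__main__":
    for host, channel, param in find_leaks(PAGE_URL, THIRD_PARTY_REQUESTS):
        print(f"{param} leaked to {host} via {channel}")
```

Leaks reported on the "referer" channel are closed by serving the page with a Referrer-Policy of no-referrer or strict-origin; leaks on the "url" channel mean a third-party script copied the value itself, so the booking code has to come out of the page URL.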

ASUS Software Updates Used for Supply Chain Attacks

In March, it emerged that the ASUS update system had been hijacked to send out malicious updates to as many as half a million computers. This supply chain attack started in June 2018 and continued through to at least late October. The Trojanized updates contained a form of backdoor program which attempted to connect to an attacker-controlled domain. The updates were signed with legitimate ASUS digital certificates. The attackers in this case appeared to be going after a specific group of about 600 users, and seemingly had no interest in the other machines they infected.

Check out the Security Response blog for the full versions of all of these stories, and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.


Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.