The cyber-security company Cybereason issued a report last week on a new malicious campaign carried out in Japan, which uses Ursnif trojan to steal bank-related information. The cyber-attack begins when the user receives a phishing email that contains an infected Office document, which asks for permission to enable macros; thus, tests to verify if the victim is in Japan begin. Once it is confirmed, a PowerShell payload – fixed in an image – executes Bebloh trojan, which would later download the Ursnif from the malicious actor's server. Attacks using the mentioned trojan are not uncommon in the country; however, in this campaign, the hackers have overhauled and added functionalities that make it more persistent and difficult to detect. Some of the features are modules targeting anti-PhishWall and Rapport; IE, Outlook, and Thunderbird stealers; and software specialized on disk encryption and theft of cryptocurrency. 

We assess that attackers will continue to develop malicious campaigns in the long-term; those likely will keep using Ursnif trojan in combination with other malware to target Japanese users of online banking services. The mentioned trojan first appeared in 2013, but its usage has been extended since its code became public in 2015. Furthermore, the expansion of financial services has also made this type of attacks more attractive. We find it that there is an even chance that the module focused on disabling the anti-PhishWall and Rapport functions and poses a risk to the potential victims. Although the researchers were not able to corroborate that said module is running as the attackers intended, its presence denotes an interest in overriding security measures; those features likely will be worked on in future campaigns. We recommend clients operating in Japan to consider informing personal that manages bank credentials of this new malicious campaign. We further advise clients ascertaining the origin of office documents before enabling macros. 

Citrix announced last week that they had found a data breach which compromised 6TB of their clients' sensitive information. As disclosed by the company, the FBI warned them that Resecurity, a cybersecurity firm, had discovered the breach on March 6. The hackers performed a password spraying attack, which consists of finding and exploiting the less secure passwords to spread malware and gain special permissions to gather the desired information. According to Resecurity, the attack was directed by the Iranian-backed hacking group IRIDIUM.

This serious data breach, facilitated through the simple and highly effective method of password spraying, highlights the need for increased password security practices. A research study by the UK's National Cyber Security Centre found that 75% of employees from participating organizations used one of the top 1,000 passwords. IRIDIUM previously conducted a cyber-attack on Citrix in December 2018 and has been linked to more than 200 attacks worldwide. They mainly target technology and energy companies but have also attacked government agencies. We advise all clients relying on Citrix to contact the company immediately to ascertain if their information was compromised. Further, organizations are encouraged to reiterate the importance of strong passwords to their employees and consider the use of multi-factor identification to reduce the risk of successful cyber-attacks. 

• Last week in India, it was released that a researcher found that a server that contained sensitive information of over 450,000 Delhi citizens had not been appropriately configured, leaving the information accessible to cyber-attackers.
• Recently, developers from Drupal, the free and open-source content management framework, announced that their security team had discovered a new vulnerability in their system and had consequently released a new version to address the problem. 
• As disclosed during the recent NDSS Symposium, a group of researchers found three different types of cyber-attacks that could be perpetrated against 4G and 5G LTE mobile networks. 

In the UK, packages containing explosive devices were discovered last week at London City Airport, Heathrow Airport, and Waterloo station within three hours of one another. No injuries occurred as a result of the packages. The packages were white postal bags containing small improvised explosive devices and were stamped by the Irish postal service. The package discovered at Heathrow Airport caught fire when opened by a staff member. Bomb technicians carried out controlled explosions on the other packages. The discovery of the devices did not impact air or rail services. Media reports indicated that an additional suspicious device was found at the University of Glasgow that police believe is possibly linked to the three packages sent the day prior. 

The possibility of additional package bombs cannot be ruled out, and the threat is highly likely to remain elevated in the days leading up to the March 29 Brexit decision. A "No Deal" Brexit outcome is projected to have significant economic and security consequences in Northern Ireland. In addition to the heightened tension surrounding the Brexit proceedings, a decision on whether to prosecute Northern Ireland soldiers for their role in the 1972 Bloody Sunday massacre is expected to be announced next week and will likely give rise to civil unrest no matter the outcome of the announcement, particularly in major urban centers in Northern Ireland. Days after the packages were found, the threat of Northern Ireland related terrorism in Britain remains "MODERATE" according to the domestic security agency, M-I-5. However, according to M-I-5, the threat of international terrorism remains "SEVERE." While a link to the Irish terrorist groups Real Irish Republican Army and New IRA has not been confirmed, the markings on the packages as well as the current tensions in the UK between Northern Ireland and England contribute to the possibility of IRA involvement. 

The discovery of any further devices is likely to lead to localized disruptions and increased security forces presence. We further find it likely that there will be an increase in security forces presence in Northern Ireland over the long term as tensions increase, likely causing logistics and travel disruptions for clients operating in the region. We advise clients throughout the UK to remain vigilant and report any observed suspicious activity or packages to the police or the anti-terrorist hotline. We advise against approaching or interacting with any suspicious persons or packages. 

Last month, the international medical humanitarian organization, Doctors Without Borders, announced that two of its Ebola attention centers in the Democratic Republic of the Congo had to be temporarily closed. The decision came after the organization suffered two attacks to their facilities. The first assault occurred in the medical center located at Katwa in the north-eastern area. An unidentified group bounced into the location, threw stones, and set fire to the center. One person was killed, and another was injured. The building and equipment were severely damaged. Later, a second attack took place at a medical center located at Butembo. The attackers tried to set fire and shoot the building. The motives behind these attacks are still unknown. Katwa and Butembo are the main health zones affected in the country. So far in 2019, the Health Minister of the DRC has registered almost 870 cases of Ebola. Before the attacks, five new cases were reported: two in Katwa, and three in Butembo. 

We find an even chance that more attacks will continue in the short term. Additionally, it is likely that other medical humanitarian organizations will reduce operations in the country as preventive measures. We find it likely that Ebola will continue to propagate; countries such as Uganda, Rwanda, and South Sudan may be at risk if the virus is not controlled. We advise clients to avoid travel to the region due to the health risk and limited medical attention. The country has a high rate of crime and civil unrest, and there are limited emergency services for foreign nationals. We recommend clients with interest in the DRC to follow on the development of the situation, so to consider adjusting operation plans if this type of attacks continues. 

American government agencies and business have been the target of many malicious attacks by nation-state actors. Analysts at the National Security Agency recently claimed that most of the cyber-attacks are from Iranian and Chinese hackers. Since U.S. President Donald Trump's decision to conclude the nuclear deal with Iran, as well as constant trade tension between China and the U.S., the attacks have increased. According to media reports, Iranian hackers have attacked government agencies, banks, corporations, and other entities. However, the Chinese cyber-attacks have focused on companies related to the U.S. military, such as technology companies, to gather classified information about trade, military intelligence, and plans.

We assess that the consistent cyber-attacks on government agencies and corporations in the U.S. will likely continue as intelligence agencies have not identified the responsible parties yet due to the complexity of the attacks. According to media reports, there are many enterprises have been targeted by malicious actors such as Boeing, T-Mobile, General Electric Aviation, among others; however, there is not enough information to conclude how damaging the attacks were. In 2015, China and the U.S. reached a cyber-agreement to monitor malicious cyber-activities to decrease the number of attacks and to cooperate in high-level summits to develop mechanisms against cyber-crimes. We recommend clients, especially those with operations in the U.S., ensure their systems have the latest security patches and anti-virus/anti-malware software. Furthermore, we advise clients to monitor incoming requests to the internal network, principally from Iranian and Chinese based IP addresses.

Carbon Black, a cyber-security research firm, announced last week the discovery of a new macOS malware variant of "Shlayer" targeting operating system version 10.10.5-10.14.3. Unknown malicious actors cloak the malware as an Adobe Flash update on large numbers of websites, including some that appear to be legitimate domains. The malware escalates privileges after infection. Distributed through DMG, PKG, ISO, and ZIP files, many of which possess legitimate Apple developer credentials, the malware collects system information, creates a custom URL with the collected information, and then downloads the second stage. Following this second stage, the malware attempts to harvest the password-protected payload and stores it in an archive. The malware then attempts to escalate privileges to gain root access to the device to download additional software and disable the system's Gatekeeper. 

As the malware possesses legitimate domains and developer credentials, we assess that the malware poses an increased threat to clients who utilize macOS devices. Further, as the malware affects recent versions of macOS, wen find it unlikely that installing the latest versions of macOS will best mitigate the threat of this malware variant. We recommend clients closely scrutinize any website-based prompts to update or install Adobe Flash. Any clients who must use Adobe Flash are recommended to ensure that the program is updated to the most recent version through the program itself. 

Open sources reported last week that malicious actors initiated a phishing campaign that uses Google Translate as a facade to steal Google and Facebook credentials. According to experts, the process starts with phishing emails pretending to come from Google with the subject "Security Alert." The content warns about an unverified log-in from a Windows device, and it recommends pressing a button to consult the activity. After the user clicks the link, it will redirect to a Google Translate page that simulates a Google Account log-in. Researchers stated that the phishing page is harder to detect through a mobile browser as it hides better the Google Translate interface and resembles a more legitimate Google Account log-in. If the user enters the information requested, the attackers receive the information via email. Afterward, it redirects to a Facebook log-in page to start the same phishing process. Malicious actors can steal accounts, passwords, and other data related to the person's verification settings such as phone number and alternate email address.

We expect that more phishing campaigns will appear in short to medium term as malicious actors are rendering more sophisticated methods to steal data from individuals and large firms. Cisco systems estimated that 28.5 billion devices would be connected to IP networks by 2022 which means that approximately every person will own an average of 3.6. Therefore, we find it highly likely that cyber-attackers will remain a relevant threat in the long term. We recommend clients to avoid opening Google security alerts or ensure that the source of the email is legitimate. If the link directs the user to a Google Translate page, do not write any data and immediately close the window browser. We further advise clients to be vigilant about the information provided in digital sites as well as the reliability of its source.

In India, it was reported last week that economic specialists have continued to discuss the economic trends in the Indian market and how to face the main challenges in terms of monetary policy. Several economic indicators show that the Indian economy is slowing: the consumer-price growth is lower than the target set, the 10-year bonds have lost value, and the Indian rupee is one of the worst performing currencies in Asia. The Central Bank and economists are debating which measure could boost the economy based on the two inflation rates, regular and core. They expect that both indicators could meet in the medium term to gather more information about the market; thus, the Monetary Policy Committee could decide the policies. There is also a parallel discussion taking place on whether the Indian Central Bank will cut or maintain the interest rates.

We assess that because India is one of the biggest economies in the world, its economy's slowdown could have long-lasting and far-reaching ripple effects throughout several regions, but especially those close to the country. The main difference between the regular and core inflation rates is that the core inflation eliminates volatile price indicator such as food and fuel prices. The core inflation rate helps to understand better the economy in a more extended period, explaining why many economists prefer this indicator to establish monetary policies. We consider it likely that the regular rate will move towards the other, thus reducing the volatility of the food and fuel prices in the long-term. We recommend clients in India and neighboring countries monitor both inflation rates to understand better how the Indian economy is reacting to the different variables and how it will vary in the future. 

Late last month, Tech Crunch disclosed an investigation regarding a specialized app distributed by Facebook via third parties and used to collect users' smartphone activities. Facebook's Research app was first distributed in 2016 by three beta testing programs: Applause, uTest, and Betabound. Once downloaded, the app has to remain running in the background, and, in return, the user receives $20 US dollar per month in e-cards, and another $20 per every friend referred to the app. The app grants Facebook access to decrypted messages, encrypted messages, Amazon purchase history, web searches, email usage, social networks, all app related information, and games. On March 2018, Facebook used another VPN app named Onavo to gather all the users' data even though it transgressed Apple Store's non-data collection policies; the app was later removed from the store.

We expect the information gathering methods to continue increasing in the short to medium term as the revenue obtained for the selling and analysis of sensitive data is considerably high. Apple has now blocked Research App from the Apple Store and could revoke Facebook's certificates to distribute employee-only apps. The incident will continue to cause tension in the relationship between both companies, as Apple's CEO has continuously criticized Facebook's data-gathering policies. We advise all clients to instruct their employees to immediately uninstall Research App as all work-related sensitive information could be exposed to Facebook. Furthermore, clients are encouraged to thoroughly read the privacy agreements before downloading any app on their devices. Open sources reported last week that widely used Remote Desktop Protocol has 25 security vulnerabilities that allow malicious servers to attack the client's computer. In a normal situation, an RDP client connects to a remote RDP server. After the connection has been established, the RDP client can access and control the remote computer. However, researchers found that security vulnerabilities allow malicious RDP servers to attack and control the client's device. Experts tested these vulnerabilities on FreeRPD and rdesktop, two of the most common open-source RPDs, and found that significant vulnerabilities allow malicious actors to execute malicious code in the client's device. Cyber-security researchers further warned that Microsoft's RDP is vulnerable to attacks via the client's clipboard. Malicious actors can eavesdrop and copy executable malware into the client's computer.

As technical users and IT administrators commonly use RDP clients to connect remote computers into a specific network, we assess that RDP vulnerabilities will be a relevant risk in the immediate to medium term. We recommend clients to inform their IT department about the significant vulnerabilities in the identified RDP clients and to update future versions as it is highly likely that developers will address these issues. As malicious actors are currently rendering complex methods to attack electronic devices, we recommend clients to run routine analyses focused on RDP vulnerabilities to ascertain data breaches or malware. If clients use Microsoft built-in RDP, we advise disabling the clipboard-sharing function until the issue has been patched.

Last week in the US, Discover Financial Services Inc. informed the Office of California's Attorney General of a data breach that they discovered in August 2018, and might affect some of its clients. The company filed a formal notification on January 25; however, the document does not provide information on the number of impacted cardholders, nor on the specific information that was compromised. The company has started to issue a new card for its clients and, in some cases, new account numbers to prevent any fraudulent schemes. The company was emphatic in its pronouncements that the systems were not hacked and that it was a routine notification – required under California state law if more than 500 residents are involved. 

We find it highly likely that the company will continue to replace the cards of the potentially affected clients in the short to medium term as a measure to diminish the risk of fraudulent operations. Furthermore, Discover has announced that they would cover unauthorized purchases made possible due to this breach. Because of the actions that were taken by the company, we assess that the compromised data has an even chance of only being related to the clients' cards. However, since there is no clarity on the precise information that was breached, we recommend potentially impacted clients to remain alert for social engineering attacks. We further advise exercising caution and closely monitor bank statements in the mid to long term for any abnormal movements and, should the client found any, promptly report it to the company. Recently, Airbus announced that a data breach was detected in the first days of the year in the "Commercial Aircraft Business" systems, specifically those containing Airbus employees' personal information. After a thorough investigation, the company concluded that no systems related to aircraft production and development were compromised. However, the breach caused the attackers to be able to retrieve IT and professional information of the European Division. The company announced the enhancement of their corporative and personnel cybersecurity protocol and assured that the production lines will continue to work as usual and that no delays are expected to occur as a result of the attack.

We assess this will be a relevant matter for all clients operating in the aircraft industry as the mentioned incident is the second data breach suffered by a major aircraft construction company in less than a year. In March 2018, the American aircraft assembler Boeing suffered a ransomware attack in low importance systems. We recommend all clients to increase their cybersecurity protocols to have better defenses in case of a cyber-attack and to instruct their employees on how the company's security could be compromised if they click on unverified websites, emails, links or if they download unknown documents. 

Security researchers at RiskIQ in France recently reported a new group as part of the Magecart collective which recently targeted French advertising agency Adverline. The new group, known as Magecart Group 12, conducted their attack by injecting malicious code into a JavaScript library that controls retargeting advertising. The malicious code, similar to previous Magecart attacks, contains a web-based skimmer which steals credit card information. As a result of the attack, Trend Micro identified over 270 e-commerce sites with the skimmer installed, across a range of commerce lines. Some affected sites included those used for travel, cosmetics, healthcare, and apparel. As noted by security researchers, the skimmer code prevents deobfuscation and analysis by conducting frequent internal integrity checks. 

We assess that given the ongoing success of Magecart attacks, they will continue in the immediate to long term. Additionally, with a new threat group joining the Magecart collective, we assess it likely that there will be both an increase in attacks as well as significant developments and innovations to the coding used to conduct them. We advise clients who have conducted any e-commerce activities with companies based in France to monitor their credit card bills for abnormal activity. Additionally, given Magecart's willingness to attack high-profile targets such as attacks on Ticketmaster, British Airways, and Newegg last year, any clients involved in e-commerce are advised to ensure all cyber-security measures have the most recent security patches and updates installed, and that cyber-security best practices are being used to secure commerce networks.

Last week, an independent security researcher was able to locate a database that contained around 24 million documents liked to loans and mortgages from several financial institutions in the United States that dated back to 2008. Some of the records contained sensitive and personal data such as name, birth date, social security number, address, bank account number, W-2 tax forms, among others. Due to the amount of found information, researchers found it difficult to trace back the holder of information; however, later it was found that the documents were in possession of Ascension – a company in Texas that provides analytic and data services. The documents were taken down by January 15, but they have been exposed for at least two weeks. At present, there is no certainty of how many persons were affected by this breach, but a partner company of Ascension stated that affected clients would be notified.

Although the systems of Ascension reportedly were not compromised, because of the sensitive nature of the exposed information, we assess that the data breach poses a significant threat to affected clients. At present, researchers were able to corroborate that there were documents from institutions like Wells Fargo, Capital One, Citigroup, and the Department of Housing and Urban Development. We find it likely that other affected companies might emerge as the investigations continue. We recommend potentially affected clients to follow on the results of the investigation and to be aware of a possible communication regarding the data breach. Currently, the company has not given information on where concerned people could ask for further details. Therefore, we advise all potentially impacted clients to exercise caution and closely monitor credit statements and tax claims in the mid to long term for any abnormal movements. 

In Colombia, a terrorist attack was reported last week at Francisco Paula de Santander Police Academy located in southern Bogota. The suicide bomber evaded the security officers on the entrance, crashed into one of the academy's buildings and detonated a device as a group of students, and the entrance guards were approaching. The explosive device was composed of 80 kg of pentolite and killed at least ten cadets, injured another 65 police officers, and damaged the windows from buildings and homes outside the complex. The pentolite is also known as buster and is commonly used to clear terrain as well as in mining works; it is comprised of nearly 40% TNT. The police academy hosted a General Brigadier graduation ceremony minutes before the attack took place.

Pinkerton expects the situation to worsen as special anti-terrorist operations and governmental retaliation measures are expected to take place. This situation could also affect the government's resolution to continue the peace talks with the Ejercito de Liberacion Nacional (ELN), the biggest guerrilla group in Colombia, even though there have been no specifications on whom ordered the attack. We advise all clients operating in the country to be vigilant when near police buildings or police officers' concentrations as crime groups specifically target authorities´ buildings. Clients from the energy and mining industries are advised to enhance their security measures as they tend to be the primary targets. Furthermore, travelers are encouraged to flee the scene and follow the authorities' instructions in case of an attack.

Also last week, a terrorist attack took place in Kenya at the d2Dusit business compound in Kileleshwa, Nairobi. The attack was perpetrated by six heavily armed men who stormed the complex by shooting security guards and throwing grenades at parked cars. The terrorists then moved into the compound's diners, attacked a bank, and finally barricaded themselves at the complex's hotel. While they were barricaded, they fought against special security forces while police officers cleared the rest of the compound. The attack left at least seven casualties, several wounded, and one detained person. The Islamic extremist group al-Shabaab claimed responsibility for the attack.

We expect the security situation in Kenya and in the neighboring country of Somalia, where Kenya initiated military expeditions in 2011, to eradicate the al-Shabaab group, to remain tense in the medium to long term. The terrorist group is affiliated with Al-Qaeda and has committed various attacks in Kenya, and against Kenyan armed forces stationed in Somalia dating back to 2013. We advise all clients traveling to or operating in Kenya and Somalia to take extreme precautions as special anti-terrorist operations and governmental retaliations are expected to take place all over the city. Additionally, clients are advised to closely monitor the authorities' recommendations and announcements on the matter.

Last week in Mexico, multiple homicides were reported in Las Virginias Bar located near the tourist area of Playa del Carmen, in Quintana Roo State. According to state authorities, seven people died on the scene after two armed people entered the location and started the shooting. According to the Ministry of Public Security of Quintana Roo, the armed attack may be related to drug trafficking gangs. The authorities also announced that there were no tourists involved in the shooting. So far, the local attorney office has confirmed the capture of two alleged criminals linked to the attack.

Pinkerton finds that violence in Quintana Roo has not diminished in recent months despite the capture of dozens of alleged criminal leaders. Instead, the crimes have increased, particularly, after the arrest of Leticia Rodriguez, also known as "Dona Lety" or "La 40," who controlled the drug trafficking and illegal activities in the Riviera Maya, which includes Cancun, Solidaridad, Tulum, Carrillo Puerto, and Puerto Morelos municipalities. Specialists had claimed that increasing violence in the region could be related to the security operations deployed in September 2018, when the new administration of the Ministry of Public Security of Quintana Roo arrived. Clients in Quintana Roo are advised to raise their situational awareness at all times.  In Argentina, a Hantavirus outbreak was reported last week at Epuyen Town in the province of Chubut, located in the Patagonia region. There have been at least nine confirmed deaths, and 24 cases, all of them reported to be in a critical situation. The virus symptoms are similar to those of the common flu at the beginning; however, the respiratory complications escalate rapidly and evolve into the dangerous Hantavirus Pulmonary Syndrome, which is usually accompanied by cardiac complications that increase the risk of death. The virus has a mortality rate of about 40% and is transmitted when people inhale the rodents' waste or have contact with their saliva. The virus may be transmitted from human to human on early stages when there is direct or indirect contact with the infected person's saliva.

We expect the outbreak to continue in the short term as various individuals in town entered in contact with infected people during a social gathering. Authorities have taken 400 samples from people inside the town, have quarantined 50 and are considering constraining 60 more into obligatory isolation. We advise all clients traveling to the province of Chubut to avoid the area as much as possible. Clients already operating in the region shall remain aware of the sanitary authorities' announcements on the matter as new restrictive measures are likely to take place. Furthermore, clients are advised to assure that they do not have rodent infestations in their installations, and if positive, to immediately contact a pest control specialist.