List of Data Breaches, Malware, Vulnerabilities, Scams, and Issued Patches in October 2018
Ransom.Python.PYLOCKY.B • Nov 5, 2018
As in the previous month, October saw a volley of cybersecurity incidents that affected several organizations, systems, processes and more.
Researchers uncovered several new malware families and examined the latest versions of existing ones. iTranslator, GreyEnergy, MartyMcFly and the Chalubo botnet are the new malware found targeting industries in different sectors, while AZORult Trojan 3.3, Ransom.Python.PYLOCKY.B and Kraken Crypto Ransomware 2.6.0 were uncovered with enhanced capabilities. In addition, security experts demonstrated a new attack method, dubbed the NFCdrip attack, that could allow attackers to exfiltrate data from air-gapped devices via NFC frequency.
Hackers were found exploiting authentication bypass vulnerabilities, remote code execution vulnerabilities and other critical security flaws to gain access to the systems, servers and networks of organizations.
As for breaches, security experts discovered records of around 35 million US voters being sold on the Dark Web for a price of up to $42,200.
Scammers were, as usual, found leveraging common social engineering techniques to trick users into revealing personal and financial data.
Here's an aggregated list of all breaches, malware, vulnerabilities, patches and scams reported in October.
Breaches
British ministers' phone numbers leaked in app flaw
Hackers Are Selling Botnets and Stolen ‘Fortnite’ Accounts Over Instagram
Website flaw Exposed a Canadian ISP’s Entire Customer Database
Cybercriminals impersonate Sequoia; request capital call to get money wired to Mexico
Gwinnett Medical Center investigates possible data breach
Russia Accused in Cyberattacks on Investigators Pursuing Doping and Poisoning Cases
Experian flaw reveals PINs protecting credit data
Annapolis Library Computers Infected with Emotet, Almost 5K Customers Affected
Google+ to be shut down after data breach exposed sensitive details of over half a million users
Ukraine's State Fiscal Service Disrupted by Cyber Attack
Naughty Hacker Steals $38k from SpankChain CryptoCurrency
Hackers target the Queensland government with online attacks
DDoS Attacks Target Multiple Games including Final Fantasy XIV
New Magecart hack detected at Shopper Approved
Rebound Orthopedics & Neurosurgery phishing attack results in data breach
PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters
Largest Cyber Attack Against Iceland Driven by Fareit-Remcos Combo
Facebook Data Breach Update: Hacker Accessed Personal Details for 29 Million Accounts
Madison County Idaho hit with ransomware attack
Pentagon says cyber breach of travel records may affect up to 30,000 Defense Department employees
Scottish Ambulance Service Exposed Employees' Data Online
US voter records from 19 states sold on hacking forum
Double Whammy: Ransomware menace soaks water-logged utility ravaged by Hurricane Florence
Security flaw in libssh leaves thousands of servers at risk of hijacking
Hackers accused of ties to Russia hit three East European companies: cybersecurity firm
Facepunch 2016 breach exposed 343,000 users
VestaCP users warned about possible server compromise
Thousands of Neoflam Clients Had Their Data Leaked After Buying Frying Pans
Medicare & Medicaid Service Suffers Data Breach; 75000 People Affected
Trade.io loses $7.5Mil worth of cryptocurrency in mysterious cold wallet hack
Gamma ransomware compromises data on 16,000 patients at California hernia institute
Hackers deface website of Saudi investment forum
Adult Website Hack Exposes 1.2 Million Users
A Washington ISP exposed the ‘keys to the kingdom’ after leaving a server unsecured
Canadian satellites vulnerable to cyberattack, Defence note warns
Cathay Pacific flags data breach affecting 9.4 million passengers
Data leak at consulting firm handling fundraisers for the Democratic party
Pocket iNet Leaves 73 GB of Sensitive Data Exposed
Canadian Crypto-Exchange Shutters After $6m ‘Hack’
Girl Scouts Alerted to Possible Data Breach
Data breach compromises 64,000 Tomorrowland festival attendees
Pakistani bank denies losing $6 million in country's 'biggest cyber attack'
Iranian Hackers Hit U.K. Universities Offering Cybersecurity Courses
Predictive Policing Tool’s Website Exposes Login Pages for 17 US Police Departments
Check this out: Radisson Hotel Group 'fesses up to 'security incident'
Social Security Numbers, PII Stolen in NorthBay Healthcare Data Breach
Malware
Sites Trick Users Into Subscribing to Browser Notification Spam
Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks
Phishing campaign targets developers of Chrome extensions
Roaming Mantis: iOS crypto-mining and spreading via malicious content delivery system
Dark Web Azorult Generator Offers Free Binaries to Cybercrooks
North Korean Hackers Are Back With New Malware Exploiting Word Macros
Nine NAS Bugs Open LenovoEMC, Iomega Devices to Attack
GrandCrab Ransomware Spreads Using Multiple Known Vulnerabilities
New ATM Attack Uses Custom Skimmers to Steal Credit Card Data and PINs
Researchers use Android password managers to make phishing attacks more practical
The ‘Gazorp’ Azorult Builder emerged from the Dark Web
Astaroth Trojan Malware Returns to Infect South American Users
DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
Analyzing the GandCrab v5 ransomware
Hackers can use Microsoft Sway to carry out phishing attacks 'without fear of detection'
Fortnite Cheaters Targeted Using Data Stealer
South African phones targeted by notorious ‘governments only’ spyware
Rise in data-stealing Betabot malware
Phishing gets more complex as decoy PDF pops up with Microsoft-issued SSL certificate
Researchers Link New NOKKI Malware to North Korean Actor
New Danabot Banking Malware campaign now targets banks in the U.S.
SharePoint scam, and Word-delivered ransomware target users
Malware Has a New Way to Hide on Your Mac
Betabot trojan packed with anti-malware evasion tools
Attacking a Mac: Detecting MacOS Post-Exploitation
Phishing Attacks Distributed Through CloudFlare's IPFS Gateway
Fake News Domains Spoof UK News Sites
Viro Botnet Uses Spamming and Keylogging Capabilities to Spread Ransomware
Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware
AirNaine Uses New ARS RAT Strain Named ZeroEvil Against Canadian Businesses
Crypto-jacking epidemic spreads to 30K routers across India
Gazorp Malware Builder Offers Free, Customized AZORult Attacks on the Dark Web
Man the harpoons: The KRACK-en reawakens in updated WPA2 attack
PoC Attack Escalates MikroTik Router Bug to 'As Bad As It Gets'
Security Researchers Bypass Windows 10 Ransomware Protection Using DLL Injection
Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs
Panda Banker Trojan becomes part of Emotet threat distribution platform
URSNIF Phishing Campaign Spreads Malware by Replying to Existing E-mail Threads
Researchers KRACK Wi-Fi Again, More Efficiently This Time
The Many Faces of Necurs: How the Botnet Spewed Millions of Spam Emails for Cyber Extortion
German-language threats span phishing, BEC, malware, and more
Innovative Phishing Tactic Makes Inroads Using Azure Blob
Security researchers find solid evidence linking Industroyer to NotPetya
New Android Trojan Gplayed Adapts to Attacker's Needs
GandCrab ransomware on roll: Operators team up with crypter service
iTranslator Malware Installs Two Drivers to Perform a MitM Attack
Fake browser update seeks to compromise more MikroTik routers
Hackers hide cryptocurrency mining malware in Adobe Flash updates
Malware Lands on the Windows 10 Store Disguised as Google App
Android Apps Pretend to Mine Unmineable CryptoCurrencies to Just Show Ads
New Technique Recycles Exploit Chain to Keep Antivirus Silent
A simple message containing certain symbols could crash the Sony PlayStation 4
Breaking Down the Rapidly Evolving GandCrab Ransomware
Malicious Redirects from NewShareCounts.com Tweet Counter
Vending Machine App Hacked for Unlimited Credit
Researchers Develop NFCdrip Attack to Exfiltrate Data Over Long Ranges
Password and credit card-stealing Azorult malware adds new tricks
SettingContent-ms can be Abused to Drop Complex DeepLink and Icon-based Payload
Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption
Godzilla Loader and the Long Tail of Malware
The Emergence of the New Azorult 3.3
DarkPulsar and other NSA hacking tools used in hacking operations in the wild
Updated Azorult malware for sale on the Dark Web
Indiana National Guard hit by ransomware
jQuery? More like preyQuery: File upload tool can be exploited to hijack at-risk websites
GPlayed Android Trojan Imitates Google Apps to Spy On and Steal Data From Victims
sLoad and Ramnit pairing in sustained campaigns against UK and Italy
Burned malware returns: Fingers pointed towards Hacking Team
Advertisers can track users across the Internet via TLS Session Resumption
Chalubo DDoS Botnet Compromises Linux SSH Servers Using Brute-Force Attacks
Two new supply-chain attacks come to light in less than a week
Mac malware intercepts encrypted web traffic for ad injection
This is how government spyware StrongPity uses security researchers' work against them
Malware Targeting Brazil Uses Legitimate Windows Components WMI and CertUtil as Part of its Routine
sLoad Banking Trojan Downloader Displays Sophisticated Recon and Targeting
Free GrandCrab Ransomware Decryption Tool Released by Bitdefender
Google Play Apps Infected with Banking Trojans Found on Thousands of Devices
Worrying Windows 10 wrecking-ball weapon weirdly wanders wildly on worldwide web
New DDoS botnet goes after Hadoop enterprise servers
Side-Channel Attack Exposes User Accounts on Facebook, XBox, Other Social Sites
Misconfigured Container Abused to Deliver Cryptocurrency-mining Malware
Malware Distributors Adopt DKIM to Bypass Mail Filters
New FilesLocker Ransomware Offered as a Ransomware as a Service
PoC Attack Leverages Microsoft Office and YouTube to Deliver Malware
New Campaign Uses RTF Files to Drop Agent Tesla Trojan and Other Malware
HTTP-Botnets: The Dark Side of a Standard Protocol!
Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
Kraken Ransomware Emerges from the Depths: How to Tame the Beast
GandCrab 1,4 and 5 Decryptor Available
New SamSam ransomware campaign aims at targets across the US
CommonRansom Ransomware Demands RDP Access to Decrypt Files
Emotet malware gang is mass-harvesting millions of emails in mysterious campaign
New iPhone Passcode Bypass Found Hours After Apple Releases iOS 12.1
Assault and battery: Malvertising campaign checks user device' charge as anti-detection technique
Vulnerabilities
Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls
Vulnerabilities in PureVPN Client Leak User Credentials
Google to no longer allow Chrome extensions that use obfuscated code
Adobe Acrobat Reader DC Collab reviewServer Remote Code Execution Vulnerability
TP-Link router vulnerable to remote takeover flaw
The one serious MacBook Pro security flaw that nobody is talking about
BlackVue dashcams share cars' mapped GPS locations, stream video feeds
Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability
Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack
You dirty DRAC: IT bods uncover Dell server firmware security slip
After two decades of PHP, sites still expose sensitive details via debug mode
Cisco: Two critical bugs in DNA network software need these urgent patches
A 'Scarily Simple' Bug Put Millions of Cox Communications Customer Accounts at Risk
Google Criticizes Apple Over Safari Security, Flaw Disclosures
Code Execution Flaws Found in WECON Industrial Products
Researchers Find 18 Security Vulnerabilities in Foxit PDF Reader
Microsoft now faces a big Windows 10 quality test after botched update
Vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator
Zero-day exploit (CVE-2018-8453) used in targeted attacks
IBM FileNet Content Manager affected by Apache PDFBox security vulnerability
WhatsApp Security Flaw Could Crash Your iPhone
Many Siemens Products Affected by Foreshadow Vulnerabilities
Threat Actors Prey on Drupalgeddon Vulnerability to Mass-Compromise Websites and Underlying Servers
KeyBoy Abuses Popular Office Exploits for Malware Delivery
Kaspersky reports new security exploit in Microsoft Windows OS
Researchers find 5G security holes, but suggest fixes before launch
IBM yanks buggy application server security fix from admins
DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More
Proof-of-concept code published for Microsoft Edge remote code execution bug
Microsoft Zero-Day Patch for JET Bug Incomplete, Claims Firm
Google Accidentally Pushed Internal November 2018 Security Update to Pixel User
FDA Warns of Flaws in Medtronic Programmers
New iPhone Bug Gives Anyone Access to Your Private Photos
Linksys ESeries Multiple OS Command Injection Vulnerabilities
CVE-2018-3211: Java Usage Tracker Local Elevation of Privilege on Windows
Brazil expert discovers Oracle flaw that allows massive DDoS attacks
Critical Vulnerabilities Allow Takeover of D-Link Routers
GreyEnergy: New malware campaign targets critical infrastructure companies
MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval Industry
GandCrab Devs Release Decryption Keys for Syrian Victims
SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords
Researchers build memory walls to protect against Meltdown, Spectre attacks
Systems running Windows found vulnerable to RID hijacking
Vulnerable controllers could allow attackers to manipulate marine diesel engines
Branch.io Flaws may have affected as many as 685 million individuals
Flaws in telepresence robots allow hackers access to pictures, video feeds
Critical Flaws Found in Amazon FreeRTOS IoT Operating System
Zero-day in popular jQuery plugin actively exploited for at least three years
VLC Media Player and MPlayer contain critical vulnerability bug
Microsoft Windows zero-day disclosed on Twitter, again
New security flaw impacts most Linux and BSD distros
Bug leaves construction machinery vulnerable to evil command injection
Sophos HitmanPro.Alert memory disclosure and code execution vulnerabilities
New Privilege Escalation Flaw Affects Most Linux Distributions
Windows 10 UWP app bug could steal your data without you knowing
MKVToolNix mkvinfo read_one_element Code Execution Vulnerability
Systemd flaw could cause the crash or hijack of vulnerable Linux machines
X.Org Flaw Exposes Unix-Like OSes to Attacks
Microsoft Office Vulnerability Found, Check Point Research To The Rescue
Researchers exploit Microsoft Word using embedded video feature
Square, PayPal POS Hardware Open to Multiple Attack Vectors
Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer
Thousands of critical energy and water systems exposed online for anyone to exploit
Patches
Google Fixes 26 Vulnerabilities in the Android Security Patch for October 2018
Patch Marathon by Adobe: 47 Critical Flaws in Acrobat and DC Fixed
Canonical Outs New Linux Kernel Security Patch for All Supported Ubuntu Releases
Major Debian GNU/Linux 9 "Stretch" Linux Kernel Patch Fixes 18 Security Flaws
Google Patches Critical Vulnerabilities in Android OS
Mozilla patches critical vulnerabilities in Firefox 62.0.3 and Firefox ESR 60.2.2
Cisco updates address 36 vulnerabilities, three critical
Mozilla Patches Critical Vulnerability in Thunderbird 60.2.1
VMware, Apache, Mozilla push out patches
D-Link Patches RCE Bugs in Wireless Access Point Gear
Debian-Based antiX Linux Gets L1TF/Foreshadow, Meltdown, and Spectre Mitigations
Apple Releases Security Updates for iOS and iCloud, Fixes Passcode Bypass
Tumblr fixes security flaw that exposed account info
The Git Project addresses a critical arbitrary code execution vulnerability in Git
Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT
WhatsApp fixes bug that let hackers take over app when answering a video call
Adobe security update fixes a handful of critical bugs, ignores Flash Player
CentOS 6 and RHEL 6 Get Important Kernel Security Update for FragmentSmack Flaw
SAP Patches Critical Vulnerability in BusinessObjects
Google's Pixel 3 is the first Android device to ship with new CFI kernel protections
VMware issues security advisory for a DoS vulnerability
A mysterious grey-hat is patching people's outdated MikroTik routers
Oracle patches 301 vulnerabilities, including 46 with a 9.8+ severity rating
Chrome 70 Updates Sign-In Options, Patches 23 Flaws
Splunk addressed several vulnerabilities in Enterprise and Light products
Code Execution Vulnerability Patched in Library Used by VLC, Other Media Players
Four zero-days found, patched in Arcserve UDP platform
Mozilla updates fix several critical and high-rated vulnerabilities
Cisco releases fix for privilege escalation bug in Webex Meetings app
Multiple Vulnerabilities Patched in ASRock Drivers
Remote Denial of Service Vulnerability Patched in Squid Proxy Cache Server
Canonical Outs Linux Kernel Patch for Ubuntu 16.04 LTS to Fix 4 Security Flaws
Scams
Government cyber agency warns about webcam blackmail scam
BEC-as-a-Service: Hacked accounts available from $150
Received phishing link from contact named "OCBC"? It's not sent by the bank
Facebook friend request 'scams' are back, or at least users think they are
Trinity College spent over $200K investigating cyberfraud loss
Remove the You've made the 5-billionth search Advertisement
New Sextortionist Scam Uses Email Spoofing Attack to Trick Users
YouTube Scam Lures Eager 'Doctor Who' Fans to Reveal Personal Data
Already facing an uphill misinformation fight, Facebook loses to scammers, too
Turns out companies get email pitches from money-seeking fraudsters too
FBI Releases Document with Measures for Defending Against Payroll Phishing Scams
Hurricane Michael phishing schemes leverage Azure blob storage to rake in credentials
McAfee Tech Support Scam Harvesting Credit Card Information
Alert raised over Olympic email scam
Google: We've just hit Android fraudsters raking in millions by faking human traffic
Netflix users targeted in fresh scam looking for updated payment details
SEC Urges New Accounting Controls Amid BEC Scam
Scammers use old browser trick to create fake virus download
Hong Kong, Malaysian and Singaporean police bust US$14 million online romance scam ring
Microsoft removes fake Bing ad that looked like a Chrome download site