Cyware Monthly Cyber Threat Intelligence, January 2019

Monthly Threat Briefing February 1, 2019

The Good

As January comes to an end, let's recap what happened in the cybersecurity landscape over the month, starting with the good news. The USB Implementers Forum launched the USB Type-C Authentication Program to protect hosts against non-compliant chargers and malicious devices. T-Mobile announced caller verification technology to combat spammers. Researchers demonstrated 'Mayhem', a system that finds software vulnerabilities and patches them automatically. Meanwhile, Google is working on a Chrome feature that protects against 'drive-by download' attacks.

  • The USB Implementers Forum (USB-IF) announced the launch of its USB Type-C Authentication Program, which gives host systems a way to verify a USB charger or device before trusting it, protecting against non-compliant chargers and mitigating the risk of maliciously embedded hardware or software in USB devices.
  • Google introduced new security features for G Suite. The alert center now gives admins improved security notifications and alerts on activities such as phishing and data exfiltration.
  • T-Mobile announced Caller Verification, which alerts users when an incoming call cannot be verified as coming from the number it claims. The technology is based on the STIR and SHAKEN standards, which use digitally signed call attestations to deter spoofed and spam calls. It is initially available only to T-Mobile customers using the Samsung Galaxy Note 9.
  • Emsisoft has released a browser extension that blocks known phishing, malware, and scam sites. It is currently available for Chrome and Firefox, with a Microsoft Edge version planned.
  • WhatsApp is adding fingerprint authentication for Android and iOS users; only phones with a biometric sensor can use it. WABetaInfo reports that the feature will arrive in version 2.19.3.
  • Yubico has created a physical security key for iPhones. Rather than entering a code sent to a mobile device alongside the password, the user plugs in the key to complete the login; an attacker who obtains the password still cannot log in without the key.
  • Mitsubishi Electric Corporation has developed a multi-layered defense technology that protects connected vehicles from cyber attacks by strengthening the defenses of the head unit. It is intended to make vehicle systems more secure as more vehicles are connected to external networks.
  • Red Hat announced the release of its open-source Podman project on January 17, 2019. Podman integrates several core security capabilities that let organizations run containers securely, including rootless containers and improved user namespace support for better container isolation.
  • Researchers have developed a system named 'Mayhem' that detects software vulnerabilities and patches them. Mayhem identifies candidate weaknesses and generates a working exploit to confirm them. It works directly on binary code, so it can analyze a program without source code or human guidance.
  • Google is adding drive-by download protection to all versions of Chrome. The feature is already active in the current Chrome Canary build; a stable release is planned for Chrome 73, scheduled for March or April.

The Bad

January witnessed numerous data breaches and cyber attacks exposing the personal information of millions of people across the globe. BlackMediaGames suffered a data breach compromising over 7.6 million user accounts. The Oklahoma Securities Commission accidentally exposed 3 TB of data, including internal FBI documents. An online casino group inadvertently exposed over 108 million records containing bets, wins, deposits, and more. The Collection #1 dump contained 773 million unique email addresses and almost 22 million unique passwords, and the follow-on Collections #2-5 total 2.2 billion unique usernames and passwords.

  • BlackMediaGames was hit by a massive data breach compromising 7,633,234 user accounts. The breach came to light after DeHashed, a data-mining and hacked-database search engine, received an email containing evidence of server access and details of the exposed database. The compromised data included usernames, email addresses, passwords, IP addresses, game and forum activity, and payment information.

  • The Abine Blur password manager suffered a data breach affecting over 2.4 million users. The exposed data included email addresses, first and last names, the last and second-to-last IP addresses used to log in to Blur, and encrypted Blur passwords.

  • In a new campaign, TheHackerGiraffe hijacked thousands of internet-exposed Chromecasts, smart TVs, and Google Home devices to stream a YouTube video promoting PewDiePie's channel, urging viewers to subscribe and to fix their exposed devices. The devices were reachable because UPnP port forwarding on their owners' routers had exposed them to the internet.

  • The Ethereum Classic (ETC) blockchain was hit by a 51% attack, with deep chain reorganizations and double spends amounting to over $1 million. ETC's market cap fell by around 6% after the attack was discovered.

  • Fraudsters operating from China stole $18.6 million from the Italian engineering firm Tecnimont S.p.A. in a business email compromise scheme. The company's India head was the primary target: attackers used emails impersonating senior executives to convince him of a confidential 'acquisition' in China and had him wire the money.

  • An unsecured storage server belonging to the Oklahoma Securities Commission exposed 3 TB of files, including records of sensitive FBI investigations. The exposed files included years of FBI data: interview notes, emails among people involved in investigations, bank transaction histories, and letters from witnesses.

  • A set of email addresses and passwords, dubbed Collection #1 and totaling 2,692,818,238 rows from various sources, was found hosted on the MEGA cloud service. It contained 773 million unique email addresses and almost 22 million unique passwords, spread across more than 12,000 separate files totaling about 87 GB.

  • A misconfigured NASA web application backed by a JIRA server exposed sensitive information about employees and projects: usernames, email addresses and job roles, along with the names of current projects and upcoming milestones.

  • An Elasticsearch server belonging to an online casino group was left publicly accessible without a password. The exposed server held almost 108 million records of bets, wins, deposits and withdrawals, including payment card details.

  • An unprotected Elasticsearch database was left online without authentication for at least two weeks, exposing almost 24 million bank loan and mortgage documents. The documents originated from Citigroup, Wells Fargo, Capital One, and the Department of Housing and Urban Development, among others.

  • Following Collection #1 and its 773 million username-password pairs, Collections #2-5 total 2.2 billion unique usernames and passwords. The data is being distributed on hacker forums and torrent sites, and much of it appears to be drawn from earlier breaches of Yahoo, LinkedIn, and Dropbox.

  • Universiti Teknologi MARA (UiTM) suffered a data breach affecting the records of around 1,164,450 students enrolled between 2008 and 2018. The leaked data included students' names, MyKad numbers, student IDs, campus codes, residential addresses and more.
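Two of the month's largest leaks, the casino records and the mortgage documents, came from Elasticsearch clusters answering on their HTTP port with no authentication. The script below is an added example, not code from Cyware or from any organisation named above; it shows the check a practitioner would run against their own hosts. An unauthenticated GET / on port 9200 that returns the cluster banner (a cluster_name plus the "You Know, for Search" tagline) means the cluster is open, after which /_cat/indices shows how many documents are exposed. The host addresses (10.0.0.5, 10.0.0.6) and the HTTP responses are constructed so the script runs offline; pass http_fetch instead of canned_fetch to probe real hosts you are authorised to test.

```python
"""Probe hosts for Elasticsearch instances that answer without credentials.

Added example, not code from Cyware or from any of the organisations named
above. The target list and the canned HTTP responses below are constructed
so the check runs offline; only unauthenticated GET requests are ever sent.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher returns (status, body) for a URL. http_fetch talks to the
# network; canned_fetch replays the constructed responses below.
Fetcher = Callable[[str], Tuple[int, str]]

ES_TAGLINE = "You Know, for Search"


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Plain GET with no credentials. HTTP errors come back as their status
    code; connection failures come back as status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


def classify_root(status: int, body: str) -> str:
    """Classify the response to GET / on the Elasticsearch HTTP port."""
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"      # security enabled, or a proxy in front
    if status != 200:
        return "not-elasticsearch"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # An unauthenticated cluster answers GET / with its banner document.
    if isinstance(doc, dict) and "cluster_name" in doc \
            and doc.get("tagline") == ES_TAGLINE:
        return "open"
    return "not-elasticsearch"


def index_exposure(cat_body: str) -> Dict[str, int]:
    """Map index name -> document count from /_cat/indices?format=json."""
    counts: Dict[str, int] = {}
    for row in json.loads(cat_body):
        try:
            counts[row["index"]] = int(row.get("docs.count") or 0)
        except (KeyError, TypeError, ValueError):
            continue
    return counts


def probe(host: str, fetch: Fetcher = http_fetch, port: int = 9200) -> dict:
    """Return a finding for one host. Read-only: it never writes or deletes."""
    base = f"http://{host}:{port}"
    status, body = fetch(base + "/")
    verdict = classify_root(status, body)
    finding = {"host": host, "verdict": verdict, "indices": {}, "total_docs": 0}
    if verdict == "open":
        status, cat = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            finding["indices"] = index_exposure(cat)
            finding["total_docs"] = sum(finding["indices"].values())
    return finding


# Constructed responses standing in for an open casino-style cluster on the
# hypothetical host 10.0.0.5 and a locked-down cluster on 10.0.0.6.
CANNED = {
    "http://10.0.0.5:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "casino-logs",
        "version": {"number": "6.5.4"}, "tagline": ES_TAGLINE})),
    "http://10.0.0.5:9200/_cat/indices?format=json": (200, json.dumps([
        {"health": "green", "index": "bets", "docs.count": "108000000"},
        {"health": "green", "index": "players", "docs.count": "1500"}])),
    "http://10.0.0.6:9200/": (401, '{"error":{"type":"security_exception"}}'),
}


def canned_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch using the constructed responses."""
    return CANNED.get(url, (0, "connection refused"))


if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.6"):
        print(probe(host, fetch=canned_fetch))
```

Elasticsearch binds to loopback by default; exposures like the ones above typically come from pointing network.host at a public interface without putting authentication, a reverse proxy, or a firewall rule in front of the cluster. Running this check from outside your network against your own address ranges, on a schedule, catches that misconfiguration before a scanner does.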

New Threats

Several new malware families, ransomware strains, vulnerabilities, and threat group campaigns emerged over the past month. A new Android spyware, detected as ANDROIDOS_MOBSTSPY, was found affecting users in 196 countries. Magecart Group 12 compromised an advertising script to inject card-skimming code into hundreds of websites. A new ransomware family tracked as 'Anatova' was discovered by security researchers. Meanwhile, researchers uncovered a critical bug in Apple's FaceTime that could let a caller access the recipient's microphone and front camera before the call is answered.

  • A new Android spyware was found hidden in six apps that had been available on Google Play: Flappy Birr Dog, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and HZPermis Pro Arabe. Five of the six have been removed from Google Play since February 2018, but the apps had already been installed at least 100,000 times by users across 196 countries.
  • Attackers are chaining the Vidar information stealer with GandCrab ransomware. Researchers investigating the campaign found that the Fallout and GrandSoft exploit kits were used to install Vidar first, which then dropped GandCrab as a secondary payload.
  • Researchers detected a new malware strain dubbed 'IcePick-3PC', which harvests device IP addresses by hijacking a website's third-party tools. It has affected several publishers and e-commerce businesses in industries including retail and healthcare.
  • Magecart Group 12 compromised a script belonging to the French advertising company Adverline in order to inject skimming code into the websites of Adverline's clients. The injected code was designed to steal payment card details entered on checkout pages.
  • Researchers discovered a new JavaScript trojan detected as TROJAN.JS.PLOPROLO.THOAOGAI. It downloads further payloads, including GandCrab ransomware, SmokeLoader, the AZORult trojan, the Phorpiex spambot, and a Monero cryptocurrency miner.
  • A new version of the NanoCore RAT, 1.2.2.0, has been found targeting Windows systems. Its capabilities include registry editing, process control, self-update, file transfer, keylogging, password stealing, and more.
  • The infamous Emotet banking trojan has re-emerged in a new form. It now packs a feature to evade spam filters, allowing attackers to send more emails, and it spreads using a variety of genuine-looking sender addresses.
  • A new ransomware strain dubbed 'hAnt' has been spotted targeting Bitcoin mining rigs, primarily in China. Infected rigs include Antminer S9 and T9 devices used for Bitcoin mining and Antminer L3 rigs used for Litecoin mining; in a few instances, Avalon miners were also affected.
  • Researchers detected a new campaign distributing the Ursnif banking trojan. It uses PowerShell to achieve fileless persistence and avoid detection, and is delivered through the well-known technique of Microsoft Word documents carrying a malicious VBA macro.
  • Security researchers observed a new campaign distributing a new variant of the RogueRobin trojan, attributed to the DarkHydrus threat group and aimed at targets in the Middle East. The variant was delivered via a malicious macro embedded in an Excel document.
  • A new ransomware strain dubbed Phobos has been targeting businesses worldwide since mid-December. It closely resembles Dharma ransomware and, like Dharma, gains entry through open or poorly secured RDP services before deploying the ransomware inside the network.
  • Security researchers recently spotted a new ransomware family tracked as 'Anatova'. Infections have been observed worldwide, most of them in the United States, followed by several European countries.
  • Researchers uncovered a critical bug in Apple's FaceTime that could let a caller access the microphone and front camera of the person they are calling even if the recipient has not answered. Researchers confirmed the bug exists in iOS 12.1.2.
  • Researchers recently observed the AZORult information stealer disguised as a Google Updater program, achieving persistence by replacing the legitimate Google Updater executable on compromised systems.
  • The newly discovered Mac malware dubbed CookieMiner steals the contents of cryptocurrency wallets. Researchers named it CookieMiner for its ability to steal browser cookies associated with cryptocurrency exchanges and wallet services the victim has visited.
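Phobos and Dharma both get in through exposed RDP, so the detection a practitioner wants first is password guessing against RDP in the Windows Security log. The script below is an added example, not code from Cyware or from the Phobos/Dharma write-ups. It parses a constructed, simplified export of Event ID 4625 (failed logon) and 4624 (successful logon) records, counts RDP failures per source IP inside a sliding window, and records a later success from the same source, which is the "guess that worked" preceding a ransomware deployment. The pipe-delimited line format, the sample lines, and the threshold of 5 failures in 5 minutes are assumptions. Note that with Network Level Authentication enabled, failed RDP attempts are logged with logon type 3 (network) rather than 10 (RemoteInteractive), so both types are counted.

```python
"""Flag RDP password guessing from Windows Security log events.

Added example, not code from Cyware or from the Phobos/Dharma write-ups.
SAMPLE_LOG is a constructed, simplified export; real collection would read
Event IDs 4625/4624 with their IpAddress and LogonType fields from the
event log or a SIEM.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    event_id: int     # 4625 = failed logon, 4624 = successful logon
    logon_type: int   # 10 = RemoteInteractive (RDP); 3 for NLA pre-auth failures
    src_ip: str
    user: str


# Constructed sample: one external guesser that eventually gets in, plus
# unrelated single failures from an internal host and another external IP.
SAMPLE_LOG = """\
2019-01-14T02:13:07Z|4625|10|203.0.113.7|administrator
2019-01-14T02:13:09Z|4625|10|203.0.113.7|admin
2019-01-14T02:13:12Z|4625|3|203.0.113.7|administrator
2019-01-14T02:13:15Z|4625|10|203.0.113.7|backup
2019-01-14T02:13:18Z|4625|10|203.0.113.7|administrator
2019-01-14T02:13:21Z|4625|10|203.0.113.7|administrator
2019-01-14T02:14:02Z|4624|10|203.0.113.7|administrator
2019-01-14T02:20:00Z|4625|10|10.0.0.23|jsmith
2019-01-14T03:40:00Z|4625|10|198.51.100.9|sql
"""

# Logon type 10 is the interactive RDP session; with NLA enabled the
# CredSSP pre-authentication failure is logged as type 3 (network).
RDP_LOGON_TYPES = {10, 3}


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited export (an assumed format) into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            int(eid), int(ltype), ip, user))
    return sorted(events, key=lambda e: e.ts)


def detect_rdp_bruteforce(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return {src_ip: alert} for sources with >= threshold failed RDP logons
    inside any sliding window, recording a later success from the same IP."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ev in events:
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue
        if ev.event_id == 4625:
            q = recent[ev.src_ip]
            q.append(ev)
            while ev.ts - q[0].ts > window:      # drop failures outside the window
                q.popleft()
            if ev.src_ip in alerts:
                alerts[ev.src_ip]["failures"] += 1
                alerts[ev.src_ip]["users"].add(ev.user)
            elif len(q) >= threshold:
                alerts[ev.src_ip] = {
                    "first_seen": q[0].ts,
                    "failures": len(q),
                    "users": {e.user for e in q},
                    "success_after": None,
                }
        elif ev.event_id == 4624 and ev.src_ip in alerts:
            # A success after a burst of failures is the guess that worked.
            alerts[ev.src_ip]["success_after"] = (ev.ts, ev.user)
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The alert carries the usernames tried, which separates a forgotten password (one user, a few failures) from a wordlist run (many users, rapid failures from one address). The 4624 that follows is the event to pivot on during response: the account it names is the one to disable, and its session is where Phobos or Dharma would be staged from.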
