Cyware Monthly Cyber Threat Intelligence

Monthly Threat Briefing • Jul 2, 2018
As yet another month comes to an end, it’s time to take a look at the notable breaches, attacks and new techniques leveraged by attackers in June. However, it is also worth celebrating the new ideas, technologies and advancements wielded by researchers to protect systems against cyberattacks. Europol disrupted the hacker group Rex Mundi while French authorities took down the Dark Web site Black Hand. In the US, the FBI arrested 74 scammers in a massive BEC crackdown. Verizon agreed to stop selling users’ location data, prompting competitors to follow suit. VirusTotal introduced a tool to reduce false positives while Mozilla teamed up with “Have I Been Pwned” for a data breach alert tool. Meanwhile, US lawmakers reintroduced the ENCRYPT bill and approved another to safeguard critical infrastructure. On the research side, the WPA3 security standard was unveiled, MIT researchers developed a transmitter to protect IoT devices and UTSA researchers created a framework to help protect connected cars from attacks.
Europol signed two memorandums of understanding in June - one with the World Economic Forum and another with the European Defense Agency, European Union Agency for Network and Information Security and CERT-EU.
The French Minister of Public Action said they dismantled Black Hand, one of the largest Dark Web forums that saw the trade of illegal goods and services such as weapons, narcotics, stolen data and more. Authorities said the site’s administrator--a 28-year-old mother from Northern France--and several other accomplices were arrested in a string of coordinated police raids across the country.
The FBI arrested 74 scammers in a massive global business email compromise (BEC) crackdown that involved attempts to steal data and funds from individuals and businesses. Thanks to a six-month long global operation named Operation Wire Wire, 42 scammers were arrested in the US, 29 in Nigeria and 3 in Canada, Poland and Mauritius.
US carrier Verizon agreed to stop selling customers’ real-time location data to third party data brokers following serious concerns over user privacy and security. Senator Ron Wyden praised Verizon’s initial move before chastising its competitors for not following suit. Eventually, AT&T, T-Mobile and Sprint also announced similar commitments.
Google is looking to make sure apps downloaded from Play Store and shared offline will be verified as safe. The company will add a small security metadata into APKs to mark the app as “authentic” and originally coming from the Google Play Store.
VirusTotal introduced a new service to allow software developers to privately check and monitor their programs against antivirus detection engines in a bid to reduce false positives. Developers can use the new VirusTotal Monitor to upload new files, check their code and receive alerts if their program has incorrectly been flagged as malicious.
Mozilla’s Firefox browser unveiled a new security tool with security researcher Troy Hunt’s data breach service, Have I Been Pwned, baked in to alert users of new data breaches. The website, called Firefox Monitor, will allow users to enter their email address and find out if their account was part of a known data breach.
UTSA researchers have developed an authorization framework to protect connected cars against cyberattacks. Using this framework, researchers are looking to create and enforce security authorization policies at different access control decision points, preventing unauthorized access to smart car sensors and data and protecting them against attacks.
Twitter announced support for physical USB security keys to give accounts an additional layer of protection. Using the physical key, users can securely sign into their accounts as part of the two-factor authentication process, rather than entering a text message sent to their phone.
The Wi-Fi Alliance announced the new WPA3 Security standard for wireless connections, routers and wireless devices. Replacing the aging WPA2 protocol, the new WPA3 standard will make it harder for threat actors to run common hacking attacks on wireless networks and make passwords much harder to crack.
California passed the country’s toughest data privacy law on Thursday. The new law, which will take effect on January 1, 2020, will require companies to tell customers upon request what personal data they collect, why and what categories of third party firms have received it as well.
The US House Homeland Security Committee has approved a bill to expand efforts to secure industrial control systems used to power critical infrastructure and services such as power and water systems, manufacturing and transportation.
MIT researchers developed a novel “frequency-hopping” transmitter to help protect IoT devices against hackers. The transmitter hops each individual 1 or 0 bit of an outgoing data packet to a unique, random frequency, once every microsecond, which prevents attackers from intercepting or manipulating the data.
June saw a fresh wave of data breaches, malicious attacks and accidental data leaks. Coca-Cola suffered a data breach at the hands of an ex-staffer. MyHeritage, Dixons Carphone, Transamerica and Liberty disclosed data breaches while Weight Watchers, AgentRun, accidentally leaked thousands of users data. Exactis exposed 340 million records while Ticketmaster said 5% of all users were affected in a major breach. Cryptocurrencies Bitcoin Gold, Verge and Monacoin were hit with massive 51% attacks while Bithumb lost $32 million in a cyberheist. A Chilean bank was hit with a disk-wiping malware. Chinese hackers stole undersea warfare data from a US Navy contractor. La Liga app was caught using smartphones to detect illegal football broadcasts. ProtonMail was hit with a major DDoS attack that briefly took down its email service.
Coca-Cola said it suffered a data breach in September 2017 after an ex-employee possessed an external hard drive that contained some employees’ personally identifiable information. The company said that about 8000 workers were affected but there is no evidence the data was used to commit identity theft.
Dixons Carphone disclosed a massive data breach that compromised 5.9 million customer cards and 1.2 million personal records. Although 5.8 million of the compromised cards have chip-and-PIN protection, 105,000 payments from outside the EU do not and were thus compromised.
Weight Watchers accidentally exposed sensitive data about its IT infrastructure on a Kubernetes server without any password protection. Kromtech researchers found the server contained administrator’s root access, keys for 102 domains, data of users with administrative credentials and more.
Honda India exposed the personal data of over 50,000 customers in two unsecured Amazon AWS S3 storage buckets. The data of Honda Connect app users included names, passwords, trusted contacts information, VIN, Connect IDs and more.
Insurance startup AgentRun exposed sensitive personal and medical details of thousands of insurance policy holders in a misconfigured AWS S3 storage bucket. The misconfigured bucket contained insurance policy documents, sensitive health information like individual prescriptions and dosages as well as scans of identification documents like Social Security cards, Medicare cards, voter IDs and more.
DNA testing site MyHeritage suffered a breach compromising the personal data, email addresses and hashed passwords of over 92 million users. A security researcher notified the firm after discovering a file named “myheritage” on a private server outside of the firm.
Transamerica said it suffered a breach with hackers stealing around 45,000 customers’ personal and financial data, employment details and Social Security numbers.
Marketing firm Exactis is said to have exposed a huge database containing nearly 340 million in-depth records of Americans and businesses on a publicly accessible server. The data included a trove of personal information from people’s phone numbers and home addresses to interests, smoking habits and more.
Popular medical appointment booking website HealthEngine was caught sharing patients’ private data with a third-party law firm as part of a “referral partnership pilot.”
Ticket-selling giant Ticketmaster said it suffered a breach due to a customer support tool on its website by Inbenta that was exploited to harvest users’ personal and payment data. About 5% of Ticketmaster customers were impacted by the breach with several people already reported being scammed out of money as a result of the incident.
Hotel-booking software provider FastBooking said hackers managed to exploit a vulnerability in a web application hosted on its server to install malware and steal data. The breach compromised the personal information and credit card data from guests of hundreds of affected hotels around the world.
ProtonMail was hit with a powerful DDoS attack that affected the email service for several hours with sporadic outages that lasted minutes at a time. The company said it was “unlike the more ‘generic’ DDoS attacks” it usually deals with. A group claiming to have links to Russia, claimed responsibility for the attack.
Ticketfly was targeted by hackers last week who defaced its website and stole users’ personal data. Several Ticketfly database files were later found posted to a public server containing over 26 million email addresses as well as users’ names, phone numbers, home and billing addresses.
A popular quiz app on Facebook called “Nametests” was found with a flaw that let anyone access information on more than 120 million people, even after the app was deleted. Security researcher Inti De Ceukelaire reported the issue via Facebook’s Data Abuse Bounty Program launched in April.
Chinese hackers reportedly swiped about 614GB worth of sensitive undersea warfare data from a US Navy contractor. The Washington Post reported the stolen data included secret plans regarding a US project to build a supersonic anti-ship missile, signals and sensor data, submarine radio room information and more.
Kenna security researchers found widespread Google Group misconfigurations exposing organizations’ internal data. As many as 10,000 firms were found publicly exposing some form of sensitive data after many Google Groups visibility were accidentally configured to “public”.
Atlanta’s police department admitted “years” worth of police dashcam footage were destroyed in the recent SamSam ransomware attack that crippled the city’s municipal services in March. Atlanta Police Chief Erika Shields said the data loss could potentially compromise DUI cases “if the officer’s testimony is not where it needs to be.”
Researcher Ruben Santamarta managed to successfully hack into in-flight airplane WiFi networks from the ground. The IOActive researcher said he accessed on-board WiFi networks, including passengers’ Internet activity, and read the planes’ satcom equipment.
Ad-blocking service Ghostery suffered an embarrassing gaffe after it sent out notification emails about its GDPR compliance. However, it accidentally exposed recipients’ email addresses in the “Happy GDPR Day” email by sending the emails in batches of 500 users and CCing hundreds of recipients in every email.
Multiple cryptocurrencies including Bitcoin Gold, Verge and Monacoin suffered nasty 51 percent attacks, in which attackers used overwhelming computing power to gain control of the network and alter transactions on their blockchains to steal millions worth of cryptocurrency.
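Why majority hash power is decisive, and how an exchange picks a confirmation depth, can be seen by working the attacker-catch-up probability from the Bitcoin whitepaper. The following is an added example written for this briefing, not code from Cyware or from any of the affected projects; the hash-power shares and risk targets are constructed inputs, and the exact number of confirmations a real exchange requires depends on the coin, which is an assumption the code leaves as a parameter.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash power
    eventually builds a longer chain than the honest network once the
    victim has seen z confirmations (Nakamoto's gambler's-ruin formula).

    With q >= 0.5 the attacker is guaranteed to catch up, which is the
    whole point of a "51% attack": confirmation depth no longer helps.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a hash-power share in [0, 1)")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q                      # honest share of hash power
    if q >= p:
        return 1.0                   # majority attacker always wins
    lam = z * (q / p)                # expected attacker blocks while honest mined z
    caught_up = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # (q/p)^(z-k) is the chance of closing a deficit of z-k blocks
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_for_risk(q: float, max_risk: float, limit: int = 1000) -> int:
    """Smallest confirmation depth z such that an attacker with share q
    succeeds with probability at most max_risk.  Returns -1 when no depth
    up to `limit` suffices, which is what happens for q >= 0.5: a defender
    cannot buy safety with more confirmations against a majority attacker.
    """
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return -1


if __name__ == "__main__":
    # Constructed scenario: a deposit policy accepting at most 0.1% reversal risk.
    for share in (0.1, 0.3, 0.51):
        depth = confirmations_for_risk(share, 0.001)
        print(f"attacker share {share:.2f}: confirmations needed = {depth}")
```

Running the block shows a 10% attacker needs only a handful of confirmations to be neutralised, a 30% attacker pushes the requirement into the twenties, and at 51% the search returns -1 because no depth works, which is why the incidents above were possible regardless of the exchanges' confirmation settings.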
Spanish football league La Liga’s app was caught using fans’ smartphone mics and GPS to identify pirate broadcasts of football games. The app could quietly detect the location of users to see if they were in a bar and record audio clips to find out if the establishment had paid for a license to show the match. The league later justified its actions saying illegal streaming costs it millions in losses.
The past 30 days also saw a wide range of new malware, threats and botnets pop up. ESET detailed a banking malware that uses unique methods to drain bank accounts. The VPNFilter malware, which prompted the FBI to ask users to reboot their routers, was found to be worse than previously thought. The Olympic Destroyer that hit the 2018 Winter Olympics is targeting biochem protection groups. While Mylobot sported a fresh bag of tricks, a new SamSam ransomware variant requires a special password before infection. The US warned of three North Korean malware strains - Joanap, Brambul and Typeframe. Many Android devices are still being shipped with debug ports exposed. A WannaCry ransomware scam is duping victims into paying up without infecting systems. Over 60,000 devices were infected by a battery-saving app that steals data. In other Android-related news, a new RAMpage attack affects every Android device since 2012.