Cyware Monthly Cyber Threat Intelligence

Cyware Monthly Cyber Threat Intelligence November 2018 - Featured Image

Monthly Threat Briefing November 30, 2018

The Good

As November comes to an end, it brings to a close another month buzzing with cyber activity, including new breaches, malware strains and more. However, there are always positive advancements, that are as important, if not more than all the negatives. Security researchers have created a new AI system that is capable of accurately predicting cyberattacks. The US Congress approved a bill that approves the creation of a new centralized, federal cybersecurity agency. The US army’s scientists are working on a quantum networking experiment aimed at offering soldiers more secure and reliable communications on the battlefield. Meanwhile, security researchers developed a powerful new tool to root out security flaws.

  • Security researchers have created a new AI system, named DARKMENTION, that is capable of accurately predicting cyberattacks. The AI system is capable of monitoring online and dark web forums and gathers intelligence. DARKMENTION also contains a repository of over 500 cyberattacks that have previously occurred.
  • Google’s automated Fuzz bot has spotted over 9,000 security vulnerabilities over the past two years. Google launched OSS-Fuzz was in December 2016. The automated tool is capable of hunting for vulnerabilities in applications by applying a technique called fuzzing.
  • The US Congress approved a bill that approves the creation of a new centralized, federal cybersecurity agency. The move would reconfigure the Department of Homeland Security’s National Protection and Programs Directorate into the Cybersecurity and Infrastructure Security Agency (CISA).
  • Google, Microsoft, and other tech giants have backed French President Emmanuel Macron’s call for greater internet security. The initiative, known as the “Paris Call for Trust and Security in Cyberspace,” is aimed at tightening internet regulations and boosting protections against cyberattacks, election interference, and more.
  • Researchers are working on using brainwaves as the new generation of passwords. Biometrics are increasingly replacing traditional passwords and the new research involves developing a flexible and secure biometric alternative to current, traditional passwords.
  • The US army’s scientists, working out of the corporate research lab (ARL), are working on a quantum networking experiment aimed at offering soldiers more secure and reliable communications on the battlefield.
  • The Federal Communications Commission (FCC) has launched an all-out war against scammers and robo-callers in a new initiative. US network providers are now being forced to implement a new technology called SHAKEN/STIR (Secure Handling of Asserted information using toKENs/Secure Telephony Identity Revisited).
  • Security researchers developed a powerful new tool to root out security flaws. AFLSmart is a fuzzing software built on the powerful American Fuzzy Lop toolkit. It can detect twice as many bugs as AFL over a 24 hour period and has already uncovered a total of 42 zero-day vulnerabilities and has banked 17 CVE-listed holes.

The Bad

November was peppered with numerous data breaches and leaks that saw the exposure of millions of people's personal information across the globe. Two of the biggest breaches of the year occurred this month. A misconfigured ElasticSearch server leaked the personal information of 57 million US citizens. Marriott was hit by a breach that compromised the personal data of 500 million guests. Hackers hit every bank in Pakistan in a massive attack. The data of around 700,000 customers of American Express India was left inadvertently exposed in an unsecured MongoDB server. Google services went down briefly after the tech giant’s internet traffic was hijacked. Meanwhile, a California-based communications firm exposed a massive database containing millions of text messages and more. The US Postal Service (USPS) was also impacted by a breach that may have exposed over 60 million customers’ data.

  • Hackers hit every bank in Pakistan in a massive attack. The data of nearly 8,000 bank account holders from 10 different banks have been put up for sale on the dark web. Although it is still unclear as to how this breach came about, PakCERT believes that some locals may have been involved in aiding the cybercriminals behind the attack, who are suspected to have been located outside the country.
  • The data of around 700,000 customers of American Express India was left inadvertently exposed in an unsecured MongoDB server. The unsecured database contained 689,272 records in plaintext. The data exposed included full names, email addresses, phone numbers, card details and more.
  • Google services went down briefly after the tech giant’s internet traffic was hijacked by a Nigerian ISP. Google’s user traffic was routed via Russia and Nigeria before the tech giant’s IP prefixes were leaked to the Chinese state-owned telecom provider called China Telecom.
  • A California-based communications firm called Voxox exposed a massive database containing millions of text messages and more. The breach was caused by an unprotected Amazon Elasticsearch server. The database contained tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.
  • Amazon suffered a massive breach just days before Black Friday. The breach resulted in the compromise of names and email addresses of some of its customers. The tech giant has been tight-lipped about the details surrounding the matter, only revealing that the breach was caused due a technical error in its website.
  • The US Postal Service (USPS) was also impacted by a breach that may have exposed over 60 million customers’ data. The breach was caused by a year-old API flaw, that not only allowed anyone with a USPS account to view other users’ data but also alter their information without their knowledge or consent.
  • Daniel’s Hosting, one of the most popular dark web hosting services, was knocked offline by rival hackers. The attack occurred on November 15, 2018, and has resulted in the loss of 6500 plus Dark Web services hosted on the platform.
  • San Diego-based communications company Vovox exposed around 26 million text messages, as well as other sensitive customer data like phone numbers, password reset links and security codes, two-factor verification codes, shipping notification and more.
  • A misconfigured ElasticSearch server leaked the personal information of 57 million US citizens. The database was left online for nearly two weeks. The leaky database contained over 73GB data, including first names, last names, employer IDs, job titles, email addresses, physical addresses, state, ZIP codes, phone numbers, and IP addresses.
  • The Marriott was hit by a breach that compromised the personal data of 500 million guests. The hotel chain discovered that its networks had been accessed by unauthorized parties since 2014. This breach is now being considered to be one of the largest to have ever been discovered.
  • A new phishing campaign was spotted targeting French industries. The campaign began in October and has targeted the French banking, aviation, IT, chemical manufacturing, automotive and other sectors.
  • Over 2 million patients’ personal data was impacted in a breach that affected Charlotte-based Atrium Health. The information compromised in the breach includes patients’ names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information, and Social Security numbers.
  • SKY Brazil accidentally leaked 32 million customers’ personal information online. The data was left exposed online long enough for hackers to have likely stolen information. The leaked data also included the personal information of high-profile politicians, which may have already been accessed by hackers.
  • Dunkin’ Donuts was hit by hackers recently. The breach was caused by hackers who launched a credential stuffing attack. The information that may have been accessed by the hackers could include customers’ first and last names, email addresses, 16-digit DD Perks account numbers and more.

New Threats

Dozens of new malware, ransomware, vulnerabilities, threat groups, scams and other malicious activity emerged over the past month. A 100,000-bot strong IoT botnet BCMUPnP_Hunter is currently pushing out massive spam email campaigns. The TA505 threat actor was found testing out a new reconnaissance malware dubbed tRAT. A new malware called DarkGate, that can function as a keylogger, a ransomware and cryptominer, has been discovered. Over a dozen malware-laced Android apps were discovered on the Google Play Store. Meanwhile, a new variant of the Rotexy malware, that combined the capabilities of both a banking malware and a ransomware, was discovered. A new Linux cryptominer that can steal root passwords and disable antivirus software was discovered. A cryptominer called KingMiner was uncovered that has already infected victims from Mexico to India and from Norway to Israel. Meanwhile, a new zero-day vulnerability in surveillance cameras was found affecting Nuuo’s surveillance firmware.

  • Security researchers discovered a new stealthy cryptomining malware. Dubbed “Coinminer.Win32.MALXMR.TIAOODAM”, the malware is delivered onto victim machines as a Windows Installer MSI file. It is also capable of bypassing security filters and comes with a self-destruction mechanism.
  • A 100,000-bot strong IoT botnet BCMUPnP_Hunter is currently pushing out massive spam email campaigns. The botnet’s operators were spotted using a five-year-old vulnerability, which allows attackers to remotely execute malicious code on vulnerable routers. Although the botnet is targeting victims globally, so far, it has primarily infected victims in India, China, and the US.
  • The Outlaw hacker group was found wielding the Shellbot botnet to target IoT devices and Linux systems. The botnet is capable of allowing attackers to launch DDoS attacks, conduct port scans and more.
  • The TA505 threat actor was found testing out a new reconnaissance malware dubbed tRAT. tRAT is a modular malware, written in Delphi, that is currently being used in a reconnaissance campaign targeting financial institutions.
  • A new malware called DarkGate, that can function as a keylogger, a ransomware, and cryptominer, has been discovered. The malware is currently being delivered via Torrent files and is targeting victims in Spain and France. The malware also uses several advanced anti-analysis techniques, such as using vendor-specific checks, to evade detection.
  • The Mylobot botnet was found distributing the Khalesi malware. Mybolot belongs to a sophisticated malware family and is classified as a downloader. Meanwhile, Khalesi is considered to be one of the fastest growing malware variants of the year.
  • A new Trickbot variant was discovered being distributed as part of a new campaign posing as coming from Llyods bank. The malware is capable of exfiltrating data such as passwords, browsing history, bank & other financial details and logins from the infected systems.
  • Over a dozen malware-laced Android apps were discovered on the Google Play Store. 13 malicious gaming apps, developed by the same person, were installed over 560,000 times. Once downloaded, the malicious apps, posing as driving games were designed to crash each time they were opened.
  • A new variant of the Rotexy malware, that combined the capabilities of both a banking malware and a ransomware, was discovered. Between August to October 2018, Rotexy launched over 70,000 attacks, primarily against victims in Russia.
  • Texas-based Altus Baytown Hospital (ABH) was hit by a ransomware attack that may have led to hackers compromising patient records and their personal data. The hospital fell victim to the prolific Dharma ransomware.
  • A new Linux cryptominer that can steal root passwords and disable antivirus software was discovered. The cryptominer dubbed Linux.BtcMine.174 contains over 1,000 lines of code and is also capable of searching for other miners and removing it.
  • A cryptominer called KingMiner was uncovered that has already infected victims from Mexico to India and from Norway to Israel. The malware targets Windows servers and mines for Monero.
  • A new zero-day vulnerability in surveillance cameras was found affecting Nuuo’s surveillance firmware. The bug could allow hackers to take control over surveillance cameras and tamper with footage and live feeds. It could also allow attackers to execute malicious code remotely after gaining root privileges to systems.
  • A new variant of the Bladabindi malware was discovered. The new variant of the RAT, Worm.Win32.BLADABINDI.AA., spread via removable drives and installs a fileless variant of the Bladabindi backdoor. Bladabindi comes with a variety of data-stealing capabilities. It can steal browser credentials, capture webcam footage, as well as download additional malicious files.

Related Threat Briefings

Jul 1, 2025

Cyware Monthly Threat Intelligence, June 2025

Jun 1, 2025

Cyware Monthly Threat Intelligence, May 2025

May 1, 2025

Cyware Monthly Threat Intelligence, April 2025

Apr 2, 2025

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors.  A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Sep 30, 2024

Cyware Monthly Threat Intelligence

The Good The government took significant steps to strengthen cybersecurity resilience across various sectors. The DHS allocated $279.9 million in grants for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to help state, local, and t

Sep 2, 2024

Cyware Monthly Threat Intelligence

The Good In a series of proactive measures aimed at bolstering global cybersecurity resilience, significant strides were made in the education and law enforcement sectors to safeguard critical systems against evolving threats. The NASA Katherine Jo

Aug 1, 2024

Cyware Monthly Threat Intelligence

The Good The collaborative efforts and enhanced protocols by different government bodies represent significant steps forward in strengthening cybersecurity on a global scale. French authorities, in collaboration with Europol, have launched a "disin

Jul 1, 2024

Cyware Monthly Threat Intelligence

The Good Recent developments showcase a proactive stance in bolstering cybersecurity across critical sectors. The collaboration between the U.K’s National Crime Agency (NCA) and the FBI to dismantle the Qilin ransomware gang highlights internationa