Cyware Monthly Cyber Threat Intelligence

Monthly Threat Briefing Nov 30, 2018

The Good

As November comes to an end, it brings to a close another month buzzing with cyber activity, including new breaches, malware strains and more. However, there were also positive advancements, which are as important as, if not more important than, all the negatives. Security researchers have created a new AI system that is capable of accurately predicting cyberattacks. The US Congress approved a bill that approves the creation of a new centralized, federal cybersecurity agency. The US army’s scientists are working on a quantum networking experiment aimed at offering soldiers more secure and reliable communications on the battlefield. Meanwhile, security researchers developed a powerful new tool to root out security flaws.

  • Security researchers have created a new AI system, named DARKMENTION, that is capable of accurately predicting cyberattacks. The AI system is capable of monitoring online and dark web forums and gathers intelligence. DARKMENTION also contains a repository of over 500 cyberattacks that have previously occurred.

  • Google’s automated fuzzing bot has spotted over 9,000 security vulnerabilities over the past two years. Google launched OSS-Fuzz in December 2016. The automated tool hunts for vulnerabilities in applications by applying a technique called fuzzing.

  • The US Congress approved a bill that approves the creation of a new centralized, federal cybersecurity agency. The move would reconfigure the Department of Homeland Security’s National Protection and Programs Directorate into the Cybersecurity and Infrastructure Security Agency (CISA).

  • Google, Microsoft, and other tech giants have backed French President Emmanuel Macron’s call for greater internet security. The initiative, known as the “Paris Call for Trust and Security in Cyberspace,” is aimed at tightening internet regulations and boosting protections against cyberattacks, election interference, and more.

  • Researchers are working on using brainwaves as the new generation of passwords. Biometrics are increasingly replacing traditional passwords and the new research involves developing a flexible and secure biometric alternative to current, traditional passwords.

  • The US army’s scientists, working out of the corporate research lab (ARL), are working on a quantum networking experiment aimed at offering soldiers more secure and reliable communications on the battlefield.

  • The Federal Communications Commission (FCC) has launched an all-out war against scammers and robo-callers in a new initiative. US network providers are now being forced to implement a new technology called SHAKEN/STIR (Secure Handling of Asserted information using toKENs/Secure Telephony Identity Revisited).

  • Security researchers developed a powerful new tool to root out security flaws. AFLSmart is fuzzing software built on the powerful American Fuzzy Lop (AFL) toolkit. It can detect twice as many bugs as AFL over a 24-hour period, has already uncovered a total of 42 zero-day vulnerabilities, and has banked 17 CVE-listed holes.

The Bad

November was peppered with numerous data breaches and leaks that saw the exposure of millions of people's personal information across the globe. Two of the biggest breaches of the year occurred this month. A misconfigured ElasticSearch server leaked the personal information of 57 million US citizens. Marriott was hit by a breach that compromised the personal data of 500 million guests. Hackers hit every bank in Pakistan in a massive attack. The data of around 700,000 customers of American Express India was left inadvertently exposed in an unsecured MongoDB server. Google services went down briefly after the tech giant’s internet traffic was hijacked. Meanwhile, a California-based communications firm exposed a massive database containing millions of text messages and more. The US Postal Service (USPS) was also impacted by a breach that may have exposed over 60 million customers’ data.

  • Hackers hit every bank in Pakistan in a massive attack. The data of nearly 8,000 bank account holders from 10 different banks has been put up for sale on the dark web. Although it is still unclear how this breach came about, PakCERT believes that some locals may have been involved in aiding the cybercriminals behind the attack, who are suspected to have been located outside the country.

  • The data of around 700,000 customers of American Express India was left inadvertently exposed in an unsecured MongoDB server. The unsecured database contained 689,272 records in plaintext. The data exposed included full names, email addresses, phone numbers, card details and more.

  • Google services went down briefly after the tech giant’s internet traffic was hijacked by a Nigerian ISP. Google’s user traffic was routed via Russia and Nigeria before the tech giant’s IP prefixes were leaked to the Chinese state-owned telecom provider called China Telecom.

  • A California-based communications firm called Voxox exposed a massive database containing millions of text messages and more. The breach was caused by an unprotected Amazon Elasticsearch server. The database contained tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

  • Amazon suffered a massive breach just days before Black Friday. The breach resulted in the compromise of names and email addresses of some of its customers. The tech giant has been tight-lipped about the details surrounding the matter, only revealing that the breach was caused by a technical error on its website.

  • The US Postal Service (USPS) was also impacted by a breach that may have exposed over 60 million customers’ data. The breach was caused by a year-old API flaw that not only allowed anyone with a USPS account to view other users’ data but also to alter their information without their knowledge or consent.

  • Daniel’s Hosting, one of the most popular dark web hosting services, was knocked offline by rival hackers. The attack occurred on November 15, 2018, and resulted in the loss of over 6,500 dark web services hosted on the platform.

  • San Diego-based communications company Voxox exposed around 26 million text messages, as well as other sensitive customer data such as phone numbers, password reset links and security codes, two-factor verification codes, shipping notifications and more.

  • A misconfigured ElasticSearch server leaked the personal information of 57 million US citizens. The database was left online for nearly two weeks. The leaky database contained over 73GB data, including first names, last names, employer IDs, job titles, email addresses, physical addresses, state, ZIP codes, phone numbers, and IP addresses.

  • Marriott was hit by a breach that compromised the personal data of 500 million guests. The hotel chain discovered that its networks had been accessed by unauthorized parties since 2014. This breach is now considered one of the largest ever discovered.

  • A new phishing campaign was spotted targeting French industries. The campaign began in October and has targeted the French banking, aviation, IT, chemical manufacturing, automotive and other sectors.

  • Over 2 million patients’ personal data was impacted in a breach that affected Charlotte-based Atrium Health. The information compromised in the breach includes patients’ names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information, and Social Security numbers.

  • SKY Brazil accidentally leaked 32 million customers’ personal information online. The data was left exposed online long enough for hackers to have likely stolen information. The leaked data also included the personal information of high-profile politicians, which may have already been accessed by hackers.

  • Dunkin’ Donuts was hit by hackers recently. The breach was caused by hackers who launched a credential stuffing attack. The information that may have been accessed by the hackers could include customers’ first and last names, email addresses, 16-digit DD Perks account numbers and more.

New Threats

Dozens of new malware strains, ransomware families, vulnerabilities, threat groups, scams and other malicious activity emerged over the past month. A 100,000-bot strong IoT botnet, BCMUPnP_Hunter, is currently pushing out massive spam email campaigns. The TA505 threat actor was found testing out a new reconnaissance malware dubbed tRAT. A new malware called DarkGate, which can function as a keylogger, ransomware and a cryptominer, has been discovered. Over a dozen malware-laced Android apps were discovered on the Google Play Store. Meanwhile, a new variant of the Rotexy malware, which combines the capabilities of both banking malware and ransomware, was discovered. A new Linux cryptominer that can steal root passwords and disable antivirus software was discovered. A cryptominer called KingMiner was uncovered that has already infected victims from Mexico to India and from Norway to Israel. Meanwhile, a new zero-day vulnerability in surveillance cameras was found affecting Nuuo’s surveillance firmware.

  • Security researchers discovered a new stealthy cryptomining malware. Dubbed “Coinminer.Win32.MALXMR.TIAOODAM”, the malware is delivered onto victim machines as a Windows Installer MSI file. It is also capable of bypassing security filters and comes with a self-destruction mechanism.

  • A 100,000-bot strong IoT botnet, BCMUPnP_Hunter, is currently pushing out massive spam email campaigns. The botnet’s operators were spotted using a five-year-old vulnerability that allows attackers to remotely execute malicious code on vulnerable routers. Although the botnet is targeting victims globally, so far it has primarily infected victims in India, China, and the US.

  • The Outlaw hacker group was found wielding the Shellbot botnet to target IoT devices and Linux systems. The botnet allows attackers to launch DDoS attacks, conduct port scans and more.

  • The TA505 threat actor was found testing out a new reconnaissance malware dubbed tRAT. tRAT is a modular malware, written in Delphi, that is currently being used in a reconnaissance campaign targeting financial institutions.

  • A new malware called DarkGate, which can function as a keylogger, ransomware, and a cryptominer, has been discovered. The malware is currently being delivered via torrent files and is targeting victims in Spain and France. The malware also uses several advanced anti-analysis techniques, such as vendor-specific checks, to evade detection.

  • The Mylobot botnet was found distributing the Khalesi malware. Mylobot belongs to a sophisticated malware family and is classified as a downloader. Meanwhile, Khalesi is considered to be one of the fastest growing malware variants of the year.

  • A new Trickbot variant was discovered being distributed as part of a new campaign posing as correspondence from Lloyds Bank. The malware is capable of exfiltrating data such as passwords, browsing history, bank and other financial details, and logins from infected systems.

  • Over a dozen malware-laced Android apps were discovered on the Google Play Store. 13 malicious gaming apps, developed by the same person, were installed over 560,000 times. Once downloaded, the malicious apps, posing as driving games, were designed to crash each time they were opened.

  • A new variant of the Rotexy malware, which combines the capabilities of both banking malware and ransomware, was discovered. Between August and October 2018, Rotexy launched over 70,000 attacks, primarily against victims in Russia.

  • Texas-based Altus Baytown Hospital (ABH) was hit by a ransomware attack that may have led to hackers compromising patient records and their personal data. The hospital fell victim to the prolific Dharma ransomware.

  • A new Linux cryptominer that can steal root passwords and disable antivirus software was discovered. The cryptominer, dubbed Linux.BtcMine.174, contains over 1,000 lines of code and is also capable of searching for other miners and removing them.

  • A cryptominer called KingMiner was uncovered that has already infected victims from Mexico to India and from Norway to Israel. The malware targets Windows servers and mines Monero.

  • A new zero-day vulnerability in surveillance cameras was found affecting Nuuo’s surveillance firmware. The bug could allow hackers to take control of surveillance cameras and tamper with footage and live feeds. It could also allow attackers to execute malicious code remotely after gaining root privileges on affected systems.

  • A new variant of the Bladabindi malware was discovered. The new variant of the RAT, Worm.Win32.BLADABINDI.AA, spreads via removable drives and installs a fileless variant of the Bladabindi backdoor. Bladabindi comes with a variety of data-stealing capabilities: it can steal browser credentials, capture webcam footage, and download additional malicious files.
