
Cyware Monthly Cyber Threat Intelligence, October 2018

Monthly Threat Briefing Nov 1, 2018

The Good

As we bid adieu to October, it's time to summarize all the major breaches, attacks, malware, and new technologies that have emerged over the past month. Let's begin by lauding the positive developments: California passed a new law aimed at boosting IoT security, and researchers from MIT created a new system to protect against Meltdown and Spectre attacks. Meanwhile, the US Cyber Command is dogging the heels of Russian online trolls attempting to distribute disinformation campaigns and warning them that they are being watched.

  • Google plans to enforce more stringent rules on developers to block malicious Chrome extensions. The new measures will give extension users more control over which sites extensions can access. Google is also prohibiting extensions that use obfuscated code. Extension developers will also have to do more to protect their developer accounts; for instance, starting in 2019, they will have to enable two-factor authentication for their accounts.

  • California passed a new law that aims at boosting IoT security. The new law makes it illegal for connected device manufacturers to ship devices with default passwords. The law also makes it mandatory for manufacturers to create a unique credential for each device, or ensure that the user is forced to create a unique password when they boot up the device for the first time.

  • The Wall Street Journal launched a program designed to help small businesses improve their security. The WSJ Pro Cybersecurity program offers small businesses information about cyberthreats, security response methods, and more via its website and newsletters.

  • Researchers from MIT have created a new system that reduces the risk of memory-based attacks such as Meltdown and Spectre. Lebedev and his team at MIT CSAIL are working on a system which they say is a more effective way of protecting modern PC architectures against cache timing attacks, and which has proven more secure than Intel's Cache Allocation Technology (CAT). The system, called Dynamically Allocated Way Guard (DAWG), partitions the cache into multiple buckets.

  • Passengers checking into flights at Shanghai's Hongqiao International Airport can now use their face to prove their identity thanks to the rollout of facial recognition technology. The airport this week unveiled self-service kiosks for flight and baggage check-in, security clearance, and boarding powered by facial recognition technology.

  • The Army’s Research, Development and Engineering Command is laying the groundwork for its artificial intelligence plans with a newly crafted strategy. The RDECOM strategy, which has not been made public, details where the command currently is regarding the development of AI capabilities, where it wants to go in the future, and defines taxonomy associated with the technology.

  • The European Union is gearing up to create new regulations that would impose economic sanctions on cybercriminals. In the face of increasingly sophisticated cyberespionage and cybercriminals campaigns, EU leaders are now mulling imposing sanctions on hackers to stem the flow of destructive cyberattacks.

  • The US Cyber Command is dogging the heels of Russian online trolls attempting to distribute disinformation campaigns and warning them that they are being watched. The operation is aimed at deterring more sophisticated Russian cyberattacks targeting US infrastructure.

  • Apple launched a new T2 security chip that is designed to stop attackers from spying on users. This new security feature is capable of disconnecting the microphone whenever the lid of the MacBook is closed. It is designed to help protect a device’s encryption keys, storage, fingerprint data, and secure boot features.

  • Google launched reCAPTCHA v3 that aims to better protect websites from spam and make the security procedure more user-friendly. The latest version of the security tool is designed to run an adaptive risk analysis in the background and provide websites with a score that shows how suspicious an interaction is.

The Bad

Over the past month, numerous destructive data breaches, leaks and cyberattacks were observed, affecting both government and private entities. Facebook acknowledged suffering a massive breach. Google plans to shut down Google Plus next year after a breach exposed 500,000 customers’ data. A water company already dealing with the aftermath of Hurricane Florence was hit by a ransomware campaign, resulting in a one-of-its-kind joint physical and cyber disaster. Meanwhile, HealthCare.gov’s sign-up system was hit by hackers who stole data on around 75,000 people. Switzerland-based cryptocurrency exchange Trade.io was hacked and $7.5 million worth of cryptocurrencies was stolen.

  • The biggest data breach of the week award goes to Facebook. The tech giant acknowledged suffering a massive breach that compromised over 50 million user accounts. The attackers exploited a flaw that first appeared in July 2017, when Facebook made some changes in the video uploading feature. This is Facebook’s second breach in 2018. The previous breach made headlines after profile details of 87 million users were improperly accessed by the political data firm Cambridge Analytica.

  • Sales engagement startup Apollo was hit by hackers who stole a database containing 200 million contact records. The stolen database contained the contact details of prospective customers from 10 million companies. The compromised data includes customers’ names, email addresses, company names, and other business information.

  • Brazilian banks suffered a massive attack by cybercriminals who used a 100,000-strong botnet. Users attempting to access the online banking sites of Brazilian banks were redirected to phishing sites. The cybercriminals behind the GhostDNS botnet campaign are still scanning the internet for Brazilian routers with weak or no passwords.

  • Google will shut down Google Plus next year after a breach exposed 500,000 customers’ data. The breach was caused by an API bug, which, if exploited, could allow third-party apps to gain access to public profile information of Google Plus users’ friends.

  • The Slovak Foreign and European Affairs Ministry has become the target of a massive cyber attack, Slovak Prime Minister Peter Pellegrini said on Wednesday, adding that at the moment it's not possible to specify who is behind the attack. The prime minister added that the issues concerning the identity of attackers and the subject of their interest are currently the main objective of the ongoing investigation.

  • Around 35 million US voter records from 2018 were found for sale on a popular hacking forum. The seller was demanding $42,200 for all the records from 19 states. The advertisement on the hacking forum says that the data is taken from updated statewide voter lists and contains sensitive information including the phone numbers, full addresses, and names of millions of US residents.

  • A water company in the US state of North Carolina already dealing with the aftermath of Hurricane Florence was left to juggle a complete database rebuild because of a nasty ransomware infection. ONWASA said that the attack began on October 4, when Emotet was first spotted on the utility's network. IT staff thought they had contained the initial infection, only to see a second attack kick off in the wee hours of Saturday, October 13.

  • HealthCare.gov’s sign-up system was hit by hackers who stole data on around 75,000 people. The hackers gained access to HealthCare.gov’s sign-up system, called the Federally Facilitated Exchange (FFE), which is used by health insurance agents and brokers to enroll users in Obamacare plans.

  • Switzerland-based cryptocurrency exchange Trade.io was hacked and $7.5 million worth of cryptocurrencies was stolen. The stolen funds were stored in a cold storage wallet. The cryptocurrency exchange discovered the breach after it observed a large number of cryptocurrencies being transferred from one of the accounts associated with its cold storage wallets.

  • Hong Kong-based airline Cathay Pacific was hit by a massive data breach that compromised 9.4 million passengers’ data. Passengers' personal details including names, nationality, dates of birth, phone numbers, email addresses, passport numbers, identity card numbers, frequent flyer membership numbers, customer service remarks, and travel history might have been stolen by hackers.

  • Eurostar detected a breach and began resetting users' passwords. The firm said that the cybercriminals behind the attack used Eurostar account holders’ usernames and passwords to infiltrate its systems. It is still unclear how many users have been affected by the breach and whether the attackers succeeded in exfiltrating any sensitive corporate or user data.

New Threats

October saw various new malware, vulnerabilities and other threats come out of the woodwork. White-hat hackers discovered 150 bugs in websites of the US Marine Corps. A previously unknown threat group called Gallmaker was brought to light by security experts. A new data reconnaissance campaign leveraging attack techniques dating back to the year 2010 and first used by APT1 was discovered. Meanwhile, a new Android malware dubbed TimpDoor was recently discovered and has already infected around 5,000 victims in the US.

  • A flaw in Telegram exposed users’ IP addresses. The leak was caused by a bug in the desktop version of the Telegram app, which inadvertently exposed users’ IP addresses during voice calls.

  • The Fallout exploit kit has switched from spreading the GandCrab ransomware to distributing the Kraken Cryptor ransomware. The EK began distributing Kraken Cryptor (version 1.5) earlier this week. Kraken Cryptor appeared in the Ransomware as a Service (RaaS) arena and is now being actively distributed in the wild by multiple sources.

  • White-hat hackers discovered 150 bugs in websites of the US Marine Corps. Around 100 security researchers participated in the “Hack The Marine Corps” bug bounty program and took home a total of $150,000. The bugs were reported to the US Marine Corps Cyberspace Command team during the three-week-long bug bounty program.

  • The DanaBot banking malware is back in action. A new campaign was discovered targeting victims in the US. The malware was first discovered in May 2018, when it was targeting victims in Australia. Since then, DanaBot has been updated several times and has switched targets from Australia to Europe, and now to the US.

  • A previously unknown threat group called Gallmaker was brought to light by security experts. Gallmaker has been active since 2017 and was found targeting government, military and defense agencies across the globe. The group uses living-off-the-land (LotL) tactics, employing publicly available tools instead of custom malware in its operations.

  • A new phishing campaign delivering the URSNIF malware has been discovered. The cybercriminals behind the campaign used hijacked email accounts to send malware inserted within email replies that are part of ongoing conversations.

  • A new data reconnaissance campaign, named Oceansalt, targeting Korean-speaking users has now spread to the US and Canada. The threat actors involved in these campaigns are linked to the Chinese military. The campaign was found mainly targeting South Korea in May, when five waves of attacks were launched against various organizations in the country.

  • Oracle has released its Critical Patch Update (CPU) addressing a total of 301 CVE-listed vulnerabilities across its enterprise products. The updates were released as the October 2018 (Q3) edition of the CPU. Of the 301 vulnerabilities, 45 had a severity rating of 9.8 (on a scale of 10), and one received the maximum severity score of 10.

  • A new Android malware dubbed TimpDoor was recently discovered and has already infected around 5,000 victims in the US. The malware has been active since March and can turn infected Android devices into mobile backdoors, which, in turn, could be leveraged by attackers to infiltrate home and corporate networks.

  • The Ramnit banking malware was found being distributed via a new malware downloader called sLoad. The new campaign has been targeting financial institutions across Italy, Canada and the UK. The downloader comes with sophisticated reconnaissance capabilities and has also been distributing other malware families such as Gootkit and Ursnif.

  • A new ransomware called CommonRansom has been discovered. Unlike other ransomware variants, CommonRansom not only demands a Bitcoin payment but also demands that victims provide remote desktop protocol (RDP) access.

  • A new DDoS-for-hire service called ‘0x-booter’ has been spotted in the wild and has launched over 300 DDoS attacks in just two weeks. 0x-booter has been advertised as having over 500Gbps of bandwidth and 20,000 bots. The service can launch DDoS attacks without direct contact between the user and the botmaster.
