
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Sep 3, 2019

The Good

As we bid adieu to August, it's time to recap all that happened in cyberspace over the month. Researchers from the Georgia Institute of Technology developed a tool dubbed SkyWalker to check for vulnerabilities in mobile apps. The Global Cyber Alliance launched a cybersecurity development platform named AIDE for Internet of Things (IoT) products. Meanwhile, major tech companies including Alibaba, Google Cloud, IBM, Intel, and Microsoft joined the Confidential Computing Consortium.

  • Microsoft has launched the Azure Security Lab and doubled its Azure bug-bounty reward to $40,000 in an effort to further strengthen cloud security. The newly launched Azure Security Lab is isolated from the main Azure framework so that hacking attempts and tests cannot disrupt normal functionality.

  • The Global Cyber Alliance, an international cross-sector effort designed to address cyber risks, launched the Automated IoT Defence Ecosystem (AIDE), a cybersecurity development platform for Internet of Things (IoT) products. AIDE enables small businesses, manufacturers, service providers, and individuals to identify and patch vulnerabilities and to secure IoT devices against cyber threats.

  • Major tech companies including Alibaba, ARM, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent joined a new industry group named the Confidential Computing Consortium, which focuses on promoting secure computing practices. This consortium plans to bring together hardware vendors, developers, and others to promote the use of confidential computing, and better protect data.

  • Google has announced a new bug bounty program named the ‘Developer Data Protection Reward Program’ (DDPRP), through which researchers can report cases of data abuse in Android apps, OAuth projects, and Chrome extensions. The tech giant has also announced the expansion of its ‘Google Play Security Rewards Program’ (GPSRP) to include all Android apps on the Google Play Store with 100 million or more installs.

  • A team from the Georgia Institute of Technology has developed a tool dubbed SkyWalker to check vulnerabilities in mobile apps that use multiple cloud services. The tool lets app developers audit various cloud-based tools and find vulnerabilities before they integrate them into their products.

The Bad

This month witnessed numerous data breaches and cyber attacks that led to the exposure of millions of people's personal information across the globe. Twenty-two local government entities in Texas fell victim to a coordinated ransomware attack. Magecart attackers compromised over 80 e-commerce websites that were running an outdated version of Magento. Last but not least, Silence hackers targeted banks across 30 countries, including China, Russia, the United Kingdom, Bangladesh, and Bulgaria.

  • A coordinated ransomware attack targeted twenty-two local government entities in Texas. The impacted organizations have not been named because of security concerns; however, two of the affected municipalities, the City of Borger and the City of Keene, publicly disclosed that they had been hit by the ransomware attack. The threat actor who attacked the Texas governments demanded a collective ransom payment of $2.5 million.

  • Security researchers discovered that Magecart attackers had compromised over 80 e-commerce websites that were running an outdated version of Magento. 25% of these compromised websites belong to large brands in the motorsports industry and luxury retail.

  • CafePress suffered a data breach compromising over 23 million customer accounts, email addresses, and other records containing personal information. According to HaveIBeenPwned, CafePress was hacked in February 2019, and almost 493,000 accounts are being sold on hacker forums.

  • Researchers have found several misconfigured Jira servers that have been leaking information about internal projects and users belonging to large organizations such as Google, NASA, Yahoo, and Lenovo, among others. The leaked data includes names, roles, and email addresses of employees who are involved in various projects of an organization, along with the current state and development of those projects.

  • An unprotected server belonging to Boeing exposed full code designed to run on the Boeing 737 and Boeing 787 passenger jets. The leaked code for a component of the Boeing 787 contains security flaws. These vulnerabilities could be abused by an attacker to send malicious commands to far more sensitive components that control the plane’s safety-critical systems, including its engines, brakes, and sensors.

  • A fraudster paid AT&T employees over $1 million in bribes to unlock mobile phones and install unauthorized devices on the company's internal network over five years, between 2012 and 2017. This resulted in millions of mobile phones being removed from AT&T’s service or payment plans. The fraudster has since been arrested and extradited to the U.S.

  • According to a new report published by Group-IB, Silence hackers launched 16 campaigns against banks across 30 countries, including China, Russia, the United Kingdom, Bangladesh, and Bulgaria. Within a span of 3 years, from June 2016 to June 2019, Silence hackers stole at least 4.2 million US dollars.

  • New Payments Platform Australia (NPP) disclosed that PayID records and associated data in the Addressing Service were exposed in a data breach caused by a vulnerability in one of the financial institutions sponsored by Cuscal Limited. The exposed PayID records include PayID names and the associated account numbers. However, NPP confirmed that none of the exposed data can enable the withdrawal of funds from a customer’s account.

  • An unprotected database belonging to MoviePass, a popular movie-ticket subscription service, exposed almost 161 million records of customer card data. The exposed records revealed details such as debit card numbers, expiry dates, customer card balances, and card activation dates. Researchers also said that more than 58,000 records contained customer card data and that the count was growing every minute.

  • Hostinger, a web hosting provider, was hit with a data breach incident that impacted nearly 14 million customers. The data breach occurred after an unauthorized third party gained access to its internal API server. The compromised server contained clients’ first names, usernames, email addresses, hashed passwords, and IP addresses.

  • Mastercard suffered a security incident, exposing customers’ information on the internet after its Priceless Specials loyalty program was breached. The exposed information includes customers' names, dates of birth, gender, email addresses, phone numbers, home addresses, payment card numbers, and the time of first registration with Priceless Specials.

  • Imperva has disclosed that it suffered a data breach incident impacting the users of its Cloud Web Application Firewall (WAF) product, previously known as Incapsula. The data exposure has impacted a subset of customers of its WAF product who had accounts registered up until September 15, 2017. The exposed Incapsula customer database included email addresses and hashed and salted passwords. A few Incapsula customers also had their API keys and customer-provided SSL certificates exposed.

  • Choice Hotels, the largest lodging franchisor, suffered a data breach that resulted in the exposure of some 700,000 customer records. The cybercriminals gained access to an unprotected MongoDB database, stole the records, and left behind a ransom note demanding $3,800.

  • Another publicly accessible database leaked biometric data of over 1 million people who used the Biostar 2 app. The exposed information included fingerprint records, facial recognition information, and other personal details.

  • Hundreds of dental practice offices in the US had their data and patient records encrypted by Sodinokibi ransomware. On August 26, 2019, Sodinokibi, aka REvil, infected DDS Safe, an online backup product from Digital Dental Record (DDS), through its cloud management provider, PercSoft. Over 400 dental practices have been impacted by the ransomware attack.

New Threats

Several new malware families, ransomware strains, vulnerabilities, and threat groups emerged this month. Researchers uncovered a new version of TrickBot that steals PIN codes from Verizon Wireless, T-Mobile, and Sprint users. Researchers also uncovered a new speculative-execution vulnerability dubbed ‘SWAPGS’ that impacts CPUs in Windows and Linux based machines. Meanwhile, new variants of the Neko, Mirai, and Bashlite botnets affecting various router models and IoT devices were detected by researchers.

  • Secureworks Counter Threat Unit (CTU) researchers uncovered a new version of the TrickBot trojan that steals PIN codes from Verizon Wireless, T-Mobile, and Sprint users. CTU researchers monitored TrickBot operations run by the GOLD BLACKBURN threat group and found that new dynamic webinjects had been added to TrickBot to target mobile carriers in the US.

  • Researchers spotted a new variant of the LokiBot info-stealer malware that uses a steganography technique to hide the code required for its unpacking routine. It keeps the encrypted binary inside an image file until the main LokiBot code is decrypted in memory. This technique not only enables LokiBot to evade detection but also helps it gain persistence on the infected system.

  • Security researchers uncovered a new speculative-execution vulnerability dubbed ‘SWAPGS’ that impacts CPUs in Windows and Linux based machines. The SWAPGS vulnerability, tracked as CVE-2019-1125, can be exploited via side-channel attacks and allows attackers to access privileged data on the machine.

  • Researchers uncovered a new version of NanoCore, v1.2.2. Its capabilities include stealing passwords, keylogging, recording audio/video from a web camera, remotely controlling the mouse, and opening web pages. This RAT also has the ability to remotely shut down or restart the machine.

  • A security researcher disclosed a privilege escalation zero-day vulnerability in Steam that impacts over 96 million Windows users. The vulnerability could allow an attacker to launch a three-stage attack by exploiting a vulnerability in a Steam game, a Windows app, and the OS, and gain SYSTEM permissions on the compromised machine. This would allow attackers to disable the firewall and antivirus, install a rootkit, steal any Windows user’s private data, hide a mining process, and more.

  • A major botnet operation related to Neutrino was found to have been active for more than a year. The botnet hijacks web shells of other malware operations to install cryptocurrency-mining malware. The botnet has been quite successful in infecting Windows servers running phpStudy.

  • Researchers uncovered a new phishing campaign that distributes Quasar RAT onto Windows systems via fake resume attachments. Quasar RAT is capable of opening remote desktop connections, keylogging, stealing credentials, taking screenshots, recording video from webcams, downloading or exfiltrating files, and managing processes on infected machines.

  • TA505 has been observed using ISO image attachments to distribute a new version of ServHelper and a DLL variant of the FlawedAmmyy RAT. The group has also expanded its operations to new countries such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.

  • Researchers from Microsoft Research, the Chinese University of Hong Kong, Seoul National University, and Pennsylvania State University found malicious clickjacking scripts that intercept user clicks on at least 613 popular websites. The researchers noted that while some of the scripts were used to intercept clicks and perform clicks on ads to generate ad revenue, other scripts were used to redirect users to malicious sites, tech support scams, and more.

  • Antivirus maker Avast and the French National Gendarmerie announced that they have taken down the backend infrastructure of the Retadup malware and disinfected at least 85,000 Windows systems.

  • New variants of the Neko, Mirai, and Bashlite botnets affecting various router models and IoT devices were detected by researchers. These botnets include several exploits to infect the devices.

  • The latest variant of the Bolik banking trojan, dubbed ‘Win32.Bolik.2’, is distributed via a cloned NordVPN website. Users visiting the cloned website in search of a download link for the NordVPN client receive trojanized NordVPN installers that install the genuine NordVPN client while dropping the Win32.Bolik.2 malicious payload in the background.
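One defensive check prompted by the LokiBot item above: image files that carry an extra payload often have bytes sitting past the format's own terminator, which ordinary viewers ignore. The script below is an added example, not code from the briefing or from any vendor; it walks the PNG chunk list, verifies each chunk CRC, and reports how many bytes follow the IEND chunk, against a constructed sample image with a constructed blob appended (it assumes the payload is appended after the image, one of several placements).

```python
"""Flag PNG files that carry data after the IEND chunk (possible embedded payload)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after IEND; -1 if the file is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4-byte length + 4-byte type + payload + 4-byte CRC
        if end > len(data):
            return -1  # truncated chunk
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            return -1  # corrupt chunk: treat as malformed rather than trusting it
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return -1  # no IEND chunk found


def build_png(width: int = 2, height: int = 2) -> bytes:
    """Construct a minimal valid RGB PNG entirely in memory (test fixture, not a real sample)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


CLEAN_PNG = build_png()
# Constructed suspicious file: the same image with an opaque blob glued on after IEND.
SUSPECT_PNG = CLEAN_PNG + b"CONSTRUCTED-BLOB:" + bytes(range(256))

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("suspect.png", SUSPECT_PNG)):
        n = png_trailing_bytes(blob)
        print(f"{name}: {'malformed' if n < 0 else f'{n} trailing bytes'}")
```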
