Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Monthly Threat Intelligence

Cyware Monthly Threat Intelligence - Featured Image

Monthly Threat Briefing Jan 2, 2020

The Good

2019 was a busy year in the world of cybersecurity with many new reports of malware, vulnerabilities, and data breaches. For the month of December, let’s first begin with the positive developments in cyberspace. A group of researchers developed a new cryptography method for full secrecy based on a One-time pad (Vernam Cypher). Meanwhile, the U.S. Congress passed the TRACED Act to curb robocall spam menace. Also, global law enforcement took down the network of the notorious Imminent Monitor RAT (IM-RAT).

  • A group of researchers presented a new cryptography method for full secrecy based on a One-time pad (Vernam Cypher). The complex time-varying irreversible structures of silicon chips can be used as the one-time key, which cannot be recreated and intercepted as it is never stored anywhere. Also, the method is compatible with the existing optical communication infrastructure.

  • Apple opened its bug bounty program to all security researchers, shifting from an invitation-based bug bounty program. The company will now accept vulnerability reports for a much wider spectrum of products that includes iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, of course depending on the exploit chain's complexity and severity.

  • The US Congress passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to fight against spam robocalls. The bill includes penalties of up to $10,000 per incident for robocallers that break the law and it pushes telcos to implement stricter call authentication technologies. It will make it easier for consumers to identify robocalls so that they can avoid answering them.

  • Google announced that it will offer financial aid to motivate volunteer work done by the open-source community for improving cybersecurity. The tech giant will help them arrange additional resources while prioritizing the security of its products. The support is available for both small teams ($5,000) as well as for a large team ($30,000) of developers.

  • The global law enforcement authorities dismantled the infrastructure behind the Imminent Monitor RAT (IM-RAT), a notorious remote access tool (RAT). Since first appearing in 2012, it was dubbed as the fastest remote administration tool ever created using new—and never used before—socket technology. According to Europol, the tool had more than 14,500 buyers across 124 countries and had been used to infect tens of thousands of victims.

The Bad

The month saw multiple data breaches and incidents that impacted organizations across the world. Smart home device maker Wyze confirmed a server leak that exposed the details of about 2.4 million customers. In other news, the online music streaming service Mixcloud exposed the information of over 21 million user accounts, which was also put up for sale on a dark web forum. Also, sophisticated Chinese hackers managed to steal $1 million during a transfer from a VC firm to a start-up.

  • Smart home tech makers Wyze Labs confirmed a data leak impacting over 2.4 million of its users. The incident had occurred due to an unguarded Elasticsearch database. The database was left open for over three weeks, from December 4 to December 26. Wyze products include smart devices like security cameras, smart plugs, smart lightbulbs, and smart door locks.

  • San Antonio’s Center for Health Care Services (CHSC) and Roosevelt General Hospital (RGH) in New Mexico, were forced to take down their computing systems following malware attacks. RGH suffered malware infection on November 14 and also requested its patients to monitor their credit reports for potential identity theft or fraud attempts.

  • The operators of Maze ransomware publicly released 2GB (of 32 GB) files that were stolen by them during the attack at the city of Pensacola. The crooks had demanded a $1 million ransom to decrypt the locked files. The attackers stated that they released the stolen data to prove to the media that they stole more than just a few files during the attack.

  • A database containing more than 267 million Facebook users’ IDs, phone numbers, and names was left exposed on the web without a password or any other authentication. Experts think this may be the result of an illegal scraping operation wherein bots might be used to copy sensitive information online. More sophisticated attacks could be also planned through this data since it includes both a phone number and an email address.

  • A data breach exposed personal data of nearly 6,000 students of Montgomery County, Maryland. Initially, what looked like a security incident affecting 1,344 accounts at one school, was later found to be affecting nearly 6,000 accounts, during multiple hack attempts involving more schools. The suspect reportedly performed a brute force attack.

  • Around 260 passengers were left stranded after RavnAir canceled at least a half-dozen flights in Alaska due to a cyberattack on its computer systems. Airlines said operations were expected to be slowed or disrupted for the next week because of the necessity of shutting down the IT network. The airline serves more than 100 communities in Alaska, many of which are not accessible by road.

  • A thief reportedly stole multiple unencrypted physical hard drives from a Facebook payroll staffer's car. Some tens of thousands of current and former Facebook employees were impacted. The company also faced criticism due to how long it took to come clean—the break-in took place on 17 November 2019. According to Bloomberg, banking information of 29,000 Facebook employees in the U.S. was compromised.

  • Online music streaming service Mixcloud suffered a data breach exposing the information of over 21 million user accounts. The exposed data was put up for sale for $4,000, or about 0.5 bitcoin, on a dark web forum. The data contained usernames, email addresses, and passwords that were hashed and salted using the SHA-2 algorithm.

  • The details of over 15 million Iranian bank cards were published online after hundreds of bank branches were set on fire last month by demonstrators. Experts suspect a state-sponsored cyberattack and the largest financial scam in Iran’s history. The breach, which mostly targeted Iran’s three largest banks, affected close to one-fifth of the population.

  • Chinese hackers managed to steal $1 million from being wired from a Chinese VC firm to an Israeli startup. The stolen funds were part of an upcoming multi-million dollar seeding fund for the startup. The hacker reportedly sent a total of 18 emails to the Chinese VC firm and 14 to the Israeli startup ahead of the compromised bank transfer.

New Threats

The discovery of new security threats made several headlines this month. A critical flaw in Citrix Application Delivery Controller and Citrix Gateway put 80,000 corporate LANs at risk. On the other hand, at least 200 equipment manufacturers across the world fell victim to a malware campaign called ‘Gangnam Industrial Style’. Moreover, Facebook-owned Whatsapp addressed a severe bug allowing a group member to crash the messaging app for other group members.

  • A critical vulnerability in Citrix Application Delivery Controller and Citrix Gateway put almost 80,000 companies in 158 countries potentially at risk. The bug could allow an attacker to perform arbitrary code execution even without proper authentication. The company had not immediately released a patch but it recommended mitigation techniques that could be implemented until a firmware fix arrives.
  • Researchers identified a phishing campaign targeting PayPal customers with emails camouflaged as ‘unusual activity’ alerts warning them of suspicious logins. The phishers scared the potential victims with limited account access and that they need to secure it by confirming their identity. People clicking on the link in the email were being redirected to a PayPal phishing login page to enter their details.
  • Security researchers discovered three critical remote code execution vulnerabilities in Ruckus Wireless routers. The flaws could let malicious hackers bypass the routers and take control of it remotely. The vulnerabilities existed in the web-based interface. Ruckus has fixed the security flaws with the release of a new 200.7.10.202.92 version. Customers were advised to update their router and apply the patch.
  • A vulnerability was discovered in the Twitter app for Android that attackers could have exploited to obtain sensitive information or take control of accounts. A security researcher said he matched 17 million phone numbers to Twitter user accounts by exploiting the flaw. He matched records from users in Israel, Turkey, Iran, Greece, Armenia, France, and Germany until Twitter put a break on his efforts.
  • Intel CPUs were discovered having a critical flaw called ‘Plundervolt’ that directly breaches Secure Guard Extensions' (SGX) integrity guarantees. The flaw exploits a dynamic voltage scaling feature that CPUs already have, and that can be triggered from software through a special Model Specific Register (MSR). Here, attackers could extract sensitive data, including full RSA encryption keys.
  • The Emotet trojan gang took to Christmas-themed emails with an intent to infect users. The emails are disguised as a Christmas party invite and use subjects like ‘Christmas Party next week’ or ‘Christmas party.’ These invites ask the recipients to view an attached malicious Word document with names like ‘Christmas party.doc’ and ‘Party menu.doc.’ The document once opened, unleashes the embedded macros that will later install the trojan in Windows.
  • At least 200 critical infrastructure equipment manufacturers across the world fell victim to a malware campaign called ‘Gangnam Industrial Style.’ The APT group behind the campaign used industry sector-themed spear-phishing emails and a combination of free tools to steal confidential information through a new variant of Separ malware. However, 60 percent of the affected companies were in South Korea alone.
  • WhatsApp addressed a severe bug that could have allowed a malicious group member to crash the messaging app for all members of the same group. An attacker can trigger the vulnerability by sending a maliciously crafted message to a targeted group. The issue resided in XMPP, a communication protocol for instant messaging.
  • At least 47 million kids’ smart tracker watches were found having multiple vulnerabilities allowing attackers to retrieve or change the real-time GPS position, or to steal audio recordings. The biggest flaw lied in a common shared cloud platform used to power millions of cellular-enabled smartwatches. The researchers commented that it is only the tip of the iceberg.

Related Threat Briefings

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.