
Cyware Monthly Threat Intelligence

Monthly Threat Briefing Jul 1, 2019

The Good

As we gear up to a new month of 2019, let’s quickly glance through all that happened over the past month. Before we get into the cybersecurity incidents and the new threats, let’s first acknowledge all the positive events that happened over the past month. Google announced its expansion of Android’s security key technology to iOS devices.

SK Telecom developed a new technology that allows quantum password keys to be switched and routed to different networks. Meanwhile, Microsoft announced a new feature called ‘OneDrive Personal Vault’ that adds a security layer to protect sensitive files.

  • Apple unveiled a new ‘Find My’ app, which is available on its Mac and iOS platforms. The new app is a merged version of the ‘Find My Friends’ and ‘Find My iPhone’ apps. Its purpose is to help users locate lost macOS and iOS devices even when those devices are not connected to Wi-Fi or a cellular network. The app leverages nearby Bluetooth-enabled Apple devices to accomplish this.

  • Google announced that it is expanding Android’s security key technology to iOS devices. This means iPhone and iPad users can use an Android smartphone as a security key when logging into their Google accounts on an iOS device. For this to work, users must have Bluetooth enabled on both their iOS and Android devices.

  • Instagram is testing a new in-app account recovery process to help users recover their accounts in the event of a hack. This recovery method would let users regain access even if the hacker changed the username and contact details.

  • The Commonwealth Scientific and Industrial Research Organisation's (CSIRO) Data61 announced that its researchers have developed a technique dubbed ‘Vaccination’ to protect AI and machine learning algorithms from adversarial attacks. This technique is currently used to identify spam emails, diagnose diseases from X-rays, and predict crop yields.

  • SK Telecom announced that it has developed a new technology that allows quantum password keys to be switched and routed to different networks. This technology allows networks to transfer a quantum password key to another network when the network being used is down. It will also allow routing of the transfer when connected to multiple networks.

  • Microsoft announced a new security layer for protecting sensitive files with its new feature ‘OneDrive Personal Vault’. This feature is a protected area in OneDrive that can be accessed only with the Microsoft Authenticator app or a second step of identity verification, such as fingerprint, face recognition, PIN, or authentication code. This feature is supported in web, Android, iOS, and Windows 10.

  • Financial services company Moody’s Corporation collaborated with cybersecurity think-tank Team8 for developing a framework to measure businesses’ defenses and preparedness against cyber attacks. This framework will help companies that engage in mergers and acquisitions or when purchasing cyber insurance policies.

The Bad

June witnessed numerous data breaches and cyber attacks that saw the exposure of millions of people's personal information across the globe. A cybersecurity firm revealed that a Chinese threat group had launched cyberattacks against several telecommunication companies across 30 countries since 2017. In another instance, the Chinese cyber-espionage campaign ‘Cloud Hopper’ compromised almost eight tech services companies. Meanwhile, the US Customs and Border Protection agency disclosed that the photos of travelers and license plates have been compromised in a cyber attack at one of its contractors.

  • The web payment page breach at American Medical Collection Agency (AMCA) has impacted millions of patients of Quest Diagnostics, Laboratory Corporation of America Holdings (LabCorp), and OPKO Health Inc. While Quest Diagnostics saw the compromise of personal and financial information of nearly 11.9 million patients, LabCorp disclosed that 7.7 million customers were affected. In addition, the breach affected around 422,600 patients of OPKO Health Inc.

  • Private details of almost 100,000 Australian bank customers were exposed in a cyber attack on Westpac’s PayID service. An investigation revealed that the attack had begun on April 7, 2019. The company confirmed that no financial information was compromised in the attack.

  • A security lapse at IT giant Tech Data exposed its customer and billing data. The incident was caused by an unprotected database that contained a swath of customer personal data and records related to payment cards. After being notified by a research team from vpnMentor, Tech Data secured the database.

  • The Australian National University confirmed that around 200,000 people were impacted by a data breach that took place in late 2018. The unauthorized party accessed a significant amount of personal data relating to staff, students, and visitors. Some of the data is believed to be as old as 19 years.

  • An unprotected Elasticsearch database belonging to FMC Consulting had exposed millions of resumes and company data. The leaky database contained 884,178 internal emails, 5,392,816 company records, 110,000 customer records and 73,000 client messages. Upon learning this, CNCERT/CC immediately took down the unsecured database.

  • ASCO, one of the largest airplane parts manufacturers, suffered a ransomware attack that crippled production in factories across four countries: Belgium, Germany, Canada, and the United States. ASCO’s factory in Zaventem, Belgium was hit by a ransomware infection that caused major downtime, as most of the plant’s IT systems were infected. As a result, almost 1,000 of its 1,400 workers were sent home.

  • A Distributed Denial of Service (DDoS) attack on the Telegram messenger caused service outages and connection problems for users, primarily in South and North America but also in other parts of the world. A botnet of compromised computers flooded Telegram’s servers with traffic, resulting in unstable connections as the service could not handle all the requests. The attack originated from China during the Hong Kong protests.

  • E-invitations platform Evite admitted that it suffered a data breach in February. The stolen user data was put up for sale on the Dream Market marketplace by the infamous hacker ‘Gnosticplayers’. Evite also provided additional details about the breach: the social planning website revealed that an unauthorized third party gained access to an inactive data storage file that contained Evite user accounts from prior to 2013.

  • The retro gaming site ‘Emuparadise’ suffered a data breach in April 2018, which led to the exposure of account details of almost 1.1 million Emuparadise forum members. The exposed account information included members’ email addresses, IP addresses, usernames, and passwords stored as salted MD5 hashes.

  • The US Customs and Border Protection agency (CBP) disclosed that photos of travelers and license plates were compromised in a cyber attack at one of its contractors. CBP said that the contractor transferred copies of license plate images and traveler photos collected by CBP to the company’s own network, which was later compromised by an attacker. The agency did not reveal the name of the contractor; however, CBP’s public statement sent to the Washington Post included the name “Perceptics” in its title (“CBP Perceptics Public Statement”), indicating that the contractor was Perceptics.

  • Desjardins, one of the world’s largest banks, suffered a security breach after a rogue employee stole the data of 2.9 million customers and disclosed it to individuals outside Desjardins without authorization. The data leak impacted almost 2.7 million home users and 173,000 business customers. The financial institution fired the employee responsible for the leak.

  • Mermaids UK disclosed that between 2016 and 2017 it had inadvertently published part of its email database, containing 1,000 pages of confidential emails, on the internet. The exposed emails included the private details of transgender children and young people.

  • A cybersecurity firm revealed that a Chinese threat group had launched cyberattacks against several telecommunication companies across 30 countries since 2017. The tools used in the attacks are linked to the APT10 threat group. The attackers attempted to obtain call detail record (CDR) data such as call logs and cell tower locations, and attempted to compromise the critical assets of the telecom companies.

  • A hacker stole 9.3 million Ripple (XRP) coins worth $4.25 million and 2.5 million Cardano (ADA) coins worth $225,000 from the Bitrue cryptocurrency exchange. Bitrue administrators detected the hack and immediately shut down trading on the platform. The exchange also worked closely with Huobi Global, Bittrex, and ChangeNOW to freeze the affected funds and accounts.

  • The City Hall in Lake City, Florida, which suffered a ‘Triple Threat’ ransomware attack on June 10, 2019, paid the attackers 42 bitcoins worth nearly $500,000 to recover the encrypted files. The city’s insurance provider made the payment on June 25, 2019. Soon after, the attackers provided the decryption key to retrieve the city’s files and data.

  • Taiwan’s Ministry of Civil Service (MOCS) suffered a data breach compromising the personal information of almost 243,376 civil servants, including both local and central government officers. The compromised information included ID numbers, names, national identification card numbers, agency information, and job designations.

  • A ‘human hacking’ forum, Social Engineered, was breached and its user data published on a rival website. The data includes 89,000 unique email addresses linked to 55,000 forum account holders, along with usernames, IP addresses, and passwords. The breach was due to a security hole in the MyBB open-source forum software.

  • Unprotected Amazon Web Services cloud storage servers belonging to Attunity exposed the company’s passwords and network information. The leaky servers also exposed sensitive information belonging to some of its high-profile customers, including Ford Motor Company and the Toronto-Dominion Bank.

  • The Chinese hacking campaign ‘Cloud Hopper’ compromised almost eight tech services companies. The impacted companies include Ericsson, Hewlett Packard Enterprise, IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology.

  • Attackers stole administrative credentials of the cloud solutions provider PCM that were used to manage client accounts within Office 365. A security expert at a PCM customer said that the attackers’ prime motive was to steal client information that could be used to conduct gift card fraud at various retailers and financial institutions.

New Threats

Several new malware families, ransomware variants, vulnerabilities, and threat groups emerged over the past month. Researchers spotted a new variant of DanaBot that comes with a new ransomware module. A new variant of the Mirai botnet that uses 18 exploits to target IoT devices was spotted in the wild. Meanwhile, a critical vulnerability was uncovered in the Outlook for Android app that impacted over 100 million users.

  • A newly discovered GoldBrute botnet compiled a list of over 1.5 million unique systems with exposed RDP connections. The attack begins by gaining access to a system through a brute-force attack. If successful, a ZIP file containing the GoldBrute malware code is downloaded onto the system.
  • Researchers spotted a new malware dubbed ‘Silex’. This malware is capable of corrupting IoT devices’ storage, deleting the network configuration, dropping firewall rules, and halting the device. The malware is a bot designed to brick IoT devices. ZDNet found that around 2,000 devices had been rendered inoperable within an hour of the malware’s discovery.
  • Researchers spotted a new malware dubbed ‘GolfSpy’ which is capable of stealing system information from an infected Android device. This malware is also capable of listing, deleting, and renaming files, taking screenshots, recording audio and video, and updating itself.
  • Over 440 million Android phones have been infected by BeiTaPlugin adware. The adware is distributed via 238 unique applications on Google Play. It forcibly displays ads on the users’ screen even when the phone is locked as well as triggers unwanted video and audio advertisements on victims’ phones.
  • Researchers have uncovered a new variant of the Mirai botnet that uses 18 exploits to target IoT devices. This variant adds eight new exploits to the 10 existing ones. It is capable of targeting devices ranging from wireless presentation systems to set-top boxes, SD-WANs, and even smart home controllers. It also includes an exploit targeting the Oracle WebLogic Server RCE vulnerability.
  • The FIN8 threat group is back with a new variant of the ShellTea/PunchBuggy backdoor targeting the hospitality industry. The ShellTea malware is capable of creating and executing files, writing data or shellcode it receives from the C&C server, and executing that shellcode. The malware leverages a hashing algorithm to evade detection by antivirus tools.
  • Twitter URLs could be abused by bad actors for various nefarious activities, including distributing malware, spreading fake news, and redirecting users to a phishing page. A bad actor could abuse a tweet URL by simply changing the username while using a status ID that points to a tweet from an account under their control. In this way, attackers could spread fake news or malicious content, as users click on the tweet thinking it is from a trusted source.
  • Researchers have uncovered a cryptojacking campaign in which attackers used NSA hacking tools to compromise vulnerable computers of businesses across the globe. The NSA tools used in this campaign include EternalBlue and EternalChampion. Using these tools, attackers target unpatched Windows computers to install XMRig Monero miners.
  • Researchers spotted a new variant of Ryuk ransomware that blacklists IP addresses to avoid encrypting already infected computers. The partial IP address strings that are searched by the ransomware are 10.30.4, 10.30.5, 10.30.6, and 10.31.32. The new Ryuk variant also compares the computer name to the strings ‘SPB’, ‘spb’, ‘MSK’, ‘Msk’ and ‘msk’ to simplify its infection process.
  • A cybersecurity firm, along with Europol, DIICOT, the FBI, and the Metropolitan Police, released a free decryptor tool for the infamous GandCrab ransomware. The decryptor was released shortly after the developers of the ransomware announced their plan to retire. The tool works for all versions of the ransomware from v5.0 through v5.2.
  • Researchers spotted a new variant of DanaBot that comes with a new ransomware module. On top of this, the updated variant also includes new plugins, configuration files, string encryptions, file name generation algorithms as well as a different communication protocol.
  • A critical vulnerability in the Outlook for Android app impacts more than 100 million users. The security flaw is a spoofing vulnerability that could allow attackers to conduct cross-site scripting (XSS) attacks on devices with the app installed. The flaw is the result of an issue with email parsing. The vulnerability affects versions of Outlook for Android prior to 3.0.88.
  • Researchers have uncovered a new variant of the Mirai botnet dubbed Echobot. This new variant uses a total of 26 exploits to target IoT devices. Its targets include network-attached storage devices (NAS), routers, network video recorders (NVR), IP cameras, IP phones, and wireless presentation systems.
  • Researchers observed multiple malspam campaigns distributing the LokiBot and NanoCore trojans. These malspam emails are disguised as an invoice with an ISO disk image attachment, which upon opening drops LokiBot and NanoCore on the victims’ systems.
  • Several vulnerabilities have been detected in Electronic Arts’ Origin platform. These vulnerabilities exposed 300 million gamers to account takeover attacks by abusing authentication tokens and related trust mechanisms. The vulnerabilities have since been fixed by EA.
  • Sodinokibi ransomware, also known as REvil, is being distributed via malvertising that leads to the RIG exploit kit, marking the first time Sodinokibi has been seen using exploit kits to infect victims. The malvertising campaigns that distributed Sodinokibi ran on the PopCash ad network.
