
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Nov 4, 2019

The Good

As October comes to an end, let’s recap all that happened in the world of cyberspace over the last month, starting with the positive developments. The U.S. National Security Agency has launched a Cybersecurity Directorate to improve the country’s cyberdefenses. Cyberspace research also had a good month: researchers announced work on a Cyber Anomaly Detection System to detect cyber intrusions on drones and military helicopters, and others reported progress on a new cybersecurity method inspired by the human body.

  • The United States National Security Agency (NSA) has announced the launch of a new Cybersecurity Directorate. This new organization will improve the country’s cyberdefenses by bringing NSA’s threat detection operations, technologies, and cybersecurity personnel together. Initially, the directorate’s focus will be on the defense industrial base and weapon security.

  • Researchers are working on a new technology called the Cyber Anomaly Detection System that can detect cyber intrusions on drones and military helicopters. For now, this warning system only detects attacks; future versions are expected to counter attacks and possibly repair the damage.

  • Researchers are developing a new cybersecurity method that is inspired by the human body. Using machine learning, the system would be taught to recognize various cyber threats. This method is expected to predict an attack before it happens by observing changes in the environment.

  • Researchers from Intel have designed a new type of CPU memory dubbed ‘SAPM memory’ that offers protection against speculative execution side-channel attacks. SAPM offers the flexibility of storing only sensitive data in dedicated memory regions. This memory type will implement hardware-level protection and works with physical and virtual memory addresses.

  • Microsoft and the National Institute of Standards and Technology (NIST) are working together to develop a new guide that makes enterprise patch management easier. The project will focus on building common enterprise patch management reference architectures and processes. The results are expected to be shared in the NIST Special Publication 1800 practice guide after the relevant vendors validate the implementation instructions in the NCCoE lab.

  • Researchers from North Carolina State University have developed an open-source tool called VisibleV8 that can track and record JavaScript program behavior without alerting the websites that run the programs. The tool runs in the Chrome browser and can detect malicious programs that malware detection systems may miss. It is said to contain only 600 lines of code.

The Bad

October also saw two cybersecurity providers disclose details of breaches they had suffered, and an underground store was hacked. Avast went public with the details of a breach, detected in September this year, that resembled the 2017 CCleaner incident. In similar news, NordVPN disclosed a data breach that affected one of its data centers in March 2018. Meanwhile, BriansClub, one of the largest troves of stolen card data, was hacked.

  • Internet security software provider Avast disclosed that a security breach was detected on September 23, 2019. The attackers compromised an employee’s VPN credentials to gain access to an account that was not protected using a multi-factor authentication solution. The attack was said to be similar in nature to the infamous CCleaner 2017 incident.

  • NordVPN disclosed a data breach that affected one of its data centers in March 2018. The company said that the breach happened because of poor configuration on a third-party data center. No other servers or user credentials were said to be impacted.

  • One of the largest underground stores for stolen online credit card data, BriansClub, was hacked. The trove contained more than 26 million credit and debit records that have been stolen from retailers in the past 4 years. This data could allow hackers to create fake cards to illegally purchase goods from stores.

  • Amazon Web Services was hit by a distributed denial-of-service (DDoS) attack that lasted for around 8 hours. The attack primarily impacted the company's Route 53 DNS web service, causing service outages for many websites and taking parts of AWS off the internet.

  • More than 500 million UC Browser Android users have been exposed to man-in-the-middle (MiTM) attacks because of an Android Package Kit (APK) download. This download was from a third-party server over unprotected channels. This violated Google’s policy that requires apps distributed via Google Play to modify, replace, or update only through Google Play’s mechanism.

  • Tū Ora Compass Health disclosed a cyberattack on its website that put the medical data of a million New Zealanders at risk. The possibly compromised information included names, dates of birth, ethnicity, addresses, National Health Index numbers, and enrolment information at medical centers. The attack occurred in August, and officials were unable to confirm whether any information was accessed.

  • Russian internet service Beeline fell victim to a data breach that resulted in the data of 8.7 million customers being sold online. The data contained personal information including names, phone numbers, and addresses. Beeline said that the compromised data belonged to Russian customers who opted for home broadband connections before November 2016.

  • Ten hospitals, three in Alabama and seven in Australia, have fallen victim to a ransomware attack. The attack forced the hospitals to shut down IT infrastructure and limit patient intake. Emergency procedures were implemented in several hospitals to ensure safe operations.

  • Comodo Forums suffered a data breach impacting over 170,000 users. The breach leveraged a vulnerability in the vBulletin software used to power the forum. The compromised data, which included usernames, passwords, and email addresses, was reportedly traded online.

  • An Elasticsearch database that was not password protected exposed the data of around 7.5 million Adobe Creative Cloud users. The exposed information included customer account details, and no passwords or financial information were compromised. The team from Adobe secured the database the day they were notified about it.

  • Georgia was hit by a massive cyberattack that impacted over 15,000 websites in the country, including government and media sites. The attack, the country’s largest so far, was launched by breaching the network of Pro-Service, a local web hosting provider.

  • One of India’s largest power plants, the Kudankulam Nuclear Power Plant (KNPP) was infected by malware, said its parent company NPCIL. The malware was said to have infected only the administrative network and not the critical internal network.

New Threats

Several malware strains and vulnerabilities were spotted this month. The Emotet Trojan was observed to be propagated using fake Microsoft Office Activation Wizard documents. A decryptor for the Nemty ransomware was published this month. In other news, a security bypass vulnerability in Sudo, the Linux command, was identified by researchers.

  • The Emotet Trojan was reported to be spread by fake Microsoft Office Activation Wizard documents. The spam emails tricked potential victims into enabling macros in the document. Once the macros were enabled, a script was executed to download and install the Emotet Trojan.

  • Researchers have published a decryptor for the Nemty ransomware that allows victims to recover files at no cost. The decryptor currently works only for certain file types, such as AVI, GIF, and MP4, among others. The decryption key is generated on the researchers’ servers to prevent hackers from analyzing the decryptor.

  • Researchers have discovered a security bypass flaw in Sudo, a widely used Linux command. This flaw can potentially allow an attacker to execute arbitrary commands as root on the targeted Linux system without requiring a password. Linux users running sudo versions prior to 1.8.28 are impacted by this flaw.

  • A new variant of the infamous Adwind RAT is targeting the United States petroleum industry. The malware is distributed through malspam campaigns that spread malicious URLs or attachments. Researchers observed that the malware’s functionality has remained the same as in previous versions, but its obfuscation technique has changed.

  • A vulnerability was discovered in WhatsApp for Android that allows remote attackers to potentially execute arbitrary code on vulnerable devices. The flaw resides in the library used to create GIF file previews when a user opens the Gallery view in WhatsApp to send media files.

  • A BitPaymer ransomware campaign that exploits a zero-day vulnerability in iTunes for Windows has been observed. Researchers found that the campaign targets the public and private sectors in the U.S. The security flaw is in the Bonjour Updater that delivers updates.

  • The United Kingdom’s National Cyber Security Centre (NCSC) has issued a warning that Advanced Persistent Threat (APT) groups are exploiting recently disclosed vulnerabilities in VPN products from Fortinet, Palo Alto Networks, and Pulse Secure. The vulnerabilities potentially allow attackers to retrieve files containing sensitive data, including authentication credentials.

  • The US Department of Defense (DoD) and HackerOne announced that the US Cyber Command’s ‘Hack the Proxy’ bug bounty program uncovered more than 30 vulnerabilities. This is the Department of Defense’s eighth bug bounty program, sponsored by the US Cyber Command. Of the vulnerabilities discovered across Department of Defense proxies, virtual private networks, and virtual desktops, 9 were high severity and 1 was critical.

  • The recently discovered Simjacker vulnerability is said to be impacting hundreds of SIM cards issued by around 61 mobile operators in 29 countries. Researchers said that all Android, iOS, and IoT devices that rely on SIM card technology are vulnerable to the Simjacker attack. It is believed that the SS7 threat actor group, which works with the government to monitor individuals’ activity, is behind the attack.

  • The US Federal Bureau of Investigation (FBI) has issued a warning about Magecart, or web-skimming, attacks. The warning is aimed specifically at small and medium-sized businesses and government agencies that accept card payments online. Recommendations and mitigations accompanied the warning.

  • The National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC) have released a joint statement about Turla, the Russian threat actor that compromised the infrastructure of an Iranian threat group to launch cyberattacks on several countries. Turla is believed to have exfiltrated data from the Iranian APT, including directory listings and files, keylogger output containing operational activity, and connections to Iranian C2 domains.

  • A Linux security flaw in the ‘rtlwifi’ (Realtek WiFi) driver has been disclosed. Tracked as CVE-2019-17666, this bug potentially allows attackers to entirely compromise affected machines. The Linux team has developed a patch that is under review and is yet to be incorporated.

  • A security researcher identified vulnerabilities in the API and firmware of Xiaomi FurryTail smart pet feeders. Without a password, the feeding schedules on 10,950 devices could reportedly be modified by exploiting these vulnerabilities. It was also said that malicious attackers could hijack the pet feeders into an IoT DDoS botnet by leveraging these flaws.
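The Sudo item above gives only one actionable number: installations older than 1.8.28 are affected. The following POSIX shell script is an added example, not part of the Cyware briefing, that turns that number into a fleet check: it parses the first line of `sudo --version` (assumed to read `Sudo version X.Y.Z`, possibly with a `pN` patch suffix) and compares it against the fixed release with a dotted-version comparison rather than a string compare.

```shell
#!/bin/sh
# Added example (not from the Cyware briefing): flag a sudo install that
# predates 1.8.28, the first release the briefing names as unaffected.
# Assumptions: the fixed version below, and the "Sudo version X.Y.Z"
# first line printed by `sudo --version`.
FIXED_SUDO_VERSION="1.8.28"

# version_lt A B : exit 0 if A sorts strictly before B as a dotted version.
# A trailing patch suffix such as "p1" is dropped (1.8.28p1 is not < 1.8.28).
# A "." is appended so every component lookup with cut is well defined.
version_lt() {
    a="$(printf '%s' "$1" | sed 's/p[0-9]*$//')."
    b="$(printf '%s' "$2" | sed 's/p[0-9]*$//')."
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both exhausted at the same depth: versions are equal, so not "less than".
        [ -z "$x" ] && [ -z "$y" ] && return 1
        x=${x:-0}; y=${y:-0}          # 1.8 compares as 1.8.0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# sudo_vulnerable_version VERSION : exit 0 if VERSION predates the fixed release.
sudo_vulnerable_version() {
    version_lt "$1" "$FIXED_SUDO_VERSION"
}

# installed_sudo_version : the version string from the local sudo binary, if any.
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

main() {
    v=$(installed_sudo_version)
    if [ -z "$v" ]; then echo "sudo not found or version not parseable"; return 2; fi
    if sudo_vulnerable_version "$v"; then
        echo "sudo $v predates $FIXED_SUDO_VERSION: update required"; return 1
    fi
    echo "sudo $v is at or above $FIXED_SUDO_VERSION"
}

# Run the local check only when invoked as: sh check_sudo.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

A non-zero exit from `main` makes the script usable directly as a configuration-management or CI compliance probe.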
