Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Monthly Threat Intelligence

Cyware Monthly Threat Intelligence - Featured Image

Monthly Threat Briefing Sep 30, 2019

The Good

September just rolled by, and it’s time to recollect the happenings of the past month in cyberspace. Microsoft, Hewlett Foundation, MasterCard, and other corporations have jointly launched the ‘CyberPeace Institute’, a non-profit organization that protects victims from cyberattacks. A new technique called ‘Splintering’ that makes hacking passwords more difficult has been developed by researchers at Tide. In other news, the United States Department of Defense has launched a counter-insider threat program to educate analysts on malicious insider risks.

  • Microsoft, Hewlett Foundation, MasterCard, along with other major corporations have launched the non-profit organization called the CyberPeace Institute, which is designed to protect victims against cyberattacks.

  • Researchers at Tide have developed a new technique dubbed ‘Splintering’ to protect usernames and passwords. This technique takes encrypted passwords within an authentication system, breaks them up into multiple fragments, and stores them on a decentralized distributed network from where they can be reassembled when required. Researchers claim that Splintering is 14 million percent more difficult to hack when compared to other techniques.

  • The U.S. Department of Defense (DOD) has launched a counter-insider threat program. The objective of this program is to educate analysts on how to identify potential insider threats and detect suspicious behavior. The Defense Counterintelligence and Security Agency's Center for Development of Security Excellence has also provided resources for employees about insider threats.

  • Hitachi Europe Ltd. has announced a new biometric technology dubbed ‘Hand gesture biometric authentication’. This technology couples Hitachi's proven secure finger vein technology with any device that has a camera. This authentication system replaces passwords, fingerprint scanning, and facial recognition systems for authorizing transactions.

  • The United States Healthcare and Public Health Sector Coordinating Council (HSCC) has launched a cybersecurity matrix for information sharing. This online resource, called the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), provides a list of organizations that facilitate information sharing. Each of these sources comes with its mission and other related details.

  • The Joint Artificial Intelligence Center is creating a framework for collecting, sharing and storing the military’s cybersecurity data, which will lay the foundation for AI-powered cyber defense tools. This would help train AI to monitor military networks for potential threats.

The Bad

This month saw a fair number of cyber attacks and data exposures. An unsecured server with at least 419 million records of phone numbers linked to various Facebook users was discovered by researchers. Meanwhile, a notorious hacker who goes by the name Gnosticplayers has hacked the popular word puzzle game called ‘Words With Friends’, compromising the data of more than 218 million users. On the other hand, a leaky Elasticsearch database belonging to a consulting company called Novaestrat exposed the personal information of over 20 million Ecuador citizens.

  • A security researcher uncovered an unguarded server that contained at least 419 million records of phone numbers linked to several Facebook users including celebrities. The exposed records included users’ unique Facebook ID and their associated phone numbers. Some of the exposed records also included Facebook users’ names, gender, and country.

  • A popular word puzzle game named ‘Words With Friends’ developed by mobile social game company Zynga Inc has been breached. The hacker, who goes by the name Gnosticplayers, gained unauthorized access to a database of more than 218 million users. The compromised information includes names, email addresses, login IDs, and Zynga account IDs among others.

  • The personal information of over 20 million Ecuador citizens was exposed because of a leaky Elasticsearch database. The exposed data, belonging to a company called Novaestrat, includes personal information of individuals and family members, financial information, employment details, and other data. The database contained around 18GB of data, that appeared to be sourced from Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank named Biess among others.

  • Attackers infected the City of New Bedford in Massachusetts with Ryuk ransomware and demanded a ransom payment of $5.3 million. The city made a counteroffer of $400,000, which was subsequently declined by the attackers. The city has now decided to restore its data from back-ups.

  • Security researchers discovered an Elasticsearch database belonging to DK-Lok, that was left publicly accessible without any authentication. The leaky database exposed DK-Lok's internal and external communication records including emails sent between staff and their clients. Some of the exposed email records were marked as “private” and “confidential”. Apart from emails, the personal information of staff and clients such as names of employees and clients, their email addresses, employee/user IDs, and phone numbers were also exposed.

  • Attackers launched a massive DDoS attack against Wikipedia and took down its website across various countries. The attack, launched on September 6, 2019, targeted several countries including the U.K., France, Germany, Italy, The Netherlands, Poland, and parts of the Middle East.

  • An unprotected database belonging to a cybercriminal network has exposed almost 17 million email addresses. The breach allowed access to the personal details of users purchasing tickets from any website using the Neuroticket software. This impacted popular ticket vendors such as Groupon, Ticketmaster, and Tickpick apart from various small independent venues.

  • Yves Rocher exposed the information of over 2.5 million Canadian customers due to an unprotected database managed by Aliznet. A majority of affected customers were located in Canada. The exposed information includes names, phone numbers, email addresses, birth dates, zip codes, and FID numbers. FID numbers are used by several countries for international shipping or tax purposes.

  • An unprotected Elasticsearch database belonging to Dealer Leads has exposed almost 198 million records containing information about potential car buyers. The exposed data includes names, email addresses, phone, addresses, IP addresses, ports, pathways, storage information, loan and finance inquiries, and details of vehicles that were for sale.

  • Magecart card-skimming attack hit hotel chains across 14 countries. Mobile users of these hotel chains were targeted to steal payment card details and other sensitive information. Both the hotel websites were observed to be developed by a Spain-based company named Roomleader, whose module was compromised to inject malicious code.

  • Data of 24.3 million Lumin PDF users was found on a hacking forum. The data, which is in a 2.25GB ZIP file includes names, gender, Google Access tokens, email addresses, locale settings, and hashed password strings.

  • Two unsecured MongoDB databases with 1,444,375 records of email accounts, 2,196,840 passwords strings, and 752,645 entries of usernames were discovered. The databases were found to belong to a criminal group that is responsible for the Gootkit malware.

  • Hackers have infected Click2Gov payment portals in 8 cities. Almost 20,000 payment records have been compromised and are said to be available on the dark web for sale. The affected cities include Deerfield Beach, Palm Bay, Milton, and Coral Springs in Florida to name a few.

  • For the second time this month, the personal details of nearly 20 million Ecuadorian citizens were exposed. The unprotected server, reportedly located in Germany, belongs to an Ecuadorian company called Databook. The compromised information includes names, workplaces, family member details, phone numbers, vehicle information, and emails.

  • DoorDash, a food delivery service, has disclosed a data breach that affected nearly 5 million customers. The breach exposed customer details such as names, phone numbers, delivery addresses, email addresses, payment information, and more. The company said that full credit card information and full bank details were not exposed.

  • Researchers have discovered a phishing campaign launched by an Iran-linked hacker group called Cobalt Dickens that has targeted over 380 universities across over 30 countries. This campaign has predominantly affected the universities in Canada, Australia, the US, and the UK. The hacker group has targeted universities in order to steal intellectual property that can be used for financial gain.

  • Researchers analyzed over 2300 Picture Archiving and Communication System (PACS) servers and found out that at least 590 systems were unsecured, exposing more than 24.3 million patient records. The servers were spread across 59 countries including the United States, Brazil, Italy, and India.

  • The personal data of customers of major airline companies owned by Lion Air and Malindo Air was found in an open AWS storage bucket. The exposed data includes names, email addresses, phone numbers, physical addresses, passport numbers, passport expiration dates, dates of birth, and passenger and reservation IDs.

New Threats

Various new malware activities and vulnerabilities were reported in September. The infamous threat group Fancy bear has reappeared in the threat landscape with an updated set of tools. Emotet botnet has also returned after a break since June. On the other hand, the TrickBot trojan has been distributed in a massive phishing attack targeting various U.S. states.

  • Notorious threat group Fancy Bear has returned with an updated set of tools. This group, known for its politically-motivated attacks, is observed to be using phishing emails. The updates include the use of a new programming language, Nim, and a backdoor written in GoLang.
  • The Emotet botnet resurfaced after a break since June. The latest campaign primarily targeted Poland and Germany among other countries. The campaign was observed to send phishing emails based on financial themes. Some of the emails were disguised as replies to previous email conversations.
  • The infamous TrickBot trojan has returned in a massive phishing attack targeting several states in the U.S. The affected states include California, Maryland, Illinois, New York, Texas, Minnesota, and New Jersey. The phishing emails included a malicious zip file attachment disguised as receipt and invoice documents. The operators of TrickBot trojan have also changed their propagation methods and are now using a JavaScript downloader dubbed ‘Ostap’ to deliver the trojan. This downloader is delivered as a Microsoft Word 2007 macro-enabled (.DOCM) document. The downloader is also equipped with anti-analysis features.
  • A security researcher who goes under the name ‘Mol69’ spotted a new malvertising campaign that distributes the Nemty ransomware via the RIG exploit kit (EK). This variant appends the ‘.NEMTY_Lct5F3C’ extension to the encrypted files. The ransomware also drops a ransom note that provides payment instructions to recover the encrypted files.
  • Researchers have identified that Android smartphones including models by Samsung, Huawei, LG, and Sony, are vulnerable to advanced phishing attacks via Open Mobile Alliance Client Provisioning (OMA CP) messages. An attacker requires IMSI numbers of mobile devices in order to carry out the attack. Once a CP is authenticated with the recipient’s IMSI number, Huawei, LG and Sony phones allow installation of malicious settings. However, attackers can send unauthenticated OMA CP messages to Samsung phones even without the need for obtaining IMSI numbers.
  • Security researchers have reported a new vulnerability in Intel chips that abuses the Data-Direct I/O (DDIO) feature. Dubbed NetCAT, this vulnerability allows attackers to observe keystrokes in SSH sessions in the compromised machines. This vulnerability, tracked as CVE-2019-11184 by Intel, is a side-channel leak that requires direct access to the vulnerable system.
  • U.S. Cyber Command has shared 11 malware samples with VirusTotal, which are believed to be linked with North Korean government hacker groups. Most of these samples are tied to the notorious Lazarus Group which has been active since at least 2009. The Cyber Command has discovered several samples similar to the well-known malware called HOPLIGHT.
  • A series of vulnerabilities have been discovered in Verizon Wireless systems that could have been exploited by to gain access to 2 million customer contracts. The customer contracts contained information such as full name, address, mobile number, and signature of customers. It also included the model and the serial number of the device brought by customers.
  • Thousands of Google Calendars were found to be leaking private information online because of a misconfiguration. It was discovered that anyone could access and add events in more than 8000 calendars that were indexed by Google’s search engine.
  • A passcode bypass flaw was reported in iOS 13, which was released on September 19, 2019. It could allow hackers to access the phone book of a victim by following a series of seemingly harmless steps. This security flaw is yet to be patched.
  • The infamous Nemty ransomware’s code has been updated to make it capable of killing processes and services. The update, that retained the same version number, was also found to have enriched the list of blacklisted countries.
  • Old Magecart domains have been observed to be purchased for malicious purposes. Most of the domains used in old Magecart attacks have been sinkholed and seized. However, some of them have been released back into the pool of available domains and are being used in malvertising campaigns by other threat actors.
  • A new malspam campaign targeting a large U.S. manufacturing company has been observed lately. The campaign distributes the infamous LokiBot trojan that is capable of stealing sensitive information. An attachment in the form of the #RFQE67Y54.7z file actually contained the LokiBot.

Related Threat Briefings

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.