Cyware Monthly Threat Intelligence

Monthly Threat Briefing • Sep 30, 2019
The Good
September just rolled by, and it’s time to recollect the happenings of the past month in cyberspace. Microsoft, Hewlett Foundation, MasterCard, and other corporations have jointly launched the ‘CyberPeace Institute’, a non-profit organization that protects victims from cyberattacks. A new technique called ‘Splintering’ that makes hacking passwords more difficult has been developed by researchers at Tide. In other news, the United States Department of Defense has launched a counter-insider threat program to educate analysts on malicious insider risks.
Microsoft, Hewlett Foundation, MasterCard, and other major corporations have launched a non-profit organization called the CyberPeace Institute, which is designed to protect victims against cyberattacks.
Researchers at Tide have developed a new technique dubbed ‘Splintering’ to protect usernames and passwords. This technique takes encrypted passwords within an authentication system, breaks them up into multiple fragments, and stores them on a decentralized distributed network from where they can be reassembled when required. Researchers claim that Splintering is 14 million percent more difficult to hack when compared to other techniques.
The U.S. Department of Defense (DOD) has launched a counter-insider threat program. The objective of this program is to educate analysts on how to identify potential insider threats and detect suspicious behavior. The Defense Counterintelligence and Security Agency's Center for Development of Security Excellence has also provided resources for employees about insider threats.
Hitachi Europe Ltd. has announced a new biometric technology dubbed ‘Hand gesture biometric authentication’. This technology couples Hitachi's proven secure finger vein technology with any device that has a camera. This authentication system replaces passwords, fingerprint scanning, and facial recognition systems for authorizing transactions.
The United States Healthcare and Public Health Sector Coordinating Council (HSCC) has launched a cybersecurity matrix for information sharing. This online resource, called the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), provides a list of organizations that facilitate information sharing. Each listing includes the organization's mission and other related details.
The Joint Artificial Intelligence Center is creating a framework for collecting, sharing and storing the military’s cybersecurity data, which will lay the foundation for AI-powered cyber defense tools. This would help train AI to monitor military networks for potential threats.
The Bad
This month saw a fair number of cyberattacks and data exposures. An unsecured server with at least 419 million records of phone numbers linked to various Facebook users was discovered by researchers. Meanwhile, a notorious hacker who goes by the name Gnosticplayers hacked the popular word puzzle game ‘Words With Friends’, compromising the data of more than 218 million users. Elsewhere, a leaky Elasticsearch database belonging to a consulting company called Novaestrat exposed the personal information of over 20 million Ecuador citizens.
A security researcher uncovered an unguarded server that contained at least 419 million records of phone numbers linked to Facebook users, including celebrities. The exposed records included users’ unique Facebook IDs and their associated phone numbers. Some of the exposed records also included Facebook users’ names, gender, and country.
A popular word puzzle game named ‘Words With Friends’, developed by the mobile social game company Zynga Inc., has been breached. The hacker, who goes by the name Gnosticplayers, gained unauthorized access to a database of more than 218 million users. The compromised information includes names, email addresses, login IDs, and Zynga account IDs, among others.
The personal information of over 20 million Ecuador citizens was exposed because of a leaky Elasticsearch database. The exposed data, belonging to a company called Novaestrat, includes personal information of individuals and family members, financial information, employment details, and other data. The database contained around 18GB of data that appeared to be sourced from Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank named Biess, among others.
Attackers infected the City of New Bedford in Massachusetts with Ryuk ransomware and demanded a ransom payment of $5.3 million. The city made a counteroffer of $400,000, which was subsequently declined by the attackers. The city has now decided to restore its data from back-ups.
Security researchers discovered an Elasticsearch database belonging to DK-Lok that was left publicly accessible without any authentication. The leaky database exposed DK-Lok's internal and external communication records, including emails sent between staff and their clients. Some of the exposed email records were marked as “private” and “confidential”. Apart from emails, personal information of staff and clients, such as names, email addresses, employee/user IDs, and phone numbers, was also exposed.
Attackers launched a massive DDoS attack against Wikipedia and took down its website across various countries. The attack, launched on September 6, 2019, targeted several countries including the U.K., France, Germany, Italy, The Netherlands, Poland, and parts of the Middle East.
An unprotected database belonging to a cybercriminal network has exposed almost 17 million email addresses. The breach allowed access to the personal details of users purchasing tickets from any website using the Neuroticket software. This impacted popular ticket vendors such as Groupon, Ticketmaster, and Tickpick, as well as various small independent venues.
Yves Rocher exposed the information of over 2.5 million Canadian customers due to an unprotected database managed by Aliznet. A majority of affected customers were located in Canada. The exposed information includes names, phone numbers, email addresses, birth dates, zip codes, and FID numbers. FID numbers are used by several countries for international shipping or tax purposes.
An unprotected Elasticsearch database belonging to Dealer Leads has exposed almost 198 million records containing information about potential car buyers. The exposed data includes names, email addresses, phone numbers, addresses, IP addresses, ports, pathways, storage information, loan and finance inquiries, and details of vehicles that were for sale.
A Magecart card-skimming attack hit hotel chains across 14 countries. Mobile users of these hotel chains were targeted to steal payment card details and other sensitive information. The websites of both affected hotel chains were observed to have been developed by a Spain-based company named Roomleader, whose module was compromised to inject malicious code.
Data of 24.3 million Lumin PDF users was found on a hacking forum. The data, which is in a 2.25GB ZIP file, includes names, gender, Google access tokens, email addresses, locale settings, and hashed password strings.
Two unsecured MongoDB databases with 1,444,375 records of email accounts, 2,196,840 password strings, and 752,645 entries of usernames were discovered. The databases were found to belong to a criminal group that is responsible for the Gootkit malware.
Hackers have infected Click2Gov payment portals in 8 cities. Almost 20,000 payment records have been compromised and are said to be available on the dark web for sale. The affected cities include Deerfield Beach, Palm Bay, Milton, and Coral Springs in Florida to name a few.
For the second time this month, the personal details of nearly 20 million Ecuadorian citizens were exposed. The unprotected server, reportedly located in Germany, belongs to an Ecuadorian company called Databook. The compromised information includes names, workplaces, family member details, phone numbers, vehicle information, and emails.
DoorDash, a food delivery service, has disclosed a data breach that affected nearly 5 million customers. The breach exposed customer details such as names, phone numbers, delivery addresses, email addresses, payment information, and more. The company said that full credit card information and full bank details were not exposed.
Researchers have discovered a phishing campaign launched by an Iran-linked hacker group called Cobalt Dickens that has targeted over 380 universities across more than 30 countries. This campaign has predominantly affected universities in Canada, Australia, the US, and the UK. The hacker group has targeted universities in order to steal intellectual property that can be used for financial gain.
Researchers analyzed over 2300 Picture Archiving and Communication System (PACS) servers and found that at least 590 systems were unsecured, exposing more than 24.3 million patient records. The servers were spread across 59 countries, including the United States, Brazil, Italy, and India.
The personal data of customers of major airline companies owned by Lion Air and Malindo Air was found in an open AWS storage bucket. The exposed data includes names, email addresses, phone numbers, physical addresses, passport numbers, passport expiration dates, dates of birth, and passenger and reservation IDs.
New Threats
Various new malware activities and vulnerabilities were reported in September. The infamous threat group Fancy Bear has reappeared in the threat landscape with an updated set of tools. The Emotet botnet has also returned after a break that began in June. Meanwhile, the TrickBot trojan has been distributed in a massive phishing attack targeting various U.S. states.