Cyware Weekly Cyber Threat Intelligence July 9 - July 13, 2018

Weekly Threat Briefing • Jul 13, 2018
It’s Friday the 13th, and time to round up some of the cyber horrors that plagued people around the world this week - from APTs and malware to data breaches and hacks. It is also worth celebrating some of this week’s cybersecurity wins by law enforcement, government and tech firms. China arrested 20 suspects in a major cryptojacking case. Ukraine’s Secret Service said it stopped a VPNFilter attack on a chlorine distillation plant. Google Chrome added a new Spectre fix while YouTube is fighting fake news with links to ‘authoritative’ news.
In China, 20 suspects were arrested in connection to a major cryptojacking case that affected 3.89 million computers since 2015 and generated 15 million yuan ($2.2 million) in illicit profits. Chinese tech giant Tencent discovered the malware embedded in software designed to help gamers cheat was actually used to mine cryptocurrency. Free downloadable plugins were also used to hijack users’ computers. Authorities were alerted in January and a dedicated task force was created to handle the probe.
The Ukrainian Secret Service said it detected and shut down a cyberattack that used the infamous VPNFilter malware to target a chlorine distillation station. The malware strain targets a large number of router models, can survive device reboots, monitor and intercept traffic, and even brick infected devices. The agency accused Russia of operating VPNFilter and launching the attack.
Google announced that its latest Chrome 67 release comes with a new Site Isolation feature to protect against side-channel attacks like Spectre. Enabled by default, this fix will help prevent attackers from using speculative execution features of most processors to access parts of memory that should otherwise be restricted. However, the fix does increase Chrome RAM usage by about 10-13 percent.
YouTube announced a few new features coming to its website and app designed to tackle fake news and the spread of misinformation. Information cards will now be included atop YouTube search results that include information from third parties on historical or scientific topics that are prone to misinformation or conspiracy theories - like the Moon landing or the Oklahoma City bombing. Eventually, similar info cards will be introduced for news-related search results too.
Several data breaches came to light this week impacting companies like Macy’s, TimeHop, Domain Factory and Thomas Cook. Polar Flow exposed the locations of spies and military personnel worldwide. Hackers stole 600 gallons of gas while Reaper drone documents were spotted for sale on the Dark Web. Meanwhile, MyEtherWallet was hit by an attack.
Retail giant Macy’s informed some online customers with profiles on Macys.com or Bloomingdales.com that an unauthorized party accessed “a small number” of accounts between April 26 and June 12 using “valid usernames and passwords.” Compromised data included home addresses, credit card numbers, expiration dates and phone numbers. The breached accounts have been blocked, and affected customers are advised to reset their passwords and contact their credit card companies.
TimeHop revealed it suffered a data breach on July 4 that affected 21 million accounts - 3.3 million of which had their names, email addresses and phone numbers compromised. It later added that dates of birth and gender were also exposed. However, the popular service that resurfaces memories from past social media posts said users’ financial data and personal content or “memories” stored in the app were not impacted.
German hosting provider Domain Factory said it experienced a data breach in January that compromised customer data such as names, account numbers, physical and email addresses, phone numbers and dates of birth. Account passwords, bank names and bank account numbers such as IBAN and BIC were also included. Customers have been advised to change their account passwords as well as their MySQL, SSH, FTP and Live disk passwords.
A major vulnerability in Thomas Cook Airlines’ booking system was found to have exposed customers’ names, email addresses and flight details. Norwegian security researcher Roy Solberg uncovered the flaw that allowed anyone to retrieve the data using just a reference number. The firm said the flaw only affected its Nordic division and has since been fixed.
The fitness app Polar Flow exposed the names, home addresses and locations of high-ranking intelligence and military personnel to the public on its network. Researchers found it was possible to exploit Polar Flow’s Explore function to discover 6400 users’ full names, profile pictures and geolocation data across 69 nationalities, along with locations of secret military sites. This function has now been turned off.
Hackers managed to attack a gas pump in Detroit to steal 600 gallons of gas worth roughly $1800. Investigators said the attackers used a device that allowed them to remotely block the attendant’s control of the pump from a dedicated console while a total of 10 cars used the pump during the 90-minute hack.
Researchers confirmed a hacker has been selling non-classified but sensitive materials on the US Air Force’s MQ-9 Reaper drone for $150-$200 on the Dark Web. The attacker also posted information on US Army vehicles and tactics for sale. The intruder used a 2-year-old FTP vulnerability in Netgear routers to break into a computer at Creech Air Force Base in Nevada.
Popular crypto service MyEtherWallet (MEW) suffered an attack after the widely used VPN service Hola was compromised for five hours, during which any Hola users who navigated to MEW and accessed their wallet may have been affected. Users who used Hola during that time frame were advised to transfer their tokens to a new wallet account.
Threat actors have been working on some sneaky techniques and malicious software. A new variant of Spectre was discovered while the Dorkbot banking malware made a comeback. A unique extortion scam that uses hacked passwords to scare victims is making the rounds. Meanwhile, BankBot Anubis is back via 10 fake apps.