Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Weekly Threat Intelligence, January 13 - 17, 2020

Cyware Weekly Threat Intelligence, January 13 - 17, 2020 - Featured Image

Weekly Threat Briefing Jan 17, 2020

The Good

With the weekend around the corner, let’s glance through all the good, bad, and new threats in cyberspace that many in the industry talked about this week. Starting with the good, a UK-based business, Veridium sprang a new technology that could validate the identity of a user with its phone device by monitoring its habits. Further, Google’s latest update enables iPhone users to use their phone as a physical 2FA security key to log into Google accounts. Also, CSA announced a new global event ‘SECtember’ that focuses on educating the industry on the crossroads of cloud and cybersecurity.

  • Veridium, a UK-headquartered business, has developed a unique technology that could replace everyday hustle of saving, remembering, and securing passwords while improving security. It comes with the ability to verify users by monitoring the use of your phone, your fingerprint ID, and the way you type or hold your device.

  • Google has expanded its security feature for iPhone users whereby users can register their smartphones as the two-factor authentication (2FA) method for their Google accounts. Two-factor authentication, unlike Google authenticator’s six-digit verification code, provides an additional layer of security for one’s Google account avoiding remote hacking.

  • The Ministry of Public Security, Vietnam drafted a decree on personal data protection to formalize the legal rights of individuals and organizations. There were reports of increased cases of personal data theft in the country. Many new services using personal information had raised issues related to national security and social order and safety.

  • CSA announced a new global event ‘SECtember’ this week to bring focus at educating the industry on key issues and trends faced in cloud and cybersecurity. SECtember will feature in-depth training, networking opportunities and interactive sessions with global experts.

The Bad

This week, breaches and ransomware incidents turned awry for organizations and authorities. Canadian online pharmacy PlanetDrug spilled the personal and financial data of an undisclosed number of customers. In other news, Australia's P&N bank had its customer relationship management system raided by hackers and putting personal information of some 96,000 members on risk. Also, scammers siphoned off the Manor Independent School District of Texas of $2.3 million in three different transactions.

  • Canadian online pharmacy PlanetDrugsDirect is notifying its customers that their personal and financial information may have been affected in a data security incident. The exposed data includes customers’ names, email addresses, phone numbers, medical information, prescriptions, and payment information. Customers are advised to keep a close eye on their bank account and credit card activity.

  • Thousands of highly sensitive records, around 19.95 GB of data, of adult models from PussyCash was leaked on the internet in a data breach incident due to an unprotected S3 bucket. The leak has exposed the personal data and likeness of over 4,000 models apart from videos, marketing materials, photographs, clips and screenshots of video chats, and zip files.

  • P&N Bank of Australia disclosed a cyberattack in which personally identifiable information (PII) and sensitive account information was exposed. The compromised data includes names, addresses, emails, age, customer account numbers, and account balance. As many as 100,000 individuals may have been impacted by the incident that occurred during a server upgrade on December 12, 2019.

  • A hacker was found selling a huge database of 49 million business contacts on an underground forum that can be used for pitches and sales. The hacker claimed that the data belongs to LimeLeads, a San Francisco-based B2B contact database provider. The hacker managed to steal records as the firm failed to set up a password for an internal server.

  • Sensitive details including passports of thousands of British users were left exposed for years on an unsecured Amazon S3 bucket. The exposed data included tax documents, job applications, proofs of address, criminal records, and more. While the owner of the database could not be asserted, experts believed that it belonged to CHS Consulting.

  • Thousands of baby videos and images were left unsecured and exposed to the internet on an Elasticsearch server by Peekaboo Moments. The database contained more than 70 million log files and 100 GB of data. The exposed data included over 80,000 email addresses, detailed device data, and more.

  • The top blog site Boing Boing disclosed that it was hacked after it was found redirecting visitors to a “dangerous malware” error page. Following the incident, all employees of the firm were asked to change their login credentials. They have also implemented security measures to ensure hackers don’t access the website again.

  • A school district in Manor, Texas lost $2.3 million within two months in a phishing scam. The amount was transferred to scammers in three separate transactions between November and December. The Federal Bureau of Investigation (FBI) is currently investigating the matter.

  • A new Magecart attack was reported to be compromised the website collecting donations for the victims of Australia’s bushfires. Crooks planted a malicious script named ATMZOW on the website that was designed to steal the payment information of the donors. The stolen data was then sent to a domain amberlo[.]com under the control of the attackers.

  • Maze ransomware operators listed out a number of victim companies that have denied paying the ransom. The affected companies include Southwire, RBC, THEONE, Vernay, Groupe, Europe Handling SAS, Auteuil Tour Eiffel, BST & Co and more. The ransomware group has claimed to have exfiltrated 3GB of data from some of these firms.

  • Facial recognition data from millions of public surveillance cameras were left exposed since the summer of 2019. The leaked data belongs to Chinese AI startup Megvii. It is unclear how many people have been affected by the security lapse.

New Threats

Several new threats and vulnerabilities were discovered this week. Researchers found a new ransomware dubbed Ako that uses span to infect its victims. Meanwhile, Oski, a new malware, was spotted targeting browser data, and crypto-wallets in the U.S. Also, a group of researchers reported 'Cable Haunt' modem flaw in Broadcom chips affecting hundreds of millions of users.

  • Ako, a new breed of ransomware, was discovered and reported this week. However, it was unclear how the ransomware spreads. It is now found that the ransomware is distributed via malicious spam emails that pretend to be a request agreement such as ‘Agreement 2020 #1775505’. The email usually includes a password-protected zip file named agreement.zip with the password ‘2020’ being given in the email.

  • More than 800 computers of a medical firm got compromised in a cyber incident starting October 14, 2019. Threat actors reportedly exploited the WAV audio files to hide the malware modules and later distributed it to vulnerable Windows 7 machines via EternalBlue. The purpose of the infection was to mine cryptocurrencies.

  • Microsoft issued security patches for 49 vulnerabilities, out of which 7 were classified as ‘Critical’ and 41 as ‘Important’ and 1 as ‘Moderate’. One of the critical vulnerabilities termed as CryptoAPI Spoofing flaw was discovered and reported by the NSA. It could allow attackers to spoof digital certificates to perform MITM attacks.

  • A group tracked as Ancient Tortoise was found impersonating a company’s CFO in an attempt to collect aging reports from accounts receiving specialists. The group could use the collected—and updated—reports to conduct scams in later attack stages. (Aging reports are track report of outstanding invoices of customers who haven’t yet paid for goods or services they bought on credit.)

  • The infamous Emotet trojan came back after a three-week hiatus. The trojan was found targeting over eighty countries with malicious spam campaigns. The campaign leverages phishing emails that pretend to be proof-of-delivery documents, reports, agreements, and statements. These emails include either attached documents or links that can be used to download them.

  • Some 5,000 Android phones were reported to be infected by the new version Faketoken Android trojan. The trojan is used to drain its victims’ bank accounts to fuel offensive mass text campaigns targeting mobile devices from all over the world. Once installed on the victim’s device, Faketoken first checks if their bank accounts have enough money. It will then use the stolen payment cards to add credit to the victim’s mobile account.

  • At least 200 million Broadcom-based cable modems were affected by the new Cable Haunt flaw. The flaw allowed attackers to compromise a modem and gain full control over the inbound and outbound traffic. The attackers could also eavesdrop on browsing activity, re-route traffic to malicious domains, or even zombify devices to use them in botnet attacks.

  • A new malware dubbed Oski Stealer was spotted targeting browser data and crypto-wallets in the U.S. Being advertised in underground cyber-forums, including several Russian forums, the malware’s capabilities include gathering sensitive information such as credentials, credit card numbers, wallet accounts and more. It has already managed to steal over 50,000 passwords so far.

  • Proof-of-concept for the critical Citrix bug was published on GitHub, making future attacks trivial for most attackers. The vulnerability tracked as CVE-2019-19781 affects Citrix’s NetScaler ADC and NetScaler Gateway servers. It was estimated that more than 80,000 organizations could be running flawed Citrix instances.

  • Scammers were reported exploiting Remote Desktop tools to conduct SIM swapping attacks. The technique involved convincing an employee in a telecom company’s customer support center to run or install RDP software. Once the RDP software gets activated, the scammers again convince the employee to provide credentials to RDP service to remotely control the machine and reach into the company’s software to SIM swap individuals.

Related Threat Briefings

Feb 7, 2025

Cyware Weekly Threat Intelligence, February 03–07, 2025

PyPI is taking a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. The U.K is bringing earthquake-style metrics to cybersecurity with its new Cyber Monitoring Centre, designed to track digital disasters as precisely as natural ones. Inspired by the Richter scale, the CMC will quantify cyber incidents based on financial impact and affected users, offering clearer insights for national security planning. Kimsuky is back with another phishing trick, this time using fake Office and PDF files to sneak forceCopy malware onto victims' systems. Its latest campaign delivers PEBBLEDASH and RDP Wrapper by disguising malware as harmless shortcuts, ultimately hijacking browser credentials and sensitive data. Hackers have found a new way to skim credit card data - by hiding malware inside Google Tag Manager scripts. CISA is flagging major security holes in Microsoft Outlook and Sophos XG Firewall, urging agencies to patch them before February 27. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. Bitcoin scammers are switching tactics, swapping static images for video attachments in MMS to make their schemes more convincing. A recent case involved a tiny .3gp video luring victims into WhatsApp groups where scammers apply pressure to extract money or personal data. XE Group has shifted from credit card skimming to zero-day exploitation, now targeting manufacturing and distribution companies. A new version of ValleyRAT is making the rounds, using stealthy techniques to infiltrate systems. Morphisec found the malware being spread through fake Chrome downloads from a fraudulent Chinese telecom site.

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.