Cyware Monthly Cyber Threat Intelligence April, 2018

The Good


April marks the huge step taken by Facebook, Microsoft, Oracle and 31 other technology companies in signing the Cybersecurity Tech Accord. Another major good news was, the US Department of Energy announced $25 million in grants for projects that can strengthen cyberdefenses. Several technological advancements--including an algorithm to detect fake news, new HoneyBot, and an Android sandbox technology--have been made this month, to strengthen enterprise security. The RSA conference also hoisted several security advancements such as the Adversarial Robustness Toolbox by IBM.

  • The US Department of Energy announced $25 million in grants for projects that can strengthen the cyberdefenses of the nation’s critical energy infrastructure, including its power grid, oil, and natural gas industry. The announcement comes just weeks after cyberattacks crippled electronic communications systems for several US pipeline companies.
  • Facebook, Microsoft, Oracle and 31 other technology companies signed the Cybersecurity Tech Accord this week pledging to defend all customers and products from cyberattacks. They also took a “no offense” commitment to not help governments launch cyberattacks and protect their services against tampering and exploitation at every stage, from development to distribution.
  • Researchers at Ben-Gurion University of the Negev and the University of Washington have developed a new algorithm to detect fake users on social media platforms, including Facebook and Twitter, based on the assumption that fake accounts typically establish unlikely links to other users. The algorithm features two machine learning-based iterations - one to estimate the probability of a link existing between two users and the second to generate meta-features used to construct a generic classifier to detect fake profiles.
  • At the RSA Conference in San Francisco, IBM unveiled the Adversarial Robustness Toolbox - an open-source security library designed to help support developers and users fight against cyberattacks that target AI systems. Featuring a library, interfaces, and metrics, the toolbox will help developers create and deploy practical cybersecurity defense systems for the AI sector.
  • Britain’s Home Secretary Amber Rudd has launched a police crackdown on dark web crime. During a speech at the National Cyber Security Centre’s conference, Rudd announced the Home Office will be releasing £9m to support law enforcement units that deal with cybercrime and dark web activity. Another £5m will be spent on improving local cybercrime units at a regional and local level. The funding is part of the £50 million allocated to bolster the UK’s cyber-defensive capabilities at a national, regional and local level.
  • A new £13.5 million cyber innovation centre is being developed at London’s Queen Elizabeth Olympic Park to spur growth and development in the growing East London tech cluster and the nation’s cybersecurity sector. Run by Plexal, the London Cyber Innovation Centre will offer local start-ups the infrastructure, space and technology to work closely with larger enterprises on security risks, challenges and solutions.
  • Cisco Systems with working with Canadian startup Isara, to develop new quantum-safe cryptographic algorithms that may help companies protect their internal systems, platforms and data against potentially powerful quantum threats. The two companies will be working on a proof-of-concept project to test digital certificates that operate in both classic and quantum-safe algorithm modes.
  • MIT Media Lab researchers have developed a new headset dubbed AlterEgo that can “hear” your thoughts and allows you to “silently” communicate with a computer interface simply by vocalizing internally. By reading the neuromuscular signals your brain sends to the face and jaw during internal speech, the headset can identify the words you think of, but don’t actually say out loud, and reconstruct it with 92% accuracy.
  • The antivirus scanning engine, VirusTotal, made an announcement about a new Android sandbox technology. Named Droidy, this is a simulated Android OS environment for analyzing Android app behavior and producing reports for users and security researchers. These reports will contain additional behavioral details that would help security researchers confirm the malicious classification of VirusTotal scan results or even overturn them.
  • A new novel tool is designed by a group of researchers at Georgia Tech that would help in delaying and exposing would-be hackers to industrial automation. The small robot, called HoneyBot, is designed to trick cybercriminals into thinking it's a vulnerable robot performing important industrial automation tasks. Once a successful breach is detected, the tool raises alarm and helps IT security professionals in blocking the attack.
  • Decrypters for few versions of the Magniber ransomware have been created by security researchers from AhnLab, a South Korea-based cyber-security firm. Users can download the decryptors from AhnLab's website. Unfortunately, the usage instructions aren’t available in English. Hence, victims will have to use online translation services to understand them.
  • Europol has successfully dismantled the Webstresser website. As per claims by the police, the website sold Distributed Denial of Service (DDoS) attacks and helped launch up to 6 million of them for as many as 136,000 registered users. The investigation was led by the Dutch National High Tech Crime Unit and the UK National Crime Agency (NCA), and assisted by Europol. Four alleged administrators of the site were arrested, the site was shut down and its infrastructure was seized.
  • A new Windows platform security technology, meant to mitigate attacks in software, has been released by Microsoft. The company announced Windows Defender System Guard runtime attestation that can provide signals for Endpoint Detection and Response (EDR) and antivirus vendors. The security technology is also capable of detecting kernel tampering, rootkits, and exploits.
  • A study by researchers in New Zealand found out that the newly proposed quantum blockchain can result in blockchain systems that are unaffected by quantum-computer hacking. This is considered to be the first ever fully quantum blockchain. This new quantum blockchain functions by interpreting its mistakes and influencing its own past.

The Bad


Unfortunately, the month April also registered several data breaches and security threats. Data leaks at TrueMove H (one of Thailand’s biggest mobile operators) and Texas Health Resources affected 11,400 customers and 4000 patients respectively. In other news, a joint statement has been issued by the DHS, FBI and the UK’s National Cyber Security Centre, accusing Russian hackers of penetrating network infrastructure. Among the affected companies, this month, are Sodexo, LocalBox, YouTube and Coinsecure.

  • TrueMove H, one of Thailand’s biggest mobile operators, suffered a data leak compromising the data of at least 11,400 customers. Customers’ personal data, which included scanned images of ID cards, was exposed in an unprotected Amazon Web Services S3 cloud storage bucket. The company said the leak was fixed on April 12, but the incident has already triggered scrutiny and backlash from regulators and customers.
  • Texas Health Resources disclosed that an unauthorized third party may have accessed patient data back in October 2017 after compromising some of the organization’s email accounts. Compromised data included patient names, addresses, medical record numbers, dates of birth, insurance and clinical data. The firm reportedly said less than 4000 patients were impacted.
  • The US Department of Homeland Security, Federal Bureau of Investigation and the UK’s National Cyber Security Centre issued a rare joint statement accusing Russian state-sponsored hackers of penetrating network infrastructure devices such as routers within government, private companies, critical infrastructure, and ISPs. The agencies accused Russia of using compromised routers to conduct espionage, extract intellectual property and maintain persistence to possibly conduct larger offensive attacks in the future. The Kremlin has dismissed the allegations as “unsubstantiated” and of “no value.”
  • Handyman-for-hire app, TaskRabbit revealed it suffered an apparent data breach saying an “unauthorized user” managed to gain access to its systems and compromised certain personally identifiable information. The company briefly took down its website and app to safeguard its users. Users have been advised to change their passwords and monitor their accounts for any suspicious activity.
  • Localbox, a little-known data firm that builds personal profiles by scraping data from public sites and social media networks like Facebook, Twitter and Zillow without users knowledge or consent, accidentally leaked a trove of personal data. UpGuard’s Chris Vickery found the firm left a cache of profile data on an unprotected Amazon S3 storage bucket that listed 48 million individual records.
  • Food services and facilities management Sodexo has warned a number of customers to cancel their credit attack after its cinema voucher platform, Filmology, suffered a “targeted attack”. The website was taken down “to eliminate any further potential risk” to consumers and the incident has been reported to the UK’s Information Commissioner’s Office. Sodexo Filmology has advised all employees who used the site between March 19 through April 3 to cancel their payment cards and check their payment card statements.
  • Inogen revealed it experienced a security incident that saw an employee’s email account illegally accessed between January 2 and March 14 this year. Rental customers’ personal information including names, contact information and Medicare identification numbers were compromised in the breach. However, no financial data was accessed.\
  • A number of popular music videos posted by music service Vevo on YouTube were hijacked and defaced by hackers calling themselves Prosox and Kuroi’sh. The music video for the hit song Despacito along with others by Shakira, Selena Gomez, Drake and Adele were affected. The clip was replaced with a photo of masked people wielding guns at the camera while the description below the video was replaced with the words “Free Palestine”. The videos were briefly taken down until the issue was resolved.
  • Nearly 438 bitcoins worth $3 million were stolen from Coinsecure, a Delhi-based cryptocurrency exchange. However, the company said its system was not hacked or compromised. The company has filed an FIR accusing its CSO of swiping the money from the firm’s digital wallet and have asked authorities to bar him from leaving the country until the investigation is completed.
  • Four Singapore universities were found to have been targeted by Iranian hackers in a wave of attacks believed to part of last month’s security breach involving global educational institutions. The targeted universities included National University of Singapore (NUS), Singapore Management University, Singapore University of Technology and Design, and Nanyang Technological University (NTU). In total 52 accounts were found to be affected from these universities. As per government sources, they learned of breaches only last week.
  • A dozen major Israeli websites were at the receiving end of a major cyber attack launched by Palestinian sympathizers. The cyber attack was carried out by a hacker group known as Dark-Coder or TH3Falcon in response to clashes between the IDF and Gazan protesters last weekend. Among the affected websites were those belonging to hospitals, local authorities, the Israeli Opera, Israel Teachers Union and the IDF Widows and Orphans organization. All the affected websites temporarily displayed the images from the clashes on Gaza border that took place last weekend.
  • This week witnessed a striking cyber attack on four U.S pipeline companies. The attack shut down their electronic systems used for communicating with customers.The targeted companies were Energy Transfer Partners LP, Broadwalk Pipeline Partners LP, Eastern Shore Natural Gas and Oneok Inc. The shutdown did not impact any movement of gas but brokedown the communication channels these companies use for interacting with customers. Interestingly, most of the electronic communication equipment is third-party based and the attack once again underscores the importance of closing all security loopholes while dealing with third-party services.
  • Delta Air Lines has disclosed that it was impacted by a cyber breach potentially compromising customer’s payment information. As per the disclosure, the breach occurred last fall and only a small subset of customers were impacted. The incident involved (24)7.ai, a chat service used by Delta and many other companies. Delta has assured that only customer payment information was impacted and no other details like passport, security or frequent flyer information was affected.
  • Dubai-based ride sharing platform Careem became a victim of data breach after a cyber attack resulted in the theft of personal data of up to 14 million people in the Middle East, North Africa, Pakistan and Turkey. The company announced that the breach was detected on January 14, post which, a thorough investigation was launched and leading security experts were engaged to strengthen security systems.
  • The DNS server of MyEtherWallet, a web-based Ether wallet service, was hijacked by unknown hackers in order to redirect users to a fake version of the website and steal their wallet private keys. Using these keys, hackers managed to steal close to 215 Ether (about $160,000 at the time of the transaction). Hackers could hijack the DNS entries by executing a BGP route hijack that redirected traffic meant for Amazon servers to systems they controlled.
  • Hackers managed to redirect Amazon traffic to rogue destinations for two hours by exploiting the Internet-protocol weakness. Roughly 1,300 IP addresses were hijacked in this charade. Attackers also masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000.
  • Around 25,000 investors and potential investors linked with Bezop.io, the organization behind the Bezop cryptocurrency, had their personal details leaked due to an unsecured Mongo database. The personal information included names, addresses, encrypted passwords, wallet information, scanned passports, and copies of driver’s license. Bezop immediately secured the data after being notified.
  • Around two million UK banking customers experienced trouble using their accounts after an IT upgrade went wrong. Customers were also able to access other users’ savings and business accounts. The Financial Conduct Authority (FCA) and the Information Commissioner’s Office(ICO) are said to be investigating the incident.

New Threats


Several variants--samples of ViperRAT malware, an upgraded version of njRAT, and ZeusVM--of previously discovered malware have been identified in April. New strains of malware spotted this month are: Roaming Mantis, affecting exposed home routers; Desert Scropion, a spyware; SquirtDanger, a data-stealing malware; SmashingCoconut, a Windows-based wiper malware; and the PUBG ransomware. Security researchers also found a new MacOS backdoor identified as ‘OSX_OCEANLOTUS.D', a new banking Trojan called 'IcedID', and a new Mirai style botnet targeting the financial sector.

  • Kaspersky Labs researchers found a new strain of malware dubbed the Roaming Mantis. Hackers distribute the malware by hijacking DNS settings on vulnerable routers to redirect users to malicious websites. While it is still not clear how hackers managed to gain access to exposed home routers, the crooks were able to hijack traffic from 150 unique IP addresses and redirect users to malicious sites about 6,000 times between February 9 and April 9.
  • Security firm Lookout found new samples of the ViperRAT malware lurking on the Google Play Store again.Two ViperRAT-infected apps - VokaChat and Chattak - had been downloaded over 1000 times before they were detected by Lookout and removed by Google. The new malware samples appeared to be updated with chat functionality enabled within the apps to evade detection and suspicion.
  • Lookout researchers also uncovered the Desert Scorpion spyware packaged in mobile messaging apps on the Google Play Store. Believed to have been developed by surveillance actor APT-C-23, it targeted individuals of interest in the Middle East, particularly in Palestine. A chat app called Dardesh was used to download the first stage of the malware before tricking users into downloading the more sophisticated surveillance-focused second stage.
  • Dell SecureWorks Counter Threat Unit detailed a new Nigeria-linked BEC group called Gold Galleon that has been plundering the global maritime shipping industry. Using publicly available business email addresses, low-tier RAT tools and spear-phishing techniques, the group has attempted to steal at least $3.9 million between June 2017 and January 2018.
  • Palo Alto Networks’ Unit 42 identified a new malware called SquirtDanger that appears to have been developed by veteran Russian malware author “TheBottle”. Written in C#, the malware comes with various capabilities including the ability to take screenshots, list and kill processes, access and delete files, and even steal wallets or swap existing ones with one belonging to the attackers.
  • Trend Micro researchers have detected a significant amount of scanning activity from China akin to that of the infamous Mirai botnet in 2016. Researchers’ network monitoring system observed a surge of activity from over 3,000 IP addresses of scanners with Brazil seeming to be the target location. Similar to Mirai, the scanners were constantly scouring the internet for potentially vulnerable internet-connected devices. such as routers or IP cameras, and using default administrator credentials to hijack them.
  • A new, but unusual strain of ransomware called PUBG locks down victims’ computer files and will only decrypt them if you play the game “PlayerUnknown’s Battlegrounds.” The ransomware encrypts the user’s files with a .PUBG extension and displays a pop-up warning instructing the victim to play to restore them. Interestingly, the ransom instructions offers a code to unlock their files immediately as well as an option to play the game for an hour. The TlsGame program only needs to run for about 3 seconds to start the decryption process, suggesting it’s likely a joke.
  • The US Department of Homeland Security (DHS) released an intelligence note identifying a new malware called SmashingCoconut that shares similarities to the one used by North Korea against Sony back in November 2014. The 32-bit Windows-based wiper malware can render a targeted system inoperable if run using administrator privileges, delete all files and write over the master boot data record and wipe both the bootable and non-bootable partitions on the hard drive.
  • Researchers uncovered a new fake update scam that has been exploiting thousands of legitimate websites since December 2017. The “FakeUpdates” campaign affected websites using outdated versions of WordPress, Joomla and Squarespace. The affected sites display authentic-looking messages to visitors prompting them to “save” the update for Firefox, Chrome or Flash. If a user does fall for it, a heavily obfuscated JavaScript file is downloaded from DropBox that deploys the ZeusVM variant - Chtonic banking malware - or a NetSupport RAT.
  • Researchers have found out a new Mirai style botnet targeting the financial sector. As per researchers, the attack on the financial sector is the largest since the Mirai wreaked havoc on Dyn servers in October 2016. The research found out three financial institutions becoming the latest victim of the new IoTroop botnet, created through hijacked internet connected web cameras and televisions. The aim of the hackers being the botnet seems to choke the internet traffic of financial firms by overloading servers and subsequently knocking off the services.
  • Security researchers at Trend Micro have found out a new MacOS backdoor that is probably the latest version of a threat used by APT 32, also known as Cobalt Kitty and OceanLotus. The backdoor has been identified as ‘OSX_OCEANLOTUS.D’. The attackers exploiting the backdoor have been found targeting MacOS computers having Perl programming language installed. The backdoor is being distributed through a malicious Microsoft Word document that claims to be a registration form for an event with HDMC, a Vietnamese organization that advertises national independence and democracy.
  • An upgraded version of njRAT has been found pushing Lime Ransomware and a bitcoin wallet stealer. Also known as Bladabindi, njRAT is an old-time Trojan that was first spotted in 2013 and has survived since then. The malware is known for using .NET obfuscation tools that make it go stealth against antivirus solutions and subsequently hinder any analysis by security researchers. The malware also makes use of dynamic DNA for command and control servers and communicates using a custom TCP protocol over a configurable port.
  • Last year in November, security researchers unearthed a new banking Trojan which was labeled as ‘IcedID’. Initially, it was found being distributed by Emotet and later in the new year there was a considerable increase in IcedID infections which were detected all throughout the AMP ecosystem. Now researchers have found infections through Emotet being mellowed down but more being spread through emails with malicious Microsoft Word documents without macros. Once the user clicks on the document, Rovnix is downloaded and executed which further downloads IcedID. In addition to Rovnix, a Bytecoin miner is also being downloaded as a second payload.
  • Dubbed Operation GhostSecret, a global data-stealing campaign has been discovered by McAfee security researchers, targeting several industries including critical infrastructure, entertainment, finance, health care, and telecommunications. The campaign leverages various tools, implants and malware variants associated with the Hidden Cobra hacker group.
  • A new variant of the Crossrider variant has been spotted attacking Mac devices disguising itself as a fake Adobe Flash Player installer. The configuration of the variant forces Safari and Chrome to redirect users to a page on chumsearch[dot]com. Unfortunately, this cannot be changed in the browser settings. The profile can be found by opening System Preferences, then clicking the Profiles icon.
  • Unit 42, Palo Alto Networks' threat research arm has discovered the author behind the new botnet malware family SquirtDanger. The Russian hacker, TheBottle, is found to be associated with these attacks. The malware is capable of conducting several actions including taking screenshots, clearing browsing cookies, steal stored information, upload/download files etc.
  • Three new malware variants associated with the APT34 hacker group have been discovered by a threat hunt team. The hacker group is believed to be operating since at least 2014, and uses BONDUPTATER (used to download software) and POWRUNER (used as a backdoor to exploit software vulnerabilities).
  • A new and advanced phishing kit, currently available in Brazil, is being analyzed by Check Point Researchers and a cyber intelligence company, CyberInt. The new kit is believed to be an epitome of the next generation in phishing architecture, as it makes for an even easier set-up and a more convincing fake website. The phishing kit generally targets online shoppers and aims at stealing users’ personal details and credit card information.
  • Members of the top-tier Russian hacking forum have started using the crimeware kit, dubbed the Rubella Macro Builder. The kit is cheap, fast and can bypass basic antivirus detections. The crimeware kit is being distributed via Microsoft Word or Excel email attachments.





  • Share this blog:
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.