Cyware Monthly Cyber Threat Intelligence August, 2018

The Good


August’s end brings to a close another month buzzing with cyber activity including new security breaches, malware strains and threat actors popping up to target victims around the world. However, it is always worth tipping our hats to the positive advancements made by researchers, law enforcement, governments and companies towards improving the security of users, devices and networks alike. Three cybercriminals linked to FIN7 were arrested while a Washington man allegedly linked to the Satori IoT botnet is facing charges. Brazil passed a new data protection bill. Meanwhile, the US Department of Homeland Security (DHS) launched a “risk radar” to help government agencies better understand and implement cybersecurity strategies. Germany set up a DARPA-like cybersecurity agency. Dozens of US private firms and government organizations collaborated on “Project Spartacus” to protect the energy grid from cyberattacks. HP announced a new printer bug bounty program, Instagram boosted its security and Blackberry launched a ransomware recovery solution.

  • The US Department of Homeland Security formed a new center to safeguard the nation’s critical assets against both physical and cyber threats. The National Risk Management Center will help foster coordination between the federal government and the private sector to better protect critical infrastructure through information sharing and risk management strategies.
  • HP launched a printer bug bounty program offering payouts ranging from $500 to $10,000. The private program invites security researchers to find firmware-level vulnerabilities such as remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs across enterprise printers and report them through Bugcrowd.
  • Three alleged high-ranking members of the notorious FIN7 hacker group, also known as the Carbanak Group, were charged by the US Justice Department. Since at least 2015, the cybercrime group has used malware to infiltrate more than 100 US companies and steal more than 15 million credit card records from over 6,500 point-of-sale terminals at 3,600 separate locations.
  • Google announced that G Suite admins can receive special alerts when government-backed hackers are attempting to infiltrate one of their company’s user accounts. G Suite super admins will also be able to configure automated responses, such as resetting the user’s account password to halt a potential intrusion and sending a copy of the alert to the user.
  • BlackBerry announced a new ransomware recovery solution that could allow organizations to quickly contain and limit the damage of ransomware attacks. The new feature for BlackBerry Workspaces would freeze the accounts of affected users if their PCs and synced files are infected, and allow IT managers to roll back affected documents and data to the point before the ransomware hit.
  • General Motors announced an automotive bug bounty program inviting a few white hat hackers to detect and report bugs in their cars’ software. GM President Dan Ammann announced the program at the Billington Cybersecurity Summit saying the team will include white-hat researchers who “we’ve established relationships with through our coordinated disclosure program.”
  • Researchers from Nozomi Networks released free tools to help detect the destructive Triton/Trisis malware. The TriStation Protocol Plug-in for Wireshark can detect the malware communicating in the infected network, gather intelligence on the communication, translate function codes and extract PLC programs being transmitted. The second Triconex Honeypot Tool could be used by ICS organizations to set up honeypots to detect Triton reconnaissance scans and attack attempts on their networks.
  • LinkedIn said it shut down fewer than 40 fake accounts on its platform that were being used to connect with members of US political groups, including one that claimed to be a well-known celebrity. Although the accounts weren’t used to spread fake news or manipulative ads, the firm said it “doesn’t take their existence lightly.”
  • More US states have now deployed technology that can help track election hacking attempts. The rapid adoption of the $5,000 Albert sensors, developed by the Center for Internet Security, highlights the growing concern of state government officials about Russian election interference attempts ahead of the 2018 midterm elections.
  • Brazil’s president Michel Temer passed a new data protection bill to give citizens more power over their online data. The new law will come into effect in 18 months and will prevent the commercial use of information such as names, telephone numbers and addresses without users’ consent.
  • Israel launched a new three-year program designed to boost its cyber industry. The $24 million program will fund organizations involved in high-risk research and development projects, as well as pilot projects in Israel and abroad.
  • Nigerian citizen Olayinka Olaniyi was convicted for orchestrating a $6 million phishing scam that targeted colleges and universities across the US. Olaniyi used stolen credentials to divert payroll deposits of staffers at various universities. Olaniyi also managed to access employees’ W-2 tax forms and use them to file fraudulent tax returns.
  • The DHS is launching a program called the risk radar next year. The program is aimed at helping government agencies better understand and implement their cybersecurity strategies. The radar will take a close look at the cyber threats agencies face and their readiness to respond to those threats.
  • US government agencies and businesses are collaborating to launch Project Spartacus, which aims to protect the national energy grid from potential cyber and EMP attacks. The project’s announcement came as intelligence leaders raised new fears of an attack and as businesses and some in the military began to make plans for a lights-out event.
  • Microsoft managed to thwart a new campaign orchestrated by Russia-backed Fancy Bear hackers. The campaign targeted US think tanks and GOP critics of US president Donald Trump. Microsoft believes that the new campaign is Russia’s renewed attempt to influence the upcoming US midterm elections.
  • The UK National Cyber Security Centre (NCSC) recognized The University of Kent, King's College London and the University of Cardiff as academic centers of excellence in cybersecurity. The three universities join a list of 14 other institutions in a scheme forming part of the government's National Cyber Security Strategy, which aims to make the UK a world leader in cybersecurity.
  • Instagram introduced three new features in August aimed at boosting its security and transparency. The features allow users to better verify the authenticity of accounts that have a large following, use third-party apps such as Google Authenticator for two-factor authentication instead of SMS codes, and apply for the coveted blue verification tick for their accounts.
  • The US government charged 20-year-old Kenneth Schuchman over his alleged involvement with the Satori botnet. Schuchman is believed to be the online persona Nexus Zeta - the alleged operator of Satori.
  • Germany announced the creation of a new DARPA-like federal agency that will be tasked with creating cutting-edge technologies. The new agency will be responsible for creating new tech that will advance the nation’s cyber defensive capabilities.
  • A hacker who stole and leaked personal photos of Jennifer Lawrence and other Hollywood A-listers was sentenced to eight months in prison. George Garofano, 26, was accused of illegally accessing the private Apple iCloud accounts of 240 people.

The Bad


The month of August was peppered with security breaches and leaks that exposed the data of millions of people across the globe. Reddit was hacked despite having SMS-based 2FA, while Yale University disclosed a decade-old breach. TCM Bank accidentally exposed thousands of credit card applicants’ data due to a website misconfiguration. Augusta University Health exposed over 400,000 patients’ sensitive healthcare records. Superdrug and Atlas Quantum both fell victim to hackers, and Spyfone inadvertently exposed terabytes of data. Chinese hotel chain Huazhu Hotels Group Ltd. suffered a breach that resulted in the personal data of 130 million of its customers ending up on the dark web. The PGA of America and TSMC suffered ransomware attacks. Meanwhile, a teenager managed to hack into Apple and steal 90GB worth of sensitive information.

  • Reddit disclosed a breach of its systems that compromised user data. The company said a hacker bypassed its SMS-based two-factor authentication by intercepting the SMS codes and gained access to several employee accounts. The attacker obtained read-only access to systems, source code and other logs, including a 2007 database backup of Reddit user data that contained account credentials, email addresses, salted and hashed passwords and more. Reddit’s own disclosure noted that SMS-based authentication is not as secure as hoped and urged users to move to token-based 2FA, where the code is generated on the user’s device and never transits the carrier network.
  • UnityPoint Health warned patients of a data breach that may have compromised the data of up to 1.4 million patients. Officials said an employee fell for a phishing attack that resulted in unauthorized access to sensitive company data and patient information.
  • Yale University disclosed a security breach that occurred a decade ago, between 2008 and 2009. The academic institution said a threat actor managed to access a university database and steal names, Social Security numbers, dates of birth and, in some cases, Yale email addresses and physical addresses. About 119,000 people were affected by the breach, including alumni, faculty members and staff.
  • A borough in Alaska was hit with a massive ransomware attack that crippled its computer infrastructure and forced government employees to rely on typewriters and hand-written receipts. Officials from Matanuska-Susitna declared a disaster due to the multi-pronged, APT-style attack that involved the Emotet Trojan, BitPaymer ransomware and other tools.
  • Credit card issuer TCM Bank said a website misconfiguration accidentally exposed the personal data of thousands of people who applied for credit cards between early March 2017 and mid-July 2018. Applicants’ names, addresses, dates of birth and Social Security numbers were exposed. The firm said fewer than 10,000 applicants were impacted.
  • The PGA of America fell victim to a ransomware attack. The encrypted files included promotional and creative materials for the PGA Championship. The PGA was reportedly hit by the BitPaymer ransomware, the same malware that infected the Matanuska-Susitna (Mat-Su) borough in Alaska and several hospitals in Scotland last year.
  • TSMC, a major supplier to Apple’s iPhone, said a WannaCry variant crippled its semiconductor fabrication plants. The company said a “misoperation” led to the virus infection, adding that it will take a 3 percent revenue hit due to the downtime.
  • Security researcher Bob Diachenko discovered a fully exposed MongoDB database online that contained the healthcare information of 2 million patients in Mexico. Exposed data included patients’ full names, gender, dates of birth, insurance data, addresses and disability status.
  • Android app Couple Voe exposed the plaintext passwords of 1.7 million users. The spyware also exposed personal information such as texts, location, and call data.
  • 11-year-old Emmett from Austin hacked into a replica of a US voting system in 10 minutes, even changing the election results. The incident took place at this year’s Defcon hacking conference and was organized by the Voting Machine Hacking Village. 89 percent of the youngsters that participated in the competition managed to compromise the replica of voting systems.
  • A teenager hacked into Apple’s networks and stole around 90GB of sensitive corporate information. The 16-year-old hacker, from the southern city of Melbourne, broke into the U.S. computer giant’s mainframe from his suburban home many times over a year.
  • Elite Chinese hackers targeted US government and private organizations earlier this year. The attacks occurred around a US trade delegation’s visit to China: Chinese hackers targeted several US energy and communications companies, as well as the Alaskan state government, in the weeks before and after Alaskan government officials’ trade mission to China.
  • Augusta University Health exposed over 400,000 patients’ sensitive healthcare records. The organization was hit by two separate phishing attacks. Investigators discovered that an email account accessed earlier by an unauthorized user may have given access to a number of internal email accounts.
  • Superdrug was hit by hackers who held the firm’s customers’ data to ransom. The UK health and beauty retailer sent emails to those affected after reports suggested hackers contacted the firm on Monday to say they had data on 20,000 customers.
  • Animoto suffered a data breach that exposed users’ personal data and location data. Although it is still unclear as to how many users were affected by the breach, Animoto alerted all 22 million of its users about the breach.
  • Spyfone, a company that offers mobile spyware to parents and employers, inadvertently exposed terabytes of user data. The breach was caused by an unprotected Amazon S3 bucket and exposed information such as selfies, location data, text messages and more.
  • Brazilian cryptocurrency investment platform Atlas Quantum was hit by hackers in a breach that affected 261,000 customers. The attackers stole information including customers’ names, phone numbers, email addresses and account balances.
  • Chinese hotel chain - Huazhu Hotels Group Ltd. - suffered a breach earlier this month. The breach resulted in the personal data of 130 million of its customers ending up on the dark web. The stolen data was found being peddled on a Chinese dark web forum for 8 bitcoins.
  • ABBYY, the optical character recognition software provider, inadvertently exposed over 200,000 highly sensitive corporate documents. The breach was caused by an unprotected MongoDB database that contained over 142GB of sensitive data.
  • Air Canada suffered a data breach that may have compromised the personal data of around 20,000 of the airline’s mobile app users. The exposed data likely included users’ names, email addresses and phone numbers. The airline said it discovered the breach between August 22 and 24 after noticing unusual login behavior on its mobile app.

New Threats


Dozens of new malware strains, threat groups, scams and other malicious activity emerged over the past month. Cryptomining malware PowerGhost was spotted targeting enterprises while the BackSwap malware has been targeting European banks. An updated AZORult is being used to distribute ransomware. Researchers spotted a new malware campaign called Dark Tequila targeting Mexican users. Two new ransomware variants, KeyPass and Princess Evolution, popped up while experts disclosed a new Intel chip flaw called Foreshadow. MikroTik routers were enslaved in a cryptojacking campaign. A new Android spyware called BusyGasper and a new triple-threat malware called Android.Banker.L were uncovered. The Lazarus group was found distributing Mac malware for the first time. The author of GandCrab ransomware retaliated against AhnLab while IBM demonstrated a proof-of-concept AI-powered malware.

  • A new threat group dubbed DarkHydrus targeted at least one government in the Middle East. Palo Alto Networks’ Unit 42 researchers said the group used spear-phishing emails written in Arabic with password-protected RAR archive attachments that contained malicious IQY (Excel web query) files. These files were used to ultimately install a custom PowerShell-based payload dubbed RogueRobin to gain backdoor access to targeted systems.
  • Kaspersky Lab researchers uncovered a fileless, cryptocurrency-mining malware dubbed PowerGhost that has been targeting corporate networks worldwide. The cryptojacker leverages PowerShell for execution and the EternalBlue SMB exploit to spread laterally to other PCs and servers, which then mine cryptocurrency.
  • Proofpoint researchers spotted an updated version of the AZORult infostealer and downloader that attempts to spread the Hermes ransomware version 2.1 in the wild and steal victim data. The new and improved AZORult also sports improved stealing and loading capabilities along with cryptocurrency wallet support.
  • Tens of thousands of vulnerable MikroTik routers were spotted injecting a Coinhive miner into web pages passing through them. The exploited vulnerability had been patched by MikroTik within a day of its discovery; however, hundreds of thousands of devices whose owners had not applied the update remained exposed.
  • The author of the infamous GandCrab ransomware seemed to retaliate against South Korean security firm AhnLab after it released a vaccine app for the ransomware. The author reportedly said the upcoming version of the ransomware would contain an alleged zero-day for the AhnLab v3 Lite antivirus.
  • IBM X-Force Red researchers discovered 17 vulnerabilities in smart city systems that could be exploited to cause panic or even silence sensors from sounding the alarm during an actual emergency. Researchers said the vulnerabilities, eight of which were deemed “critical” in severity, highlighted how smart cities are still exposed to old-school threats.
  • IBM researchers developed a proof-of-concept dubbed “DeepLocker”, a stealthy AI-powered malware built to understand how artificial intelligence and malware techniques can be combined to create a new type of attack. The tool hides its payload inside a benign-looking application and only unlocks it when it identifies a specific victim through attributes such as facial recognition, geolocation and voice recognition, which makes the dormant payload hard to detect or analyze before it reaches its target.
  • The US Internal Revenue Service warned taxpayers to be wary of scams involving fake charities that could pop up during hurricane season. These scams typically begin with unsolicited contact via a phone call, social media post, email or in-person, but could lead to phishing schemes, identity theft or financial loss.
  • Security researchers discovered the KeyPass ransomware, which comes with a “manual control” feature that gives its operators additional control over infected systems. KeyPass has already infected victims in Brazil, Vietnam, Indonesia and Algeria.
  • Security experts discovered a new ransomware variant called Princess Evolution. The ransomware was delivered via the Rig exploit kit and demands $723 in ransom. Princess Evolution’s operators are also selling it on the dark web as a ransomware-as-a-service (RaaS).
  • Security experts disclosed a new Intel chip flaw called Foreshadow, which Intel refers to as L1 Terminal Fault (L1TF). Like Spectre, it is a speculative execution side-channel attack, but it targets one of the most security-sensitive components of the chip: the Software Guard Extensions (SGX) enclaves, allowing an attacker to read enclave memory that SGX is designed to protect even from a compromised OS. Related variants (Foreshadow-NG) extend the same technique to data held by the operating system, system management mode and other virtual machines on the same host.
  • The BackSwap malware, believed to have emerged in March, was discovered targeting banks in Poland and Spain. The malware is built on code from the Tinba trojan and, like other banking trojans, injects malicious scripts to modify what victims see on their bank’s website in classic man-in-the-browser (MitB) style.
  • The Dark Tequila malware campaign was found targeting victims in Mexico. The cybercriminals conducting the campaign are looking to steal financial information and login credentials to popular websites. Dark Tequila has been active since 2013, delivering the malware via either spear-phishing or USB devices.
  • The cybercriminals behind the Ryuk ransomware targeted multiple organizations across the globe, raking in over $640,000. The Ryuk ransomware was found to have several similarities with the Hermes ransomware, which is believed to be operated by the Lazarus Group.
  • The North Korea-backed Lazarus Group was found distributing Mac malware for the first time ever. Lazarus targeted an Asia-based cryptocurrency exchange with its old malware Fallchill, which had been upgraded to target both Windows and Mac users.
  • BusyGasper was another newly discovered Android spyware that comes with features such as the ability to detect motion, keylog and steal data. Although BusyGasper is not considered to be all that sophisticated, the spyware has around 100 commands. It is also capable of exfiltrating data from messaging apps like Facebook, WhatsApp and Viber.
  • A new version of the CEIDPageLock rootkit was found being distributed via the Rig exploit kit. The latest version of the rootkit is capable of hijacking browser sessions as well as monitoring browsing activities, replacing websites with fraud pages and redirecting victims to these fake pages.
  • A new triple threat malware called Android.Banker.L was discovered. The malware contained keylogging, banking malware and ransomware capabilities. It can also forward calls and record audio.
  • The Asacub malware, which first appeared in 2015, was updated to include additional features. The malware has infected over 250,000 users in Russia. Asacub’s growing infection count helped it rise rapidly last year, even outperforming other banking malware variants such as Svpeng and Faketoken.
