Go to listing page

Cyware Monthly Cyber Threat Intelligence July 2018

Cyware Monthly Cyber Threat Intelligence July 2018

Share Blog Post

The Good

As cyber threats and attacks continue to become more sophisticated and frequent, it is vital to acknowledge and celebrate every hard-earned advance made towards improving security, enhancing technology and safeguarding both users and devices. The month of July saw significant measures being taken to protect people against cyber threats.

Britain’s HMRC said it took down 20750 malicious websites. China arrested 20 suspects in a major cryptojacking case. Ukraine’s Secret Service said it stopped a VPNFilter attack on a chlorine distillation plant.

Google Chrome labelled all HTTP sites as ‘not secure’ and added a new Spectre fix. Tinder beefed up its data security with encryption and Instagram is working on a new, non-SMS 2FA system. Microsoft, Google, Facebook and Twitter partnered up for the Data Transfer Project.

On the research side, experts are working on a program to stop hacking by supercomputers. Meanwhile, researchers at the University of Geneva discovered Ytterbium that could change the face of quantum computing. Researchers from Ben-Gurion University came up with a new method of detecting malicious emails.

  • Britain’s tax authority HM Revenue and Customs said it requested a record 20,750 malicious to be taken down over the past 12 months. It has also been trialing technology that identifies phishing messages that claim to be from the HMRC and stop them from being delivered. The initiative has resulted in a 90% reduction in people reporting spoof HMTC-related messages since April 2017.
  • Google Chrome has marked all unencrypted websites as ‘not secure’. With the release of Chrome 68, the browser now flags any site with a Hypertext Transfer Protocol (HTTP) address rather than a Hypertext Transfer Protocol Secure (HTTPS) address.
  • Popular dating site Tinder finally shored up its data privacy by encrypting photos uploaded by its users. Swipe data and other actions have also been padded so that they appear the same size when they are being transferred, thus preventing any snoops from identifying users’ activities.
  • In China, 20 suspects were arrested in connection to a major cryptojacking case that affected 3.89 million computers since 2015 and generated 15 million yuan ($2.2 million) in illicit profits. Chinese tech giant Tencent discovered the malware embedded in software designed to help gamers cheat was actually used to mine cryptocurrency. Authorities were alerted in January and a dedicated task force was created to handle the probe.
  • The Ukranian Secret Service detected and shut down a cyberattack that used the infamous VPNFilter malware to target a chlorine distillation station. The malware strain targets a large number of router models, can survive device reboots, monitor and intercept traffic, and even brick infected devices. The agency accused Russia of operating VPNFilter and launching the attack.
  • Google’s new Chrome release came with a Site Isolation feature to protect against side-channel attacks like Spectre. Enabled by default, this fix helps prevent attackers from using speculative execution features of most processors to access parts of memory that should otherwise be restricted. However, the fix also increases Chrome RAM usage by about 10-13 percent.
  • Japan and the European Union are strengthening their cybersecurity cooperation ahead of the 2020 Tokyo Olympic and Paralympic Games. To tackle cyber attacks and threats, Japan is acquiring and exchanging knowledge and best practices on cybersecurity with EU, as well as making collaborative efforts in developing new capabilities.
  • Colton Grubbs, the 21-year-old malware author behind the infamous LuminosityLink RAT, pleaded guilty in federal court. He admitted to creating the RAT in April 2015 and later sold it online via hacking forums under the online moniker KFC Watermelon. US authorities secretly arrested Grubb in July 2017.
  • Irish resident and alleged administrator of the now-defunct Silk Road, Gary Davis, was extradited to the US to face charges over his involvement with the Dark Web marketplace. Facing charges of computer intrusion, money laundering and narcotics distribution, Davis could face life in prison if convicted.
  • The Girl Scouts of the USA unveiled a new set of 30 STEM badges that girls aged 5 to 18 can earn for efforts, completing activities and advocacy in “some of society’s most pressing needs.” The new STEM badges will help girls hone their skills in coding, robotics, cybersecurity, mechanical engineering and more.
  • Instagram is upgrading its two-factor authentication (2FA) that would not require a user’s phone number to better guard against SIM hacking. The social media company confirmed it is building a token-based 2FA system that works with security apps like Google Authenticator or Duo. Users can receive a special code to log in that can’t be generated on a different phone used by a hacker in a SIM porting attack .
  • Researchers at Australia’s Monash University developed a post-quantum secure algorithm to help stop cyberattacks by supercomputers. The Lattice-Based One Time Ring Signature (L2RS) deploys cryptographical techniques designed to protect the privacy of users, large transactions and transfer of data without risk of being hacked by quantum computers.
  • In partnership with CNRS, researchers at the University of Geneva (UNIGE) discovered a new material. The material contains Ytterbium, an element that can store and protect the fragile quantum information when operating at high frequencies. Ytterbium could change the face of quantum computing in the coming years.
  • A new initiative called the Data Transfer Project (DTP) was undertaken by Microsoft, Google, Facebook, and Twitter to simplify data sharing across services. This open-source effort is working towards building tools that enable users to share data directly from one service to another. Eventually, users will no longer have to download and re-upload information.
  • Google may have proved that security keys are more efficient than multi-factor authentication. Ever since the company’s employees started using physical keys, there hasn’t been a single case of account takeover via phishing.
  • A new method of detecting malicious emails was released by a group of researchers from Ben-Gurion University. Researchers said this method could outperform 60 top-selling anti-virus programs. By leveraging machine learning algorithms, malicious emails could be detected when used in conjunction with features suggested by related work.

The Bad

Several major data breaches came to light in July as well - both malicious and accidental - that exposed millions of users. US law enforcement personnel data was exposed by an active shooter training center. The NHS blamed a coding error for a major data-sharing mistake. Typeform said hackers managed to download a backup of its customers’ data.

Companies around the world including Macy’s, TimeHop, Domain Factory, Telefonica and Thomas Cook suffered breaches. Polar Flow exposed the locations of spies and military personnel worldwide. Hackers stole 600 gallons of gas while Reaper drone documents were spotted for sale on the Dark Web. Thousands of Dahua DVR passwords were exposed via ZoomEye. Robocent leaked thousands of US voter records. Millions were impacted in the Telefonica breach. Researchers discovered sensitive data belonging to GM, Ford, Toyota, Tesla, Fiat Chrysler and other major firms was exposed online.

A healthcare group in Singapore was targeted by cybercriminals who stole over 1 million patients’ data. Some significant cyberattacks that occured over the past 30 days include LabCorp that was hit with ransomware, Ubisoft that suffered DDoS attacks and MyEthernet that was targeted by threat actors. Hackers also managed to attack a gas pump in Detroit to steal $1800 worth of gas.

  • The federally-funded Advanced Law Enforcement Rapid Response Training (ALERRT) facility exposed the personal data of police officers along with the capabilities and deficiencies of local police departments in handling active shooters. The exposed database contained thousands of records of law enforcement personnel who had sought or underwent active shooter response training over the past few years.
  • The NHS said confidential data of 150,000 patients were accidentally shared without their permission due to a “coding error.” The affected patients had requested their data only be used to provide them with care - known as “Type 2 opt-out”. However, the glitch caused their request to be ignored and their data shared for clinical auditing and research.
  • Survey company Typeform suffered a major data breach after attackers downloaded a “partial backup” of its customer data. The incident impacted a string of businesses that use Typeform’s software to conduct customer surveys and quizzes. The Tasmanian Electoral Commission, British brand Fortnum & Mason, foodmaker Birdseye and digital bank Monzo have since notified their own customers that they were likely impacted by the incident.
  • Retail giant Macy’s informed some online customers with profiles on Macys.com or Bloomingdales.com an unauthorized party accessed “a small number” of accounts between April 26 to June 12 using “valid usernames and passwords.” Compromised data included home addresses, credit card numbers, expiration dates and phone numbers.
  • TimeHop revealed it suffered a data breach that affected 21 million accounts - 3.3 million of which had their names, email addresses and phone numbers compromised. It later added that dates of birth and gender were also exposed. However, the popular service that resurfaces memories from past social media posts said users’ financial data and personal content or “memories” stored in the app were not impacted.
  • German hosting provider Domain Factory said it experienced a data breach in January that compromised customer data such as names, account numbers, physical and email addresses, phone numbers and dates of birth. Account passwords, bank names and account numbers such as IBAN and BIC were also included. Customer were advised to change their account passwords as well as MySQL, SSH, FTP, and Live disk passwords.
  • A major vulnerability in Thomas Cook Airlines’ booking system was found to have exposed customers’ names, email addresses and flight details. Norwegian security researcher Roy Solberg uncovered the flaw that allowed anyone to retrieve the data using just a reference number. The firm said the flaw only affected its Nordic division and has since been fixed.
  • Fitness app Polar Flow exposed the names, home addresses and locations of high-ranking intelligence and military personnel to the public on its network. Researchers found it was possible to exploit Polar Flow’s Explore function to discover 6400 users’ full names, profile pictures and geolocation data across 69 nationalities, along with locations of secret military sites. The function has since been turned off.
  • Hackers managed to attack a gas pump in Detroit to steal 600 gallons of gas worth roughly $1800. Investigators said the attackers used a device that allowed them to remotely block the attendant’s control of the pump from a dedicated console while a total of 10 cars used the pump during the 90-minute hack.
  • Researchers confirmed a hacker has been selling non-classified, but sensitive materials on the US Air Force’s NQ-9 Reaper drone for $150-$200 on the Dark Web. The attacker also posted information on US Army vehicles and tactics for sale too. The intruder used a 2-year-old FTP vulnerability in Netgear routers to break into a computer at the Creech Air Force Base in Nevada.
  • Popular crypto service MyEtherWallet (MEW) suffered an attack after a widely-used VPN service Hola was compromised for five hours, during which any Hola users who navigated to MEW and accessed their wallet may have been affected. Users who used and Hola during the time frame were advised to transfer their tokens to a new wallet account.
  • Login passwords for over 30,000 vulnerable Dahua DVRs running old firmware were cached by IoT search engine ZoomEye. Although many Dahua devices could be hijacked by exploiting a 5-year-old vulnerability, hackers could have simply used the search engine to unearth thousands of Dahua DVR credentials.
  • LabCorp, one of the largest clinical labs in the US, suffered a security incident that forced it to take part of its systems offline. It was later revealed that the firm was hit by the SamSam ransomware. The firm said it has found “no evidence of theft or misuse of data” so far.
  • Virginia-based political robocall firm Robocent left hundreds of thousands of voter records exposed on an unprotected Amazon S3 bucket. The repository contained both audio files with pre-recorded political messages and voter data such as names, phone numbers, addresses, jurisdiction breakdown and political leanings.
  • Spanish telecom giant Telefonica suffered a breach that possibly compromised the personal data of millions of customers. Compromised data included customers’ full names, fixed line and mobile numbers, national ID numbers, banks and call records. The company said the flaw has since has been fixed.
  • Gaming giant Ubisoft’s servers were hit by DDoS attacks causing connection and login issues for gamers. The connectivity issues began last Thursday, preventing gamers from signing into their favorite games like Far Cry 5, For Honor and Ghost Recon Wildlands for days.
  • A security vulnerability in LifeLock’s website might have exposed the email addresses of millions of customers. The vulnerability allowed users with a Web browser to index email addresses of the customers. Cyber criminals could also unsubscribe users from all communications from the company by leveraging this bug.
  • Singapore’s biggest healthcare group, SingHealth, was attacked by cybercriminals who stole non-medical personal information of over a million patients. Singapore's Prime Minister Lee Hsien Loong is among the list of victims. Stolen data includes NRIC (National Registration Identity Card) numbers, names, addresses, gender, date of birth and race.
  • Two separate cyber intrusions were recorded targeting a Virginia bank in a period of eight months. Both intrusions resulted in a total loss of $2.4 million. The first breach was recorded in May 2016 when an employee fell victim to a phishing email. The second breach happened in January 2017 after cybercriminals broke into the financial institution’s systems via a phishing email.
  • Researchers at Upguard discovered that sensitive data belonging to over 100 manufacturing companies including GM, Ford, Toyota, Tesla, Fiat Chrysler, TyssenKrupp and Volkswagen was exposed online. A repository containing 157GB worth of corporate documents was leaked. Exposed data also includes customers information, employees’ personal details and Level One corporate data.

New Threats

The month of July also saw various strains of malware, ransomware and new techniques developed and leveraged to exploit unsuspecting users. The OSX.Dummy was found targeting crypto-investors, Magniber ransomware become a global threat and Upatre was upgraded with new evasion techniques. The double threat Rakhni Trojan can choose to mine or encrypt.

New variants of Spectre was discovered, Gandcrab ransomware v4 popped up and unique extortion scam that uses hacked passwords to scare victims is making the rounds.

Researchers found hackers could use thermal imaging to read key presses. Fancy Bear hackers were found to behind the new ‘Roman Holiday’ campaign. Meanwhile, several vulnerabilities were also discovered in AVTech devices and Apache OpenWhisk. A malware author also managed to build a massive botnet in a day.

  • A new macOS malware dubbed OSX.Dummy was spotted targeting the cryptocurrency community on popular chat platforms Slack and Discord. Researchers said it uses an unsophisticated infection method that has users infect themselves and open themselves up to arbitrary code execution. They also described it has as all-round “dumb” because of its limited capabilities, trivial detection and “lame” persistence mechanism.
  • Scientists found attackers could potentially leverage thermal residue left behind on keyboards to figure out victims’ passwords and PINs. In a series of experiments, researchers found many non-expert subjects were able to successfully recover both secure and unsecure passwords based on imaging captured by thermal cameras - particularly those of “hunt and peck” typists.
  • Kaspersky Lab researchers uncovered the Rakhni malware that comes with both ransomware and cryptomining capabilities. The malware scans a targeted system before deciding whether to encrypt files or quietly mine cryptocurrency.
  • Gandcrab ransomware version 4 was spotted employing a different encryption algorithm and a new TOR payment website. The ransomware uses Salsa20, appends files with a new .KRAB extension and demands $1200 to be paid in the DASH cryptocurrency.
  • Hackers deployed thousands of invoice-themed phishing emails to organizations to drop a data-stealing malware in a new cyber espionage campaign. Dubbed “Special Ear”, the campaign delivers a malware designed to steal credentials and log keystrokes from targeted systems. Organizations in India, Saudi Arabia and South East Asia were primarily being targeted.
  • Two new Spectre variants were discovered that could be exploited to uncover confidential data via microarchitectural side channels in Intel and ARM CPUs. Spectre 1.1 could be used to create speculative buffer overflows while Spectre 1.2 allows attackers to overwrite read-only data and code pointers to infiltrate sandboxes on CPUs that don’t enforce read/write protections. The researchers who uncovered then earned a $100,000 bug bounty from Intel.
  • Bankbot Anubis struck again in a new campaign targeting Turkish-speaking Android users. IBM’s X-Force researchers said hackers managed to slip in at least 10 fake apps that are actually malicious downloaders capable of fetching over 1,000 malicious samples from the attackers C2 servers. The malware itself can capture victims’ keystrokes and steal their banking login credentials.
  • A new extortion scam emerged in which the scammers state that they know the victim’s password, have installed malware on their system, created videos of the victim using adult websites through their webcam and have stolen their contacts. They then demand a $2900 payment to keep it a secret or risk having the video sent to all of the victims’ contacts. Although the passwords have been gathered from previous data breaches and leveraged to add legitimacy to the frightening email, the rest of the scammers’ claims are bogus.
  • Magniber ransomware is becoming a global threat as it expands beyond South Korea to target other Asian countries as well. Malwarebytes researchers said its source code is now more refined, comes with multiple obfuscation techniques and is no longer dependent on a C&C server or hard coded key for its encryption process.
  • Cisco Talos researchers discovered a highly targeted malware campaign targeting just 13 iPhones located in India. The campaign has been in operation since August 2015 with attackers using an open-source mobile device management (MDM) protocol to carry out the attack and control enrolled devices.
  • CSE Cybesec’s Z-Lab said Russian threat group Fancy Bear is behind a new malware campaign targeting Italy’s Navy. The multi-stage cyberespionage campaign named Roman Holiday features an initial dropper and an updated version of the group’s X-Agent backdoor.
  • A malware author going by the pseudonym “Anarchy” managed to build a massive botnet comprised of more than 18,000 routers in just a day. Security researchers from NewSky Security spotted the new botnet built by exploiting the CVE-2017-17215 vulnerability in Huawei HG532 routers.
  • A new exploit kit named Underminer was discovered delivering a bootkit and a cryptocurrency-mining malware named Hidden Mellifera. Underminer has several advanced capabilities including transfering malware via an encrypted transmission control protocol (TCP) tunnel and packaging malicious files with a customized format similar to ROM file system format (romfs).
  • Security researchers at McAfee Labs identified a fileless threat called CactusTorch that is used to load and execute malicious .NET assemblies straight from memory. CactusTorch uses the DotNetToJScript technique to carry out its operations. Since DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive, it is difficult to detect the malware using traditional scanners.
  • Fourteen unpatched security vulnerabilities have been discovered in the firmware of several AVTech devices. By exploiting these vulnerabilities, a malware author going by the name EliteLands is reportedly building a new botnet dubbed “Death”. Affected AVTech devices include DVRs, NVRs, IP cameras and more.
  • Security bugs present in Apache OpenWhisk have been found to leak sensitive information. The vulnerabilities are tracked as CVE-2018-11756 and CVE-2018-11757. Exploiting these bugs could allow hackers to leak sensitive action data belonging to different end-users and launch attacks at the same time.


data breaches
gandcrab ransomware
spectre flaws
google chrome

Posted on: August 03, 2018

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.