Cyware Monthly Cyber Threat Intelligence May, 2018

The Good


It is important to celebrate every hard-won security advancement made in the field of cybersecurity. This month saw several advancements in the fields of data privacy and identity theft. The EU's privacy policy, GDPR, was implemented this month. A cybersecurity agreement has been established between Europol and World Economic Forum and EU agencies. Europol also  announced a new Dark Web Investigations team. New privacy controls were unveiled by Apple for its users and Mozilla developed an improved Tracking Protection system for Firefox. A new plugin for Chrome was developed that can help users pick stronger passwords. China implemented a defense strategy that can withstand over 500,000 attacks. The US House passed a bill to help train small businesses in cybersecurity and the Australian Parliament House is getting its own cybersecurity operations center. Several companies have made improvements to their privacy policy in lieu with the GDPR.

  • Europol signed two memorandums of understanding this week - one with the World Economic Forum and another with the European Defense Agency, European Union Agency for Network and Information Security and CERT-EU. The agreements establish a framework on cybersecurity, defenses, intel exchange and technical cooperation.
  • The EU’s law enforcement agency also unveiled a new team dedicated towards investigating activity across the deep dark web. Embedded within Europol’s European Cybercrime Centre, the Dark Web Investigations Team will be tasked with sharing information, providing operational support and expertise across various crime areas and developing TTPs to conduct dark web investigation and identify top threats and targets.
  • UTSA researchers have developed an authorization framework to protect connected cars against cyberattacks. Using this framework, researchers are looking to create and use security authorization policies in different access control decision points to prevent any unauthorized access to smart car sensors and data, and protecting it against attacks.
  • Federal and state officials in New York said they will be holding drills over the next few weeks leading up to the primary elections for the US House and State to prep against cyberattacks. The exercises will include voting system attack simulations like ransomware infections and social media manipulation. Information gathered from these exercises will help them identify and respond to any vulnerabilities involving the state’s voting systems.
  • US Congress passed a new bill that establishes guidelines to help prevent synthetic identity fraud. Synthetic identity fraud involves hackers creating fake identities using credit-inactive Social Security Numbers, particularly those of children, to get loans and commit other crimes. The provision will require the Social Security Administration (SSA) to accept electronic signature for financial institutions to verify identities and, in turn, identify synthetic identity fraud more quickly.
  • Apple introduced a new “Data and Privacy” website that allows customers to download a copy of all the data the company has collected about them, including Apple ID accounts and iCloud data, iTunes and App Store history. The new privacy controls will also let users deactivate or delete their accounts, and all of the stored information as well.
  • Mozilla is developing an improvised Tracking Protection system for Firefox 63 that will block the browser from loading scripts from abusive trackers, in-browser miners and user fingerprinting scripts. The upcoming version, set to release in October, will also make it easier for users to clear cookies and site data directly from the security panel.
  • Login management company Okta has released a new Chrome extension that can help warn users if their password has been compromised. The browser plug-in named PassProtect will automatically check if your password was leaked in an earlier data breach by verifying it against the Have I Been Pwned? Service and inform users in a pop-up if it isn’t safe to use.
  • A mimic defense theory, developed by China, has withstood over 500,000 hacker attacks in an international challenge, held in Nanjing, capital of east China’s Jiangsu Province. The defense system features a constantly changing software environment which makes a conventional hacker difficult to locate a target. The idea which been inspired by Mimic Octopus -- which can change its appearance according to its environment -- was first proposed by Chinese scientists in 2007.
  • The US Department of Homeland Security has introduced a new cybersecurity strategy to keep pace with the evolving cyber risk landscape over the next five years. The strategy will mainly focus on five factors namely, Risk Identification; Vulnerability Reduction; Threat Reduction; Consequence Mitigation; and Enable Cybersecurity Outcomes.
  • The government of Denmark has unveiled a $240 million cyber defense plan that aims to protect government authorities, businesses and individuals from any cyber threat. The initiative was undertaken following the increase in attacks by cybercriminals and nation-state actors. The proposed plan is expected to be implemented in the next five years and consists of 25 concrete initiatives to bolster the society's defense system against cyber attacks.
  • The first EU-wide legislation on cybersecurity - NIS Directive - came into force on May 9, to ensure critical infrastructure firms are prepared for and protected from cyberattack and computer network failure. Operators of “essential services” such as health, water, energy, transport and digital infrastructure that fail to report breaches or outages to regulators within 72 hours could face fines of up to £17 million, as per the new law.
  • Google announced at its I/O event on Thursday, that Android P will come with new privacy and security updates including limits on what apps can access when you’re not actively using them. Starting with Android P, apps are given permission to your location, microphone, camera or network status when the app is running in the background.
  • In the US, the House passed a bill aimed at helping small businesses better defend themselves against cyberattacks and threats. As per the legislation, the Small Business Administration will establish a “cyber counseling certification program” to train employees in cybersecurity at small business development centers.
  • Meanwhile, the Australian Parliament House will get its own $9 million cybersecurity operations centre to “enhance cybersecurity protection for the parliamentary computing network.” Overseen by the Department of Parliamentary Services, the centre will be responsible for the Parliament House internet services, email addresses and device management of MPs, senators and staff.
  • The UK’s Financial Conduct Authority awarded a £40 million contract until March 2021 to 17 companies to monitor, test and suggest improvements for its cyber defenses. Marking the first time the FCA has turned to external firms to improve its cybersecurity practices, companies like Deloitte, Cisco, and PwC will attempt to infiltrate the FCS’s security control, identify vulnerabilities and suggest improvements.
  • A NATO team took home the top prize in the Locked Shields 2018 exercise, the largest and most complex international live-fire cyber defense exercise. The intense competition lets cyber defenders test the protection of complex IT networks against realistic, simulated challenges and cyberattacks.
  • Israel-based security firm Regulus Cyber has unveiled new end-to-end solutions to protect the communication and sensor systems of autonomous cars and trucks, robots and drones against attacks. Having raised $6.3m in funding, Regulus’ Pyramid products could help protect autonomous vehicles’ GPS systems against spoofing attacks and safeguard drones from hacking and mission interference.
  • Email inboxes are being flooded with messages from major companies like Apple, Twitter, Airbnb, LinkedIn and more regarding changes to their privacy policy. As firms scramble to comply with tough new European data protection regulations going into effect on May 25, the GDPR marks a significant shift towards greater data privacy, user control and transparency. Firms that fail to comply could risk fines of up to 4% of annual global sales.

The Bad


The month of May witnessed a fresh wave of data breaches and cyber attacks. Ironically, Ghostery accidentally exposed hundreds of email addresses while notifying customers about GDPR compliance. Among the companies affected by data breaches are Coca-Cola (at the hands of an ex-staffer), Honda India and AgentRun (accidentally exposed private data of customers), FLEETCOR Technologies, Arizona city, and Android app Drupe (accidentally exposed sensitive user data). A DDoS attack was launched against Copenhagen’s city bike service, and nearly 1 million personal records of South Africans were publicly leaked. A lot of phishing attacks were also identified as scammers tried to impersonate multiple services like ProtonMail to trick victims into handing over their data.

  • Coca-Cola said it suffered a data breach in September 2017 after an ex-employee possessed an external hard drive that contained some employees’ personally identifiable information. The company said that about 8000 workers were affected but said there is no evidence the data was used to commit identity theft.
  • Honda India exposed the personal data of over 50,000 customers in two unsecured Amazon AWS S3 storage buckets. The data of Honda Connect app users included names, passwords, trusted contacts information, VIN, Connect IDs and more.
  • Similarly, insurance startup AgentRun exposed sensitive personal and medical details of thousands of insurance policy holders in a misconfigured AWS S3 storage bucket. The misconfigured bucket contained insurance policy documents, sensitive health information like individual prescriptions and dosages as well as scans of identification documents like Social Security cards, Medicare cards, voter IDs and more.
  • Multiple cryptocurrencies including Bitcoin Gold, Verge and Monacoin suffered nasty 51 percent attacks using overwhelming computing power to gain control of their network and alter transactions on its blockchain to steal millions worth of cryptocurrency. The attack targeting Bitcoin Gold saw the theft of about 388,000 BTG amounting to $17.5 million.
  • Ad-blocking service Ghostery suffered an embarrassing gaffe after it sent out notification emails about its GDPR compliance. However, it accidentally exposed recipients’ email addresses in the “Happy GDPR Day” email by sending the emails in batches of 500 users and CCing hundreds of recipients in every email. The company later apologized for the error saying it was caused due to an operator’s mistake while using their new self-hosted email delivery system.
  • TeenSafe, a teen-monitoring app that lets parents monitor their kids’ phone activity, accidentally exposed the data of tens of thousands of accounts in an unprotected AWS S3 storage bucket. Personal data, parental email addresses, Apple ID information, name of the teen’s device and the phone’s unique identifier were exposed.
  • An insurance startup named AgentRun exposed highly sensitive information of thousands of broker clients including insurance policy documents, health and medical data, and some financial data in a publicly accessible online storage bucket. Many files included scans of identification documents such as Social Security cards, Medicare cards, drivers’ licenses, armed forces and voter ID cards and other documents.
  • Less than a year after South Africa’s massive data leak in 2017, another 934,000 personal records of South Africans have been leaked online. The compromised data includes full names, national identity numbers, email addresses and plain text passwords. Security researcher Troy Hunt and Tefo Mohapi from iAfrikan said the data was likely backed up or posted publicly by one of the firms responsible for traffic fine online payments in South Africa.
  • A non-profit organization that handles Los Angeles County’s crisis hotline, 211 LA County, accidentally exposed 3.2 million files that contained detailed information about calls made to the hotline. The compromised data included over 3 million rows of call logs and 200,000 rows of detailed call notes including graphic details of elder abuse, child abuse and suicidal distress. Full names, phone numbers, addresses of victims, alleged perpetrators and witnesses in numerous cases of physical and sexual abuse were also exposed along with 33,000 full Social Security Numbers.
  • Cryptocurrency Verge fell victim to yet another hack that saw approximately 35 million XVGs (worth above $1.7m) stolen within a few hours. Verge suffered a similar hack in early April when it lost 250,000 XVG. Hackers exploited a glitch in Verge’s technology by mining multiple blocks one second apart using the same algorithm - the same tactic used in the first attack. Verge developers had initiated a hard fork following the April hack to “resolve” the issue.
  • The city of Riverside’s Police and Fire department suffered yet another ransomware attack - the second one since the April incident. The department’s servers were badly hit in the attack with eight hours worth of data completely wiped out by the attackers. However, the good news is that the city had a backup of its data.
  • Up to 8,000 clients may have been affected due to a data breach affecting Family Planning New South Wales (FPNSW). The exposed data contained data of clients who have contacted FPNSW via its website over the past 2½ years to make appointments or give feedback. It included names, contact details, dates of birth and the reason for their inquiries. Officials claim that the attackers may have abused vulnerability in the software that was used to build the website, in order to execute the attack.  
  • DSB, the largest train operating company of Denmark, suffered a massive DDoS attack that caused service disruption across the country. This DDoS attack halted train operations and blocked travelers from buying tickets. It also affected the company’s website, ticket machines, apps and 7-Eleven kiosks inside the railway stations.
  • Researchers have revealed a newly discovered breach that left data of more than 3 million Facebook users exposed for four years on an unsecured website. The leaked info consisted of information collected by the popular ‘myPersonality’ quiz, conducted on the social media site. The website’s low security potentially gave anyone provision to access the details.  
  • A misconfigured S3 bucket of Board of Control for Cricket in India (BCCI) resulted in the leakage of personal data of several thousand Indian applicants who had submitted forms between 2015 and 2018. The number of affected people is estimated to be between 15,000 - 20,000 while the exposed data includes name, date of birth, permanent address, medical records, birth certificate, mobile number, SSC certificate of a person.
  • FLEETCOR Technologies revealed that it suffered a data breach in April after its gift card systems were accessed by an unauthorized party. The company said it identified suspicious activity on systems involving its Store Value Solutions gift card business. It said a “significant number” of gift cards at least six months old and PIN numbers were accessed in the breach, but did not include personally identifiable information (PII).
  • Popular Android app Drupe, downloaded over 10 million times, inadvertently left users’ photos, selfies, audio messages and other sensitive data exposed online. The data was publicly available on unsecured servers on Amazon Web Services. Drupe said the exposed files were sent through Drupe Walkie Talkie and other feature that allows images to be sent during a call. It claimed these features have been used by less than 3% of its users, noting that the issue has been resolved and exposed files deleted.
  • Copenhagen’s city bikes network Bycyklen was hacked by an unidentified hacker who deleted its entire database and disabled users’ access to the bicycles. Bycyklen said the hack was “rather primitive”, but noted it was likely carried out “by a person with a great deal of knowledge of its IT infrastructure.” No data was stolen in the attack, but the firm advised users to change their PIN codes for the bikes.
  • The Together for Yes campaign which is calling for a Yes vote in the upcoming Eighth Amendment referendum in Ireland said its crowdfunding website was hit with a DDoS attack. The attack temporarily knocked the website hosted by CauseVox offline at 5:45pm which the agency said would “ordinarily be a peak time for donations.” The interruption also affected CauseVox’s security infrastructure.
  • The city of Goodyear, Arizona, temporarily disabled its online utility payment system after a resident reported fraudulent activity on the card used to pay a utility bill. The city has begun a forensic investigation into the breach that could affect 30,000 customers. The city said severe vulnerabilities within the software used for some payment card transactions were likely exploited. The affected server has been disabled and customers have been advised to monitor their payment card statements.
  • Australia’s Commonwealth Bank, the nation’s largest bank, lost the personal financial histories of 12 million customers from 2004 to 2014 after its subcontractor, Fuji Xerox, lost several magnetic tape drives of financial statements in 2016. However, the bank chose not to reveal the breach to customers. The Office of the Australia Information Commissioner was notified of the breach at the time and is now making further inquiries into the breach.
  • Compromised copies of a software used to enroll Indian citizens into the country’s controversial biometric ID program named Aadhaar are reportedly being sold to anyone for up to $30. Authenticated private contractors typically use the program to upload the Indians’ personal and biometric data to the government-owned database. However, the compromised version could let anyone add or modify entries to the Aadhaar database with no checks, including the mandatory GPS check.
  • Americas Cardroom, one of the world’s oldest online poker websites, was hit with a series of DDoS attacks. The company was forced to pause all running tournaments and take its website offline for days, leading many irked players to voice their fury on social media.
  • Meanwhile, phishing attacks were abound as multiple companies warned users to be on the lookout for scams impersonating their platforms and requesting personal data. ProtonMail warned users that it noticed an “unusually high” number of phishing attempts targeting its users in recent days. Irish Netflix users were also cautioned against a “convincing” scam warning them about an expiring Netflix subscription to dupe victims into divulging their bank details.
  • Britain’s TSB warned customers of phishing emails and texts attempting to steal their banking details - the latest blow to the company after up to 1.9 million customers have been left unable to access their accounts for two weeks in a major IT crisis.
  • 4Chan hackers attempted to change the voting results of Nasa’s Optimus Prime Spinoff Promotion and Research Challenge to prevent a group of three African-American girls from winning. Nasa confirmed the cyberattack and was forced to end its public voting to protect the integrity of the final results.

New Threats


New malware, threat methods and botnets were discovered this month. The VPNFilter malware were found infecting over half a million routers worldwide. Exploiting the craze surrounding FIFA, scammers launched football-themed scams. The Satori botnet was identified targeting  cryptomining rigs. New strains of cryptomining worms include the Drupal-focused Kitty malware and Blackheart ransomware. New versions of the infamous Spectre vulnerability were disclosed by researchers. PoS malware TreasureHunter’s source code was leaked on a cybercrime forum. Cyber criminals also used StalinLocker, Dharma ransomware, and Maikspy malware to launch attacks.

  • ESET researchers uncovered the BackSwap malware that exploits Windows message loop to identify visited sites related to banking before injecting malicious JavaScript into the web page.  Bypassing AV and browser protection mechanisms, the malware then replaces the recipient’s bank account number with a different one to transfer funds over to the attackers instead.
  • The FBI issued an urgent advisory asking people to reboot their routers to thwart the Russia-linked VPNFilter malware. Cisco Talos researchers said the malware has already compromised nearly half a million devices worldwide including those manufactured by  Linksys, MikroTik, NETGEAR, TP-Link and QNAP network-attached storage devices. The malware, believed to be created by the Sofacy hacking group, is capable of collecting data, blocking network traffic and even disabling the infected device completely.
  • As the 2018 FIFA World Cup draws near, opportunistic fraudsters are already deploying football-themed scams via messages and cloned websites advertising tickets and travel deals to dupe fans. Kaspersky Lab researchers observed spikes in spam emails and phishing pages particularly during match ticket sales.
  • The US Department of Homeland Security and FBI issued a joint advisory detailing two strains of North Korean malware named Joanap and Brambul. Officials said hackers associated with Pyongyang have used both to target critical infrastructure, aerospace, financial and media organizations worldwide since at least 2009.
  • Cisco Talos researchers discovered a new strain of malware named VPNFilter infecting 500,000 routers and storage devices in 54 countries worldwide including Linksys, MikroTik, Netgear and TP-Link networking equipment. VPNFilter’s capabilities include theft of website credentials, monitoring of Modbus SCADA protocols and a destructive capability to render a device unusable. Researchers said most of the infected devices were concentrated in Ukraine, noting that VPNFilter is likely a state-sponsored malware that overlapped with versions of the BlackEnergy malware.
  • Kaspersky Lab researchers observed the previously Android-focused mobile malware Roaming Mantis is expanding its reach and nefarious capabilities. While earlier Roaming Mantis attacks targeted Android users in South East Asia via DNS hijacking, the malware now uses malicious APK files and landing pages supporting 27 languages. It has also begun targeting iOS users with phishing attacks, and PCs with cryptomining code.
  • WinstarNssmMiner, a nasty new piece of cryptomining malware has been spotted being used in half a million attempted attacks targeting PCs in just 3 days. According to Qihoo researchers attempts to infect systems to hijack their processing power and mine Monero coins. However, if users or an antivirus attempts to remove the programme, it crashes the machine.
  • Multiple research firms reported the malicious activities of a large Satori botnet scanning the internet for vulnerable Ethereum mining rigs since May 11. Qihoo 360 Netlab, GreyNoise Intelligence and SANS ISC researchers said attackers are targeting port 333 used for remote management features by cryptomining hardware.
  • Security researchers at Microsoft and Google uncovered a new Spectre-like security flaw called Speculative Store Bypass or “Variant 4” that affects chips from Intel, AMD and ARM. Although the newly discovered flaw could allow unauthorised read access to memory, the risks have been described as low due to patches for common web browsers issued earlier this year to address Spectre.
  • The recently detected Powershell backdoor, dubbed PRB-Backdoor malware, has been found to be stealing information and executing various commands on the infected systems. The malware is distributed via Word document named ‘Egyptairplus.doc’ containing malicious macros. Other capabilities of the malware include writing files to disk, reading files, launching a shell, recording keystrokes, taking screenshots of the screen and getting system info.
  • A new-in-development screenlocker called StalinLocker was discovered giving victims 10 minutes to enter a specific code or have their hard drive data deleted. Upon execution, the malware locked the screen, displayed a picture of Stalin and a countdown timer while playing the USSR anthem in the background. The countdown is displayed until the files are deleted.
  • A new malware has been reported to collect cache and key files from instant messaging service Telegram. This new malware was first seen on April 4, 2018, with a second variant emerging on April 10. The second variant is capable of stealing login credentials and collecting Telegram's desktop cache and key files. The two malware are distributed using various downloaders written in different languages.
  • A new variant of Bip Dharma/Crysis ransomware was discovered this week that is being distributed via spam emails. Upon installation, it encrypts the content of files and later appends them with .Bip extension in order to extort victims to pay up in Bitcoin.
  • Researchers discovered a RIG Exploit Kit being used to deliver a Trojan named Grobios. In this attack, victims are directed to the RIG landing page after visiting the domain latorre[.]com[.]au. The main purpose of Grobios malware is to help attackers gain a strong foothold in targeted systems by employing various kind of evasions and anti-VM techniques.
  • Over 400 websites running on the Drupal content management system, including government and university sites, were targeted by a cryptomining campaign exploiting the critical CVE-2018-7600 remote-code execution vulnerability, dubbed Drupalgeddon 2.0. Some of the websites affected included those of Lenovo, the San Diego Zoo, UCLA and more.
  • Researchers discovered a series of legitimate websites that have been found delivering the notorious Gandcrab ransomware. Cisco Talos researchers said the key issue for these compromised websites were multiple vulnerabilities in outdated software - ripe for the picking for adversaries. Some of the affected websites included a courier service in India and a WordPress site for a herbal medicine seller.
  • Trend Micro researchers discovered the Maikspy malware that comes disguised as an adult game named after former adult film actress Mia Khalifa. Targeting Windows and Android users, the fake game app is promoted on social media to distribute the malicious link. The link redirects users to a website that distributes other malicious apps, connects to a C&C server and uploads data from infected devices including account info, phone numbers, contacts, photos, SMS messages and more.
  • Flashpoint researchers said the source code of the TreasureHunter PoS malware has been leaked on a Russian-speaking underground forum. Following the source code’s release in March 2018, researchers predict the leak will likely inspire a new round of nasty PoS malware strains much like previous source code leaks for Mirai, BankBot and Zeus have done so in the past.
  • AlienVault researchers identified the MassMiner malware that targets web servers and uses multiple well-known exploits to infiltrate vulnerable systems and drop a Monero miner. MassMiner leverages NSA’s EternalBlue hacking tool, an exploit for the Apache Struts flaw seen in the Equifax breach, an exploit for Oracle’s WebLogic Java application server and the SQLck tool for brute-force attacks against Microsoft SQL Servers in its attacks.
  • Over a month since the Drupalgeddon 2.0 exploit was uncovered, Imperva researchers discovered a new version of the Kitty malware targeting the Drupal content management system to mine cryptocurrency. Multiple types of malware, including Kitty, use this flaw as an entry point to gain a foothold in Drupal setups. Besides compromising the server and installing the XMRig Monero miner, Kitty can also spread to the machines of future users who visit infected domains to mine cryptocurrency.
  • Trend Micro discovered the new Blackheart ransomware that comes bundled with the legitimate AnyDesk tool to evade detection. Once the ransomware is downloaded, AnyDesk begins running in the background while Blackheart begins the encryption process. Demanding $50 in bitcoins, Blackheart infects victims via malicious sites and functions like any other common ransomware.
  • Russia-linked cyberespionage group Fancy Bear is believed to impersonating the popular anti-theft software LoJack to infiltrate enterprise networks. Arbor Networks’ said the APT group is likely behind malicious command and control (C2) domains found in five legitimate Lojack agents. While the legitimate actions of the software were unchanged, the C2 server addresses were subtly swapped with those of the attackers and were undetected by most AV software.






  • Share this blog:
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.