Cyware Monthly Cyber Threat Intelligence November, 2018

The Good


As November comes to an end, it closes another month buzzing with cyber activity, including new breaches, malware strains and more. There were, however, positive advancements that matter at least as much as the negatives. Security researchers created a new AI system designed to predict cyberattacks. The US Congress passed a bill creating a new centralized federal cybersecurity agency. US Army scientists are working on a quantum networking experiment aimed at offering soldiers more secure and reliable communications on the battlefield. Meanwhile, security researchers developed a powerful new fuzzing tool to root out security flaws.

  • Security researchers have created a new AI system, named DARKMENTION, designed to predict cyberattacks. The system monitors online and dark web forums to gather intelligence, and it contains a repository of over 500 cyberattacks that have previously occurred.
  • Google’s automated fuzzing service OSS-Fuzz has spotted over 9,000 security vulnerabilities over the past two years. Google launched OSS-Fuzz in December 2016. The service hunts for vulnerabilities in open source projects by fuzzing: feeding them large volumes of malformed and randomly mutated inputs and watching for crashes and other misbehaviour.
  • The US Congress passed a bill creating a new centralized federal cybersecurity agency. The move reconfigures the Department of Homeland Security’s National Protection and Programs Directorate into the Cybersecurity and Infrastructure Security Agency (CISA).
  • Google, Microsoft, and other tech giants have backed French President Emmanuel Macron’s call for greater internet security. The initiative, known as the “Paris Call for Trust and Security in Cyberspace,” is aimed at tightening internet regulations and boosting protections against cyberattacks, election interference, and more.
  • Researchers are working on using brainwaves as the next generation of passwords. Biometrics are increasingly replacing traditional passwords, and the new research aims to develop a flexible and secure biometric alternative to them.
  • US Army scientists, working out of the Army Research Laboratory (ARL), are working on a quantum networking experiment aimed at offering soldiers more secure and reliable communications on the battlefield.
  • The Federal Communications Commission (FCC) has launched an all-out war against scammers and robo-callers in a new initiative. US network providers are being pressed to implement a framework called SHAKEN/STIR (Signature-based Handling of Asserted information using toKENs / Secure Telephone Identity Revisited), under which the originating carrier cryptographically attests to the caller ID it passes on, so that the receiving carrier can flag calls whose caller ID has been spoofed.
  • Security researchers developed a powerful new tool to root out security flaws. AFLSmart is a structure-aware fuzzer built on the American Fuzzy Lop (AFL) toolkit: it uses a model of the input format to mutate inputs at the level of fields and chunks rather than raw bytes. It found twice as many bugs as AFL over a 24 hour period and has already uncovered a total of 42 zero-day vulnerabilities, 17 of which have received CVEs.
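
To make concrete what the fuzzers in the two items above do, here is an added example that is not code from OSS-Fuzz, AFL or AFLSmart and is not part of the original roundup: a constructed toy record parser with a deliberate length-handling bug, a small mutation fuzzer in the AFL style with one structure-aware mutation of the kind AFLSmart adds, and a patched parser that the same fuzzer can no longer crash. The record format, the parser, the seed input and the mutation set are all invented for illustration.

```python
import random
from typing import Callable, List, Optional

# Constructed seed: tag 0x01, length 3, body "abc", checksum (97+98+99) % 256 = 0x26.
SEED_INPUT = b"\x01\x03abc\x26"


def parse_record(data: bytes) -> bytes:
    """Constructed fuzz target: a tag-length-value record parser.

    Layout: tag (must be 0x01), one length byte, `length` body bytes, then a
    checksum byte equal to sum(body) % 256. Deliberate bug: the declared length
    is trusted, so a length larger than the remaining input makes the checksum
    read index past the end of the buffer (an IndexError here; an out-of-bounds
    read in a C parser).
    """
    if len(data) < 2:
        raise ValueError("short header")
    tag, length = data[0], data[1]
    if tag != 0x01:
        raise ValueError("unknown tag")
    body = data[2:2 + length]
    checksum = data[2 + length]          # overruns when length > len(data) - 3
    if sum(body) % 256 != checksum:
        raise ValueError("bad checksum")
    return body


def parse_record_fixed(data: bytes) -> bytes:
    """Same format, with the declared length validated before any read."""
    if len(data) < 2:
        raise ValueError("short header")
    tag, length = data[0], data[1]
    if tag != 0x01:
        raise ValueError("unknown tag")
    if len(data) < 2 + length + 1:
        raise ValueError("declared length exceeds input")
    body = data[2:2 + length]
    if sum(body) % 256 != data[2 + length]:
        raise ValueError("bad checksum")
    return body


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: four AFL-style byte-level edits plus one
    structure-aware edit (rewrite the length field), the kind of format
    knowledge AFLSmart layers on top of AFL."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                                   # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                                 # "interesting" byte values
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:                                         # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:                        # delete a byte
        del buf[rng.randrange(len(buf))]
    elif len(buf) >= 2:                                   # structure-aware: length field
        buf[1] = rng.randrange(256)
    return bytes(buf)


def fuzz(target: Callable[[bytes], bytes], seed_input: bytes,
         iterations: int = 2000, seed: int = 1) -> Optional[bytes]:
    """Mutation fuzzer. Inputs the parser accepts join the corpus so later
    mutations start from well-formed records; ValueError is the parser's own
    rejection and is not a bug. Returns the first input that raises anything
    else, or None if no crash was found within `iterations`."""
    rng = random.Random(seed)                 # fixed seed keeps the run reproducible
    corpus: List[bytes] = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate
        if len(corpus) < 64:
            corpus.append(candidate)
    return None


if __name__ == "__main__":
    print("vulnerable parser crash input:", fuzz(parse_record, SEED_INPUT))
    print("fixed parser crash input:", fuzz(parse_record_fixed, SEED_INPUT))
```

Running the block finds a crashing input for `parse_record` within a handful of iterations, because any mutation that pushes the length byte past the remaining input triggers the over-read, while the same budget against `parse_record_fixed` returns `None`. Real fuzzers add what this toy omits: coverage feedback to steer mutation, crash deduplication, and sanitizers such as AddressSanitizer so that an out-of-bounds read in native code is reported rather than silently tolerated.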

The Bad


November was peppered with numerous data breaches and leaks that exposed millions of people's personal information across the globe. Two of the biggest breaches of the year occurred this month. A misconfigured Elasticsearch server leaked the personal information of 57 million US citizens. Marriott was hit by a breach that compromised the personal data of 500 million guests. Hackers hit every bank in Pakistan in a massive attack. The data of around 700,000 customers of American Express India was inadvertently left exposed in an unsecured MongoDB server. Google services went down briefly after the tech giant’s internet traffic was rerouted by a BGP route leak. Meanwhile, a California-based communications firm exposed a massive database containing millions of text messages and more. The US Postal Service (USPS) was also impacted by a breach that may have exposed over 60 million customers’ data.

  • Hackers hit every bank in Pakistan in a massive attack. The data of nearly 8,000 bank account holders from 10 different banks has been put up for sale on the dark web. Although it is still unclear how the breach came about, PakCERT believes that some locals may have aided the cybercriminals behind the attack, who are suspected to have been located outside the country.
  • The data of around 700,000 customers of American Express India was inadvertently left exposed in an unsecured MongoDB server. The database, reachable without authentication, contained 689,272 records in plaintext. The exposed data included full names, email addresses, phone numbers, card details and more.
  • Google services went down briefly after the tech giant’s internet traffic was rerouted by a BGP route leak from a Nigerian ISP. Google’s user traffic passed through Russia and Nigeria, and the leaked IP prefixes were also propagated by the Chinese state-owned telecom provider China Telecom.
  • A California-based communications firm called Voxox exposed a massive database containing millions of text messages and more. The exposure was caused by an unprotected Amazon Elasticsearch server. The database contained around 26 million text messages, including password reset links, two-factor authentication codes, shipping notifications and more, along with customer phone numbers.
  • Amazon suffered a breach just days before Black Friday. The breach resulted in the exposure of names and email addresses of some of its customers. The tech giant has been tight-lipped about the details, revealing only that the exposure was caused by a technical error on its website.
  • The US Postal Service (USPS) was also impacted by a breach that may have exposed over 60 million customers’ data. The cause was a year-old API flaw: the API checked that the caller had a USPS account but not that the record requested belonged to that caller, so any account holder could view other users’ data and even alter it without their knowledge or consent.
  • Daniel’s Hosting, one of the most popular dark web hosting services, was knocked offline by rival hackers. The attack occurred on November 15, 2018, and resulted in the loss of more than 6,500 dark web services hosted on the platform.
  • A misconfigured Elasticsearch server leaked the personal information of 57 million US citizens. The database was left online for nearly two weeks. It contained over 73GB of data, including first names, last names, employer IDs, job titles, email addresses, physical addresses, states, ZIP codes, phone numbers, and IP addresses.
  • Marriott was hit by a breach that compromised the personal data of 500 million guests. The hotel chain discovered that unauthorized parties had had access to its reservation network since 2014. The breach is now considered one of the largest ever discovered.
  • A new phishing campaign was spotted targeting French industries. The campaign began in October and has targeted the French banking, aviation, IT, chemical manufacturing, automotive and other sectors.
  • Over 2 million patients’ personal data was impacted in a breach that affected Charlotte-based Atrium Health. The information compromised in the breach includes patients’ names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information, and Social Security numbers.
  • SKY Brazil accidentally leaked 32 million customers’ personal information online. The data was left exposed online long enough for hackers to have likely stolen information. The leaked data also included the personal information of high-profile politicians, which may have already been accessed by hackers.
  • Dunkin’ Donuts was hit by hackers recently. The breach was the result of a credential stuffing attack, in which attackers replay username and password pairs stolen from other sites against a login page, relying on users having reused the same password. The information that may have been accessed includes customers’ first and last names, email addresses, 16-digit DD Perks account numbers and more.
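
The USPS item above describes a broken object-level authorization check (often called an insecure direct object reference): the API confirmed that the caller was logged in but never checked that the record requested belonged to that caller. The following added example is not USPS code and is not part of the original roundup; the account store, account numbers and user names are constructed. It shows vulnerable read and update handlers next to versions that check ownership of the referenced record.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class Unauthenticated(Exception):
    """Caller has no session."""


class Forbidden(Exception):
    """Caller has a session but does not own the referenced record."""


@dataclass
class Account:
    owner: str       # username that owns this record
    email: str
    address: str


def sample_store() -> Dict[str, Account]:
    """Constructed data: sequential, guessable account numbers, two customers."""
    return {
        "10001": Account("alice", "alice@example.com", "1 Main St"),
        "10002": Account("bob", "bob@example.com", "2 Oak Ave"),
    }


# --- Vulnerable handlers: authentication only, no object-level authorization ---

def get_account_vulnerable(store: Dict[str, Account], session_user: Optional[str],
                           account_id: str) -> Account:
    """Any logged-in user can read any account simply by changing the id."""
    if session_user is None:
        raise Unauthenticated()
    return store[account_id]                      # ownership never checked


def update_address_vulnerable(store: Dict[str, Account], session_user: Optional[str],
                              account_id: str, new_address: str) -> None:
    """Any logged-in user can alter any account's data."""
    if session_user is None:
        raise Unauthenticated()
    store[account_id].address = new_address       # ownership never checked


# --- Fixed handlers: every object reference is resolved through an ownership check ---

def _owned_account(store: Dict[str, Account], session_user: Optional[str],
                   account_id: str) -> Account:
    """Resolve an account id on behalf of the caller. Unknown ids and ids owned
    by someone else both map to Forbidden, so the response does not reveal
    which account numbers exist."""
    if session_user is None:
        raise Unauthenticated()
    acct = store.get(account_id)
    if acct is None or acct.owner != session_user:
        raise Forbidden()
    return acct


def get_account_fixed(store: Dict[str, Account], session_user: Optional[str],
                      account_id: str) -> Account:
    return _owned_account(store, session_user, account_id)


def update_address_fixed(store: Dict[str, Account], session_user: Optional[str],
                         account_id: str, new_address: str) -> None:
    _owned_account(store, session_user, account_id).address = new_address


if __name__ == "__main__":
    store = sample_store()
    print("alice reads bob (vulnerable):", get_account_vulnerable(store, "alice", "10002"))
    try:
        get_account_fixed(store, "alice", "10002")
    except Forbidden:
        print("alice reads bob (fixed): Forbidden")
```

The structural point is that the ownership check lives in the one function every handler uses to turn an id into a record, so a new endpoint cannot forget it. In a real service the same rule applies to list, search and bulk endpoints, and an access log that shows one session touching many sequential ids is the detection signal for this class of bug.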

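Credential stuffing, as in the Dunkin’ Donuts item above, is the replay of username and password pairs taken from other breaches, so it leaves a distinctive trace: one source failing logins against many different accounts in a short window, unlike a single user mistyping one password several times. The following added detection example is not Dunkin’ code and is not part of the original roundup; the log format, field names, user names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample authentication log (RFC 5737 test addresses, invented users).
# 203.0.113.5  : six different accounts fail within 12 seconds, then one succeeds.
# 198.51.100.7 : one user fails twice then succeeds (a typo, not stuffing).
# 203.0.113.77 : five accounts fail, but one per hour, outside the window.
SAMPLE_LOG = """\
2018-11-20T10:00:01Z login result=fail ip=203.0.113.5 user=alice
2018-11-20T10:00:03Z login result=fail ip=203.0.113.5 user=bob
2018-11-20T10:00:05Z login result=fail ip=203.0.113.5 user=carol
2018-11-20T10:00:07Z login result=fail ip=203.0.113.5 user=dave
2018-11-20T10:00:09Z login result=fail ip=203.0.113.5 user=erin
2018-11-20T10:00:11Z login result=fail ip=203.0.113.5 user=gina
2018-11-20T10:00:13Z login result=ok ip=203.0.113.5 user=frank
2018-11-20T10:01:00Z login result=fail ip=198.51.100.7 user=alice
2018-11-20T10:01:20Z login result=fail ip=198.51.100.7 user=alice
2018-11-20T10:01:40Z login result=ok ip=198.51.100.7 user=alice
2018-11-20T09:00:00Z login result=fail ip=203.0.113.77 user=alice
2018-11-20T10:00:00Z login result=fail ip=203.0.113.77 user=bob
2018-11-20T11:00:00Z login result=fail ip=203.0.113.77 user=carol
2018-11-20T12:00:00Z login result=fail ip=203.0.113.77 user=dave
2018-11-20T13:00:00Z login result=fail ip=203.0.113.77 user=erin
2018-11-20T10:02:00Z login result=ok ip=192.0.2.9 user=carol
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z login "
    r"result=(?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "result": m.group("result"),
        "ip": m.group("ip"),
        "user": m.group("user"),
    }


def detect_credential_stuffing(lines: Iterable[str],
                               window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag a source IP when, inside any sliding window of length `window`, it
    fails logins against at least `min_distinct_users` different usernames.
    For each flagged IP, also list accounts that logged in successfully from it:
    those are the candidate takeovers that need a forced password reset."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent_fails: List[dict] = []          # failures inside the sliding window
        peak_distinct = 0
        for ev in events:
            if ev["result"] != "fail":
                continue
            recent_fails.append(ev)
            cutoff = ev["ts"] - window
            recent_fails = [f for f in recent_fails if f["ts"] >= cutoff]
            peak_distinct = max(peak_distinct, len({f["user"] for f in recent_fails}))
        if peak_distinct >= min_distinct_users:
            flagged[ip] = {
                "distinct_users_failed": peak_distinct,
                "successes": [e["user"] for e in events if e["result"] == "ok"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Counting distinct usernames per source rather than raw failures is what separates stuffing from a legitimate user retrying one account. In production the source key should also include the user agent or a device fingerprint, since stuffing tools rotate through proxy pools to keep each IP under any per-address threshold.
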
New Threats


Dozens of new malware strains, ransomware families, vulnerabilities, threat groups, scams and other malicious activity emerged over the past month. A 100,000-bot IoT botnet, BCMUPnP_Hunter, is currently pushing out massive spam email campaigns. The TA505 threat actor was found testing a new reconnaissance malware dubbed tRAT. A new malware called DarkGate, which can function as a keylogger, ransomware and cryptominer, was discovered. Over a dozen malware-laced Android apps were found on the Google Play Store. Meanwhile, a new variant of the Rotexy malware, combining the capabilities of a banking trojan and ransomware, was discovered. A new Linux cryptominer that can steal root passwords and disable antivirus software was found. A cryptominer called KingMiner was uncovered that has already infected victims from Mexico to India and from Norway to Israel. Meanwhile, a new zero-day vulnerability was found in Nuuo’s surveillance camera firmware.

  • Security researchers discovered a new stealthy cryptomining malware. Dubbed “Coinminer.Win32.MALXMR.TIAOODAM”, the malware is delivered onto victim machines as a Windows Installer MSI file. It is also capable of bypassing security filters and comes with a self-destruction mechanism.
  • A 100,000-bot strong IoT botnet BCMUPnP_Hunter is currently pushing out massive spam email campaigns. The botnet’s operators were spotted using a five-year-old vulnerability, which allows attackers to remotely execute malicious code on vulnerable routers. Although the botnet is targeting victims globally, so far, it has primarily infected victims in India, China, and the US.
  • The Outlaw hacker group was found wielding the Shellbot botnet to target IoT devices and Linux systems. The botnet is capable of allowing attackers to launch DDoS attacks, conduct port scans and more.
  • The TA505 threat actor was found testing out a new reconnaissance malware dubbed tRAT. tRAT is a modular malware, written in Delphi, that is currently being used in a reconnaissance campaign targeting financial institutions.
  • A new malware called DarkGate, that can function as a keylogger, a ransomware, and cryptominer, has been discovered. The malware is currently being delivered via Torrent files and is targeting victims in Spain and France. The malware also uses several advanced anti-analysis techniques, such as using vendor-specific checks, to evade detection.
  • The Mylobot botnet was found distributing the Khalesi malware. Mylobot belongs to a sophisticated malware family and is classified as a downloader. Meanwhile, Khalesi is considered one of the fastest growing malware variants of the year.
  • A new Trickbot variant was discovered being distributed in a campaign posing as correspondence from Lloyds Bank. The malware is capable of exfiltrating data such as passwords, browsing history, bank and other financial details, and logins from infected systems.
  • Over a dozen malware-laced Android apps were discovered on the Google Play Store. 13 malicious gaming apps, developed by the same person, were installed over 560,000 times. The apps, which posed as driving games, crashed each time they were opened.
  • A new variant of the Rotexy malware, combining the capabilities of a banking trojan and ransomware, was discovered. Between August and October 2018, Rotexy launched over 70,000 attacks, primarily against victims in Russia.
  • Texas-based Altus Baytown Hospital (ABH) was hit by a ransomware attack that may have led to hackers compromising patient records and their personal data. The hospital fell victim to the prolific Dharma ransomware.
  • A new Linux cryptominer that can steal root passwords and disable antivirus software was discovered. The cryptominer, dubbed Linux.BtcMine.174, contains over 1,000 lines of code and is also capable of searching for competing miners on the host and removing them.
  • A cryptominer called KingMiner was uncovered that has already infected victims from Mexico to India and from Norway to Israel. The malware targets Windows servers and mines for Monero.
  • A new zero-day vulnerability was found in Nuuo’s surveillance camera firmware. The bug could allow hackers to take control of surveillance cameras and tamper with footage and live feeds, and it could also allow remote code execution with root privileges on the affected systems.
  • A new variant of the Bladabindi malware was discovered. The new variant of the RAT, Worm.Win32.BLADABINDI.AA, spreads via removable drives and installs a fileless variant of the Bladabindi backdoor. Bladabindi comes with a variety of data-stealing capabilities: it can steal browser credentials, capture webcam footage, and download additional malicious files.
