Cyware Monthly Cyber Threat Intelligence October, 2018

The Good


As we bid adieu to October, it's time to summarize all the major breaches, attacks, malware, and new technologies that have emerged over the past month. Let's begin by lauding the positive developments: California passed a new law aimed at boosting IoT security, and researchers from MIT created a new system to protect against Meltdown and Spectre attacks. Meanwhile, the US Cyber Command is dogging the heels of Russian online trolls attempting to distribute disinformation campaigns and warning them that they are being watched.

  • Google plans to enforce more stringent rules on developers to block malicious Chrome extensions. The new measures will give users of extensions more control over which sites extensions can access. Google is also prohibiting extensions that use obfuscated code. Extension developers will also have to do more to protect their developer accounts. For instance, starting in 2019, extension developers will have to enable two-factor authentication for their accounts.
  • California passed a new law that aims at boosting IoT security. The new law makes it illegal for connected device manufacturers to ship devices with default passwords. The law also makes it mandatory for manufacturers to create a unique credential for each device, or ensure that the user is forced to create a unique password when they boot up the device for the first time.
  • The Wall Street Journal launched a programme designed to help small businesses improve their security. The WSJ Pro Cybersecurity program offers small business information about cyberthreats, security response methods, and more via its website and newsletters.
  • Researchers from MIT have created a new system that reduces the risk of memory-based attacks such as Meltdown and Spectre. Lebedev and his team at MIT CSAIL are working on a system which they say is a more effective alternative for protecting modern PC architecture against timing attacks, and the invention has proven to be more secure than Intel's Cache Allocation Technology (CAT). The system, labeled the Dynamically Allocated Way Guard (DAWG), splits the cache into multiple buckets.
  • Passengers checking into flights at Shanghai's Hongqiao International Airport can now use their face to prove their identity thanks to the rollout of facial recognition technology. The airport this week unveiled self-service kiosks for flight and baggage check-in, security clearance, and boarding powered by facial recognition technology.
  • The Army’s Research, Development and Engineering Command is laying the groundwork for its artificial intelligence plans with a newly crafted strategy. The RDECOM strategy, which has not been made public, details where the command currently is regarding the development of AI capabilities, where it wants to go in the future, and defines taxonomy associated with the technology.
  • The European Union is gearing up to create new regulations that would impose economic sanctions on cybercriminals. In the face of increasingly sophisticated cyberespionage and cybercriminal campaigns, EU leaders are now mulling imposing sanctions on hackers to stem the flow of destructive cyberattacks.
  • The US Cyber Command is dogging the heels of Russian online trolls attempting to distribute disinformation campaigns and warning them that they are being watched. The operation is aimed at deterring more sophisticated Russian cyberattacks targeting US infrastructure.
  • Apple launched a new T2 security chip that is designed to stop attackers from spying on users. This new security feature is capable of disconnecting the microphone whenever the lid of the MacBook is closed. It is designed to help protect a device’s encryption keys, storage, fingerprint data, and secure boot features.
  • Google launched reCAPTCHA v3 that aims to better protect websites from spam and make the security procedure more user-friendly. The latest version of the security tool is designed to run an adaptive risk analysis in the background and provide websites with a score that shows how suspicious an interaction is.

The Bad


Over the past month, numerous destructive data breaches, leaks and cyberattacks were observed. These attacks affected numerous government and private entities. Facebook acknowledged suffering a massive breach. Google plans to shut down Google Plus next year after a breach exposed 500,000 customers’ data. A water company already dealing with the aftermath of Hurricane Florence was attacked by a ransomware campaign, resulting in a one-of-its-kind joint physical and cyber disaster. Meanwhile, HealthCare.gov’s sign-up system was hit by hackers who stole the data of around 75,000 people. Switzerland-based cryptocurrency exchange Trade.io was hacked and $7.5 million worth of cryptocurrencies was stolen.

  • The biggest data breach of the week award goes to Facebook. The tech giant acknowledged suffering a massive breach that compromised over 50 million user accounts. The attackers exploited a flaw that first appeared in July 2017, when Facebook made some changes in the video uploading feature. This is Facebook’s second breach in 2018. The previous breach made headlines after profile details of 87 million users were improperly accessed by the political data firm Cambridge Analytica.
  • Sales engagement startup, Apollo was hit by hackers who stole a database that contained 200 million contact records. The stolen database contained the contact details of prospective customers from 10 million companies. The compromised data includes customers’ names, email addresses, company names, and other business information.
  • Brazilian banks suffered a massive attack by cybercriminals who used a 100,000-strong botnet. Users attempting to access the online banking sites of Brazilian banks were redirected to phishing sites. The cybercriminals behind the GhostDNS botnet campaign are still scanning the internet for Brazilian routers with weak or no passwords.
  • Google will shut down Google Plus next year after a breach exposed 500,000 customers’ data. The breach was caused by an API bug, which, if exploited, could allow third-party apps to gain access to public profile information of Google Plus users’ friends.
  • The Slovak Foreign and European Affairs Ministry has become the target of a massive cyber attack, Slovak Prime Minister Peter Pellegrini said on Wednesday, adding that at the moment it's not possible to specify who is behind the attack. The prime minister added that the issues concerning the identity of attackers and the subject of their interest are currently the main objective of the ongoing investigation.
  • Around 35 million US voter records from the year 2018 were found for sale on a popular hacking forum. The seller was demanding $42,200 for all the records from 19 states. The advertisement on the hacking forum says that the data sold is from updated statewide voter lists and contains sensitive information including phone numbers, full addresses, and names of millions of US residents.
  • A water company in the US state of North Carolina already dealing with the aftermath of Hurricane Florence was left to juggle a complete database rebuild because of a nasty ransomware infection. ONWASA said that the attack began on October 4 when Emotet was first spotted on the utility's network. IT staff thought they had contained the initial infection, only to see a second attack kick off in the wee hours of Saturday, October 13.
  • HealthCare.gov’s sign-up system was hit by hackers who stole the data of around 75,000 people. The hackers gained access to HealthCare.gov’s sign-up system, called the Federally Facilitated Exchange (FFE), which is used by health insurance agents and brokers to enroll users into Obamacare plans.
  • Switzerland-based cryptocurrency exchange Trade.io was hacked and $7.5 million worth of cryptocurrencies was stolen. The stolen funds were stored in a cold storage wallet. The cryptocurrency exchange discovered the breach after it observed a large number of cryptocurrencies being transferred from one of the accounts associated with its cold storage wallets.
  • Hong Kong-based airline Cathay Pacific was hit by a massive data breach that compromised 9.4 million passengers’ data. Passengers' personal details including names, nationality, dates of birth, phone numbers, email addresses, passport numbers, identity card numbers, frequent flyer membership numbers, custom service remarks, and travel history might have been stolen by hackers.
  • Eurostar detected a breach and began resetting users' passwords. The firm said that the cybercriminals behind the attack used Eurostar account holders’ usernames and passwords to infiltrate its systems. It is still unclear how many users have been affected by the breach and whether the attackers succeeded in exfiltrating any sensitive corporate or user data.

New Threats


October saw various new malware, vulnerabilities and other threats come out of the woodwork. White-hat hackers discovered 150 bugs in websites of the US Marine Corps. A previously unknown threat group called Gallmaker was brought to light by security experts. A new data reconnaissance campaign leveraging attack techniques dating back to the year 2010 and first used by APT1 was discovered. Meanwhile, a new Android malware dubbed TimpDoor was recently discovered and has already infected around 5,000 victims in the US.

  • A flaw in Telegram exposed users’ IP addresses. The leak was caused by a bug in the desktop version of the Telegram app, which inadvertently exposed users’ IP addresses during voice calls.
  • The Fallout exploit kit has switched from spreading the GandCrab ransomware to distributing the Kraken Cryptor ransomware. The EK began distributing the Kraken Cryptor ransomware (version 1.5) earlier this week. Kraken Cryptor appeared in the Ransomware as a Service (RaaS) arena and is now being actively distributed in the wild by multiple sources.
  • White-hat hackers discovered 150 bugs in websites of the US Marine Corps. Around 100 security researchers participated in the “Hack The Marine Corps” bug bounty program and took home a total of $150,000. The bugs were reported for the US Marine Corps Cyberspace Command team, during a three-week-long bug bounty program.
  • The DanaBot banking malware is back in action. A new campaign was discovered targeting victims in the US. The malware was first discovered in May 2018, when it was targeting victims in Australia. Since then, DanaBot has been updated several times and has also switched targets from Australia to Europe, and now to the US.
  • A previously unknown threat group called Gallmaker was brought to light by security experts. Gallmaker has been active since 2017 and was found targeting government, military and defense agencies across the globe. The hacker group uses living-off-the-land (LotL) tactics, employing publicly available hacking tools instead of malware in its operations.
  • A new phishing campaign delivering the URSNIF malware has been discovered. The cybercriminals behind the campaign used hijacked email accounts to send malware inserted within email responses that are part of ongoing conversations.
  • A new data reconnaissance campaign, named Oceansalt, targeting Korean-speaking users has now spread to the US and Canada. The threat actors involved in these campaigns are linked to the Chinese military. The campaign was found mainly targeting South Korea in the month of May, when five waves of attacks were launched against various organizations in the country.
  • Oracle has released a wide-ranging Critical Patch Update (CPU) to address a total of 301 CVE-listed vulnerabilities across its different enterprise products. The updates were released as the Q3 2018 (October) edition of its quarterly updates. Of the 301 vulnerabilities, 45 had a severity rating of 9.8 (on a scale of 10). One vulnerability also received the maximum severity rating score of 10.
  • A new Android malware dubbed TimpDoor was recently discovered and has already infected around 5,000 victims in the US. The Android malware has been active since March and could turn infected Android devices into mobile backdoors, which, in turn, could be leveraged by attackers to infiltrate home and corporate networks.
  • The Ramnit banking malware was found being distributed via a new malware downloader called sLoad. The new campaign has been targeting financial institutions across Italy, Canada and the UK. The downloader comes packed with sophisticated reconnaissance capabilities and has also been distributing other malware variants like Gootkit, Ursnif and more.
  • A new ransomware called CommonRansom has been discovered. Unlike other ransomware variants, CommonRansom not only demands a Bitcoin payment but also demands that victims provide remote desktop protocol (RDP) access.
  • A new DDoS-for-hire service called ‘0x-booter’ has been spotted in the wild, and has launched over 300 DDoS attacks in just two weeks. 0x-booter has been advertised as having over 500Gbps of bandwidth and 20,000 bots. The malicious service can launch DDoS attacks without direct contact between the user and the botmaster.