Cyware Monthly Threat Intelligence, December 2019

The Good
2019 was a busy year in cybersecurity, with a steady stream of new malware, vulnerabilities, and data breaches. For December, let's begin with the positive developments. Researchers demonstrated a new cryptographic method for perfect secrecy based on the one-time pad (Vernam cipher). The U.S. Congress passed the TRACED Act to curb robocall spam. And global law enforcement took down the network behind the notorious Imminent Monitor RAT (IM-RAT).

  • Researchers presented a new cryptographic method for perfect secrecy based on the one-time pad (Vernam cipher). The complex, time-varying, irreversible structures of silicon chips are used to derive the one-time key, which cannot be recreated or intercepted because it is never stored anywhere. The method is also compatible with existing optical communication infrastructure. As with any one-time pad, the secrecy guarantee holds only if the key material is truly random, at least as long as the message, and never reused.
  • Apple opened its bug bounty program to all security researchers, moving away from its invitation-only model. The company now accepts vulnerability reports for a much wider range of products, including iPadOS, macOS, tvOS, watchOS, and iCloud, and has raised its maximum reward from $200,000 to $1,500,000, depending on the complexity and severity of the exploit chain.
  • The U.S. Congress passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to fight spam robocalls. The bill provides for penalties of up to $10,000 per incident for robocallers who break the law and requires carriers to implement call authentication technology (the STIR/SHAKEN framework), which makes it easier for consumers to identify robocalls and avoid answering them.
  • Google announced that it will fund security work by the open-source community up front, rather than only rewarding patches after the fact, by expanding its Patch Rewards program. The money is meant to let maintainers bring in additional resources for security improvements to projects that Google's own products depend on. Support is available at two tiers: $5,000 for small projects and $30,000 for larger ones.
  • Global law enforcement authorities dismantled the infrastructure behind Imminent Monitor (IM-RAT), a notorious remote access trojan sold since 2012 and marketed as the fastest remote administration tool ever created thanks to supposedly novel socket technology. According to Europol, the tool had more than 14,500 buyers across 124 countries and was used to infect tens of thousands of victims.
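
As an added illustration of the one-time pad behind the first item above (example code written for this post, not the researchers' method or code): the cipher is just XOR with a key as long as the message, and its perfect secrecy rests entirely on the key being uniformly random and used once. The block shows correct encryption, what leaks when a pad is reused (the key cancels out and one known plaintext reveals the other), and that the cipher provides no integrity: an attacker who knows part of the plaintext can rewrite it in transit. The messages and key are constructed; `os.urandom` stands in for the chip-derived key.

```python
import os
from typing import Tuple


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR each byte with the next key byte. The key must be at
    least as long as the message, uniformly random, and never reused."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(ciphertext, key)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, like zip().
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 == p1 XOR p2: the key cancels.
    Knowing (or guessing) p1 then yields p2 with no key at all."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def malleate(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The OTP hides content but does not authenticate it. An attacker who knows
    that `old` sits at `offset` in the plaintext can replace it with `new` by
    XORing (old XOR new) into the ciphertext; the receiver decrypts `new`."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    out = bytearray(ciphertext)
    for i, d in enumerate(xor_bytes(old, new)):
        out[offset + i] ^= d
    return bytes(out)


def demo() -> Tuple[bool, bool]:
    """Constructed messages; os.urandom stands in for the chip-derived key.
    Returns (reuse_leak_worked, forgery_worked)."""
    p1 = b"wire 1000000 USD to account 4471"
    p2 = b"budget approved for Q1, see attached"
    key = os.urandom(64)                        # fresh, random, long enough for both
    c1 = otp_encrypt(p1, key)
    assert otp_decrypt(c1, key) == p1           # correct use: round-trips
    c2 = otp_encrypt(p2, key)                   # misuse: the same pad twice
    leak = two_time_pad_leak(c1, c2, p1)        # recovers p2 over c1's length
    leak_ok = leak == p2[:len(leak)]
    forged = malleate(c1, 5, b"1000000", b"9000000")   # "1000000" starts at byte 5
    forge_ok = otp_decrypt(forged, key) == b"wire 9000000 USD to account 4471"
    return leak_ok, forge_ok


if __name__ == "__main__":
    print("two-time pad leak succeeded: %s, ciphertext forgery succeeded: %s" % demo())
```

The second and third functions are the practical reason a one-time pad is almost never deployed on its own: key distribution aside, any real system still needs a message authentication code on top of it.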

The Bad
The month saw multiple data breaches and incidents affecting organizations around the world. Smart home device maker Wyze confirmed a server leak that exposed the details of about 2.4 million customers. Online music streaming service Mixcloud exposed more than 21 million user accounts, and the data was put up for sale on a dark web forum. And Chinese hackers diverted a $1 million wire transfer from a VC firm to a startup.

  • Smart home device maker Wyze Labs confirmed a data leak affecting about 2.4 million of its users. The cause was an unsecured Elasticsearch database, reachable from the internet without authentication, that was left exposed for more than three weeks, from December 4 to December 26. Wyze products include security cameras, smart plugs, smart lightbulbs, and smart door locks.
  • San Antonio's Center for Health Care Services (CHCS) and Roosevelt General Hospital (RGH) in New Mexico were forced to take their computer systems offline following malware attacks. RGH's infection began on November 14; the hospital asked patients to monitor their credit reports for signs of identity theft or fraud.
  • The operators of Maze ransomware publicly released 2 GB of the 32 GB of files they stole during their attack on the City of Pensacola. They had demanded a $1 million ransom to decrypt the locked files, and said they released the data to prove to the media that they had taken more than just a few files. This is the Maze pattern of stealing data before encrypting it, so that good backups alone do not neutralize the extortion.
  • A database containing the IDs, phone numbers, and names of more than 267 million Facebook users was left exposed online without a password or any other authentication. Researchers believe it was the product of an illegal scraping operation in which bots copied the data from Facebook. Because it ties phone numbers to named accounts, the data is well suited to targeted SMS spam and phishing.
  • A data breach exposed the personal data of nearly 6,000 students in Montgomery County, Maryland. What initially looked like an incident affecting 1,344 accounts at one school was later found to involve nearly 6,000 accounts across multiple schools and multiple intrusion attempts. The suspect reportedly used a brute-force attack.
  • Around 260 passengers were stranded after RavnAir canceled at least half a dozen flights in Alaska because of a cyberattack on its computer systems. The airline said operations would be slowed or disrupted for about a week because its IT network had to be shut down. RavnAir serves more than 100 Alaskan communities, many of which are not reachable by road.
  • A thief stole several unencrypted hard drives from a Facebook payroll employee's car, exposing data on tens of thousands of current and former Facebook employees. The company was also criticized for how long it took to disclose: the theft occurred on November 17, 2019. According to Bloomberg, the banking information of 29,000 U.S. Facebook employees was compromised. Full-disk encryption on portable drives would have made the stolen hardware useless to the thief.
  • Online music streaming service Mixcloud suffered a data breach exposing more than 21 million user accounts. The data was put up for sale on a dark web forum for $4,000 (about 0.5 bitcoin) and contained usernames, email addresses, and passwords that were salted and hashed with SHA-2. Salting defeats precomputed rainbow tables, but SHA-2 is a fast general-purpose hash rather than a deliberately slow password-hashing function, so weak passwords in such a dump can still be recovered by offline guessing.
  • The details of more than 15 million Iranian bank cards were published online, weeks after hundreds of bank branches were set on fire by demonstrators in November. The breach mostly affected Iran's three largest banks and touched close to one-fifth of the population; experts suspect a state-sponsored cyberattack and describe it as the largest financial breach in Iran's history.
  • Chinese hackers diverted a $1 million wire transfer from a Chinese VC firm to an Israeli startup. The funds were part of a multi-million dollar seed round for the startup. In a man-in-the-middle email attack, the attackers inserted themselves into the correspondence between the two parties, sending 18 emails to the VC firm and 14 to the startup before the compromised bank transfer went through.
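
The Montgomery County incident above was a brute-force attack, which is one of the easier things to catch in authentication logs if anyone is looking. The following detector (an added example written for this post, not code from the school district or any product) keeps a sliding window of failed logins per source address and raises two kinds of alert: a burst of failures from one source, and a successful login from a source that had just been failing, which is the signal that a guess actually landed. The log lines and their format are constructed for the example; `LINE_RE` is an assumption and must be adapted to the real log source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in an sshd/PAM-like format (not from any real system).
SAMPLE_LOG = """\
2019-12-02T08:00:01 auth: Failed password for student123 from 203.0.113.7
2019-12-02T08:00:03 auth: Failed password for student123 from 203.0.113.7
2019-12-02T08:00:04 auth: Failed password for student123 from 203.0.113.7
2019-12-02T08:00:06 auth: Failed password for student456 from 203.0.113.7
2019-12-02T08:00:09 auth: Failed password for student456 from 203.0.113.7
2019-12-02T08:00:12 auth: Accepted password for student456 from 203.0.113.7
2019-12-02T08:30:00 auth: Failed password for teacher1 from 198.51.100.9
2019-12-02T09:15:00 auth: Accepted password for teacher1 from 198.51.100.9
"""

# Assumed log format; adjust for the real source (e.g. Windows event 4625/4624).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

Event = Tuple[datetime, bool, str, str]  # (timestamp, success, user, source ip)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    return (datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
            m["user"], m["ip"])


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5),
                      success_min_fails: int = 3) -> List[Tuple]:
    """Sliding-window failure counter keyed by source address.

    Alerts produced:
      ("bruteforce_ip", ip, n)                 n >= threshold failures from ip inside window
      ("success_after_failures", user, ip, n)  a successful login from ip that had
                                               n >= success_min_fails recent failures
    One bruteforce_ip alert per source, raised when it first crosses the threshold.
    """
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, success, user, ip = ev
        q = fails[ip]
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if success:
            if len(q) >= success_min_fails:
                alerts.append(("success_after_failures", user, ip, len(q)))
        else:
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("bruteforce_ip", ip, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the single typo-then-success by teacher1 produces nothing, while the 203.0.113.7 burst produces both alerts. Keying only by source address misses password spraying (one account, many sources); a production rule would keep a second window keyed by account name.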

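On the Mixcloud item above, a short demonstration of why "salted SHA-2" is thin protection. The block below is an added example, not Mixcloud's code; the salt and word list are made up. It stores one password both as salted SHA-256 and as PBKDF2-HMAC-SHA256 and then runs the same offline dictionary attack against both records. The attack succeeds either way when the password is in the list; what the slow KDF buys is the cost per guess, which the function reports as a ratio.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed values for the example (not from any real breach).
SALT = bytes.fromhex("3f0c1a9e7b2d4c6e8f1a2b3c4d5e6f70")
WORDLIST = ["123456", "letmein", "qwerty", "mixcloud", "mixcloud2019", "correcthorse"]


def weak_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256. The salt defeats precomputed (rainbow) tables, but one
    SHA-256 is cheap, so each guess costs the attacker almost nothing."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def strong_hash(password: str, salt: bytes, iterations: int = 310_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the same primitive, iterated so each guess is slow.
    scrypt or Argon2 are the better modern choices; PBKDF2 is used here only
    because it ships in the Python standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(stored: bytes, candidate: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak.
    return hmac.compare_digest(stored, candidate)


def crack(target: bytes, salt: bytes, wordlist: Iterable[str],
          hash_fn: Callable[[str, bytes], bytes]) -> Tuple[Optional[str], int, float]:
    """Offline dictionary attack on one leaked record.
    Returns (recovered password or None, guesses tried, seconds spent)."""
    start = time.perf_counter()
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify(target, hash_fn(guess, salt)):
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def compare_cost(password: str = "mixcloud2019") -> Dict[str, object]:
    """Hash one password both ways and attack both records with the same list."""
    weak_rec = weak_hash(password, SALT)
    strong_rec = strong_hash(password, SALT)
    weak = crack(weak_rec, SALT, WORDLIST, weak_hash)
    strong = crack(strong_rec, SALT, WORDLIST, strong_hash)
    weak_t, strong_t = weak[2], strong[2]
    return {
        "weak": weak,
        "strong": strong,
        # per-guess slowdown the KDF imposes on the attacker
        "slowdown": (strong_t / weak_t) if weak_t > 0 else float("inf"),
    }


if __name__ == "__main__":
    result = compare_cost()
    for name in ("weak", "strong"):
        pw, n, secs = result[name]
        print(f"{name:6s}: recovered={pw!r} after {n} guesses in {secs:.4f}s")
    print(f"cost ratio strong/weak: {result['slowdown']:.0f}x")
```

The slowdown factor is what turns a leaked database from "cracked over a weekend" into "cracked only for the worst passwords"; it does nothing for a password that is itself in the attacker's list.
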
New Threats
The discovery of new security threats made several headlines this month. A critical flaw in Citrix Application Delivery Controller and Citrix Gateway (CVE-2019-19781) put the networks of about 80,000 companies at risk. At least 200 equipment manufacturers around the world fell victim to a malware campaign dubbed 'Gangnam Industrial Style'. And Facebook-owned WhatsApp fixed a severe bug that let a group member crash the messaging app for everyone else in the group.

  • A critical vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller and Citrix Gateway put about 80,000 companies in 158 countries at risk. The bug lets an unauthenticated attacker execute arbitrary code on the appliance. Citrix had not yet released a patch but published configuration mitigations (a responder policy blocking the affected request paths) to apply until the firmware fix arrives.
  • Researchers identified a phishing campaign targeting PayPal customers with emails disguised as 'unusual activity' alerts warning of suspicious logins. The emails claimed that account access had been limited and that the recipient had to confirm their identity to restore it. Clicking the link led to a fake PayPal login page that harvested the victim's credentials.
  • Security researchers disclosed three critical remote code execution vulnerabilities in Ruckus Wireless routers. The flaws, all in the web-based management interface, could let malicious hackers take control of the devices remotely. Ruckus fixed them in a new firmware release, and customers were advised to update their routers.
  • A vulnerability in the Twitter app for Android could have let attackers obtain sensitive information or take control of accounts. In a separate report, a security researcher said he matched 17 million phone numbers to Twitter accounts by abusing the contacts upload feature of the Android app, covering users in Israel, Turkey, Iran, Greece, Armenia, France, and Germany, until Twitter blocked his efforts.
  • Intel CPUs were found to have a critical flaw called 'Plundervolt' (CVE-2019-11157) that breaks the integrity guarantees of Software Guard Extensions (SGX). The attack abuses the CPUs' existing dynamic voltage scaling feature, which software can drive through a Model Specific Register (MSR): undervolting the core while an enclave is computing induces faults in its computation, and an attacker can use those faults to extract sensitive data, including full RSA keys, from the enclave. Intel's response is a microcode update and a BIOS option that locks the voltage interface.
  • The Emotet gang switched to Christmas-themed emails to infect users. The messages pose as Christmas party invitations with subjects like 'Christmas Party next week' or 'Christmas party' and ask the recipient to open an attached Word document named something like 'Christmas party.doc' or 'Party menu.doc'. Once opened, the document's embedded macros download and install the trojan on Windows; blocking macros in documents received from the internet breaks this chain.
  • At least 200 critical infrastructure equipment manufacturers around the world fell victim to a malware campaign dubbed 'Gangnam Industrial Style'. The APT group behind it used industry-themed spear-phishing emails and a combination of free tools to steal confidential information through a new variant of the Separ malware. Sixty percent of the affected companies were in South Korea.
  • WhatsApp fixed a severe bug that could let a malicious group member crash the app for every member of the group. The attacker triggers it by sending a specially crafted message to the targeted group; the issue lay in WhatsApp's handling of XMPP messages, the protocol the app uses for instant messaging. Affected users had to reinstall the app and delete the group to recover.
  • At least 47 million children's smart tracker watches were found to have multiple vulnerabilities that let attackers retrieve or change the wearer's real-time GPS position or steal audio recordings. The biggest flaw lay in a common shared cloud platform that powers millions of cellular-enabled smartwatches. The researchers said this is only the tip of the iceberg.


Posted on: January 02, 2020
