
Cyware Monthly Threat Intelligence, July 2019

The Good

As July comes to an end, let’s quickly recap all that happened in the cybersecurity world this month. July witnessed several cybersecurity advancements, security incidents, and the emergence of new threats. To begin with, let’s first glance through all the good that has happened in cyberspace. The National Security Agency (NSA) plans to establish a new cybersecurity division that will help defend the US against foreign cyber-threats. The U.S. government announced plans to implement new DNS security measures for all .gov domains. Meanwhile, Samsung Electronics, South Korean telcos, and banks formed a consortium to build a blockchain network to deploy mobile authentication services.

  • The U.S. government announced plans to implement new DNS security measures for all .gov domains to mitigate risks associated with future DNS hijacking attacks. This new initiative was prompted by a global DNS hijacking campaign alert issued by the National Cybersecurity and Communications Integration Center (NCCIC).
  • The National Security Agency (NSA) plans to establish a new cybersecurity division named ‘Cybersecurity Directorate’ that will help the US defend against foreign cyber-threats. This new division will enable organizations to share information with their customers so they are equipped to defend against cyber threats. The directorate will become operational on October 01, 2019.
  • Toyota released an open-source testing tool named ‘PASTA’ (Portable Automotive Security Testbed) that tests a car’s vulnerability to hacking. This testing tool can be used by car manufacturers for their own research and development. PASTA is designed to simulate attacks and test for vulnerabilities and exploits, but not for hacking the vehicle while it is moving.
  • Fujitsu Laboratories announced the development of a digital identity exchange technology that uses blockchain to enhance trust while validating a user. This technology enables individual users and service businesses involved in online transactions to confirm the identity of the other parties. The technology is based on the Decentralized Identification (DID) system.
  • Samsung Electronics, South Korean telcos, and banks formed a consortium to build a blockchain network to deploy mobile authentication services. The members of the consortium are SK Telecom, KT, LG Uplus, KEB Hana Bank, and Woori Bank.

The Bad

This month witnessed numerous data breaches and cyber attacks that saw the exposure of millions of people's personal information across the globe. Capital One suffered a massive data breach exposing the personal and credit card information of almost 106 million US and Canadian customers. Meanwhile, Magecart attackers were spotted in two different massive attack campaigns. First was the large-scale campaign that breached almost 962 e-commerce stores in just 24 hours. The second campaign witnessed Magecart attackers injecting card skimmer code on over 17,000 websites through misconfigured Amazon S3 buckets.
  • Capital One suffered a major data breach after a hacker exploited a configuration vulnerability in the web application firewall. This exposed the personal and credit card information of almost 100 million people in the United States and around 6 million people in Canada. The exposed information includes personal information, credit card data, transaction data, Social Security numbers, linked bank account numbers, and Social Insurance numbers of consumers and small businesses who applied for credit card products between 2005 and 2019.
  • Attackers hacked 7-Eleven Japan’s 7pay customer accounts and made illegal charges on almost 900 customer accounts, incurring a collective loss of ¥55 million ($510,000). The incident was caused by a security lapse in the design of the company's mobile payment app 7pay, which was launched on July 1, 2019.
  • The Administrative Office of Courts in the state of Georgia was hit by a ransomware attack that resulted in its servers being taken offline. The court agency also had its website shut down due to the attack. However, websites for Georgia Supreme Court and court clerks remained operational.
  • An unprotected MongoDB database exposed almost 188 million records of personal data sourced from Pipl and LexisNexis. Almost 800,000 records originated from LexisNexis which included names, addresses, gender, parental status, a short biography, family members, redacted emails, and information about the individual’s neighbors including full names, dates of birth, reputation scores, and addresses.
  • Attackers breached the Internet Domain Registry of ICS-Forth, impacting several .gr and .el domain owners whose domain names were stored in the compromised registry. Researchers identified that a hacker group known as Sea Turtle was responsible for the attack against ICS-Forth.
  • Magecart attackers injected card skimming code on over 17,000 domains with malicious JavaScript files through misconfigured Amazon S3 buckets. Some of the affected websites are also listed in Alexa’s top 2,000 rankings. Researchers suggest that the threat actors behind this campaign scanned for misconfigured Amazon S3 buckets as well as the JavaScript files they hosted. After finding these files, they downloaded them and appended the card-skimming code.
  • A large-scale Magecart campaign breached almost 962 e-commerce stores in a span of 24 hours, stealing customers’ payment card details including full credit card data, names, phone numbers, and addresses. The attackers inserted a customized JavaScript snippet on e-commerce sites, essentially inserting a fake credit card payment section.
  • The GitHub account of Canonical, the company behind Ubuntu, was compromised by hackers, who created 11 new GitHub repositories in the official Canonical account. However, the organization confirmed that there was no evidence that any source code or sensitive information was impacted.
  • Hackers stole almost 110 databases containing the private data of millions of Bulgarians from the NRA network and leaked 57 databases to local news publications via emails containing download links. The leaked information contained personal identification numbers (PINs), names, home addresses and financial earnings of Bulgarians. Most of the information available in the databases dated back as far as 2007.
  • An international investigation revealed that the Chinese authorities are installing surveillance apps on the phones of some visitors at border crossings in the Xinjiang region as part of the government's mass surveillance program. The malicious surveillance app installed on visitors’ phones can extract emails, text messages, phone logs, contact information, calendar entries, and device information. The app can also scan the device for over 70,000 different files.
  • A database dump added to the Have I Been Pwned website contained data of almost 101 million Evite users who had their information exposed in a data breach earlier this year. At that time, it was believed that approximately 10 million users had their information exposed; however, the number of exposed users turned out to be much larger.
  • Hackers gained unauthorized access to Sprint customer accounts using their account credentials via a Samsung website. The compromised information includes customers’ names, phone numbers, billing addresses, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.
  • An unsecured database belonging to YouHodler exposed over 86 million records of user data including names, dates of birth, email addresses, addresses, phone numbers, passport numbers, passwords, credit card numbers, CVV numbers, bank details, and crypto wallet addresses. YouHodler acknowledged the data leak and secured the database by restricting public access.
  • Security researchers from Data Group discovered an unprotected server containing 250GB of data which was publicly accessible without any authentication. The unsecured server contained sensitive information of clients of various local banks. Even though the server is linked to more than one bank, a majority of the exposed details were related to a local bank named Banco Pan.
  • A Chinese cyberespionage group targeted several German firms including BASF, Siemens, and Henkel with Winnti malware. Apart from these German firms, Roche, Marriott, Lion Air, Sumitomo Corporation, and Shin-Etsu Chemical were also targeted by the group.
  • A hacker group named ‘0v1ru$’ breached SyTech, a contractor for the Russian Federal Security Service (FSB) and stole information about internal projects. The contractor had worked for FSB unit 71330 and with fellow contractor Quantum since 2009. The projects include Nautilus, Nautilus-S, Reward, Mentor, Hope, and Tax-3.
  • LaPorte County in Indiana suffered a malware attack that disabled the county’s computer systems and email services. The county reported the matter to the FBI and informed other law enforcement agencies about the attack. It is working with security experts to respond to the attack. The experts will also coordinate with the county to repair the affected systems and improve security to prevent such infections in the future.
  • A misconfigured Elasticsearch cluster owned by the Public Security Department of Jiangsu Province, China, leaked two databases containing over 90 million citizen and business records. The leaky databases contained 58,364,777 public records and 33,708,010 business records. Public information includes names, dates of birth, genders, identity card numbers, location coordinates, as well as city information. The business records included business IDs, business types, location coordinates, city_open_id, and memos designed to track the owner of the business.
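The Magecart campaign above depended on S3 buckets that let anyone overwrite the JavaScript they served. The following added example (not code from the Cyware post or from any of the vendors named in it) checks the two places such access is granted, the bucket policy and the bucket ACL, against constructed sample documents shaped like the AWS API output; it is a pure-Python check with no AWS calls.

```python
import json

# Actions that let an anonymous principal add or replace objects (compared lower-cased).
WRITE_ACTIONS = {"s3:putobject", "s3:put*", "s3:*", "*"}
# ACL permissions that allow writes; AllUsers is the anonymous (unauthenticated) group.
ACL_WRITE_PERMS = {"WRITE", "FULL_CONTROL"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Matches Principal "*" as well as {"AWS": "*"} or {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def policy_public_write(policy_json):
    """Return the Sids of Allow statements that grant anonymous object writes."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # A Condition block may narrow the grant; those statements are still reported for review.
        if actions & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

def acl_public_write(acl):
    """True if the bucket ACL grants WRITE or FULL_CONTROL to the AllUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS_URI
                and grant.get("Permission") in ACL_WRITE_PERMS):
            return True
    return False

# Constructed sample policy: intended public read, plus an unintended public PutObject.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"}]})
# Constructed sample ACL in the shape of the get-bucket-acl API output.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
                          "Permission": "WRITE"}]}

if __name__ == "__main__":
    print(policy_public_write(SAMPLE_POLICY), acl_public_write(SAMPLE_ACL))
```

In a real inventory the policy and ACL would come from the get-bucket-policy and get-bucket-acl API responses for each bucket; any finding here means an unauthenticated party can replace the files the bucket serves.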

New Threats

Several new malware, ransomware, vulnerabilities, and threat groups emerged this month. Trickbot trojan added a custom proxy module from IcedID. A malspam campaign that delivers Astaroth malware through fileless execution was spotted in the wild. Meanwhile, WhatsApp and Telegram were found to be impacted by a new flaw named ‘Media File Jacking’.
  • The Trickbot trojan was found deploying a custom proxy module from Bokbot, also known as IcedID. This module is derived from IcedID’s code for web injection attacks. This new Trickbot module is dropped separately as “shadnewDll” and comes with its own configuration file. This module acts as a local proxy server between the client and the online banking service and can include a fake template for the bank requested by the user in order to steal sensitive information.
  • Researchers uncovered a string of malware campaigns that leveraged the ‘Heaven’s Gate’ technique for evasion. The technique allowed malware developed in 32-bit to hide API calls in 64-bit machines. According to the researchers, one of the campaigns distributed the HawkEye Reborn keylogger. Other campaigns mainly distributed Remcos, Agent Tesla, or cryptocurrency mining trojans.
  • US Cyber Command issued an alert on Twitter about the exploitation of a known vulnerability in Microsoft Outlook. Tracked as CVE-2017-11774, the vulnerability is being exploited by threat actors to deploy malware on government networks. The vulnerability was patched in the October 2017 Patch Tuesday updates.
  • New research revealed that WhatsApp and Telegram are impacted by a new flaw named ‘Media File Jacking’. The vulnerability arises from how media files are stored on these messaging apps. It could allow attackers to manipulate and expose WhatsApp and Telegram media files.
  • WannaLocker, a mobile derivative of WannaCry ransomware has been enhanced with spyware, RAT, and banking trojan capabilities. Cybercriminals have been found using this all-in-one malware to target Brazilian banks and their customers.
  • A new campaign that delivers Astaroth malware through fileless execution was spotted by Microsoft Defender ATP team. It was found that the campaign ran Astaroth directly in memory. The attackers relied on spear-phishing to spread this malware. Furthermore, they leveraged the Windows Management Instrumentation Command-line (WMIC) tool to run scripts for fileless execution.
  • The Anubis banking trojan, which targets Android mobile users, was back in a new campaign. Researchers detected two servers containing 17,490 samples of the Anubis trojan. These samples of Anubis are detected as AndroidOS_AnubisDropper. The two samples of the Anubis trojan are labeled as ‘Operatör Güncellemesi’ and ‘Google Services’.
  • Researchers uncovered a new malspam campaign that delivers Dridex banking trojan and RMS RAT via malicious Microsoft Word document attachments. The phishing emails included malicious ZIP archives containing XLS (Microsoft Excel) documents disguised as fake eFax messages. The malicious documents were embedded with a macro which is designed to download and launch the Dridex trojan and RMS RAT. Upon execution, the Dridex trojan collects credentials from the web browsers and the RMS RAT manages the infected systems.
  • Turla APT group was spotted using a new malware dubbed ‘Topinambour’ in its recent campaign. Topinambour uploads and executes malicious files on compromised machines, along with fingerprinting them. The APT group used installers of legitimate software such as Softether VPN, psiphon3, or Microsoft Office ‘activators’ to spread Topinambour.
  • The developers of GandCrab are believed to be behind the Sodinokibi ransomware. In May, the group had announced their retirement from using GandCrab RaaS. On the other hand, the FBI released a master decryption key to unlock files encrypted by any versions (from 4 to 5.2) of GandCrab.
  • Researchers uncovered a vulnerability in the Facebook-owned social networking app Instagram. The vulnerability resided in the ‘password recovery’ feature of the mobile version of Instagram. It could allow attackers to reset the passwords for any Instagram account and take complete control of it.
  • Researchers analyzed a sample of the MegaCortex ransomware that targets enterprises. The attackers behind the ransomware operated by accessing a target network and then compromising the Windows domain controller. After encrypting compromised workstations, the ransomware demands a ransom that ranges from 2-3 bitcoins to 600 BTC.


Posted on: August 01, 2019