Cyware Monthly Threat Intelligence, June 2019

The Good

As we gear up for a new month of 2019, let’s quickly glance through all that happened over the past month. Before we get into the cybersecurity incidents and the new threats, let’s first acknowledge the positive developments of June.

Google announced that it is expanding Android’s security key technology to iOS devices. SK Telecom developed a new technology that allows quantum cryptography keys to be switched and routed between networks. Meanwhile, Microsoft announced a new feature called ‘OneDrive Personal Vault’ that adds a security layer to protect sensitive files.

  • Apple unveiled a new ‘Find My’ app, available on its Mac and iOS platforms. The new app merges the ‘Find My Friends’ and ‘Find My iPhone’ apps. Its purpose is to help users locate lost macOS and iOS devices even when those devices are not connected to Wi-Fi or a cellular network; it accomplishes this by relaying the lost device’s location through nearby Bluetooth-enabled Apple devices.
  • Google announced that it is expanding Android’s security key technology to iOS devices. This implies that iPhone and iPad users could use Android smartphones as a security key while logging into their Google accounts on an iOS device. For this to work, users should have Bluetooth enabled on both their iOS and Android devices.
  • Instagram is testing a new in-app account recovery process to help its users recover their accounts in the event of hacks. This recovery process method would help users recover their accounts even if the hacker changed the user name and contact details.
  • The Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61 announced that its researchers have developed a technique dubbed ‘Vaccination’ to protect AI and machine learning models from adversarial attacks. The kinds of machine learning models being protected are already used in production to identify spam emails, diagnose diseases from X-rays, and predict crop yields.
  • SK Telecom announced that it has developed a new technology that allows quantum cryptography keys to be switched and routed between networks. The technology lets a key transfer fail over to another network when the network in use goes down, and lets the transfer be routed when multiple networks are connected.
  • Microsoft announced a new security layer for protecting sensitive files with its new feature ‘OneDrive Personal Vault’. The feature is a protected area in OneDrive that can be accessed only through the Microsoft Authenticator app or a second step of identity verification, such as a fingerprint, face recognition, a PIN, or an authentication code. It is supported on the web, Android, iOS, and Windows 10.
  • Financial services company Moody’s Corporation collaborated with cybersecurity think-tank Team8 to develop a framework for measuring businesses’ defenses and preparedness against cyber attacks. The framework is intended to help companies assess cyber risk during mergers and acquisitions and when purchasing cyber insurance policies.

The Bad
 
June witnessed numerous data breaches and cyber attacks that exposed the personal information of millions of people across the globe. A cybersecurity firm revealed that a Chinese threat group had been attacking telecommunication companies across 30 countries since 2017. In another instance, the Chinese cyber-espionage campaign ‘Cloud Hopper’ was found to have compromised at least eight technology services companies. Meanwhile, the US Customs and Border Protection agency disclosed that photos of travelers and license plates had been compromised in a cyber attack on one of its contractors.

  • The web payment page breach at American Medical Collection Agency (AMCA) has impacted millions of patients of Quest Diagnostics, Laboratory Corporation of America Holdings (LabCorp), and OPKO Health Inc. Quest Diagnostics reported that the personal and financial information of nearly 11.9 million patients was compromised, LabCorp disclosed that 7.7 million customers were affected, and OPKO Health reported around 422,600 affected patients.
  • Private details of almost 100,000 Australian bank customers were exposed in an attack on Westpac’s PayID lookup service. An investigation revealed that the attack had begun on April 7, 2019. The bank confirmed that no financial information was compromised.
  • A security lapse at IT distributor Tech Data exposed customer and billing data through an unprotected database. The database contained a swath of customer personal data and records related to payment cards. Tech Data secured the database after being notified by a research team from vpnMentor.
  • The Australian National University confirmed that around 200,000 people were impacted by a data breach that took place in late 2018. The unauthorized party accessed a significant amount of personal data relating to staff, students, and visitors, with records going back as far as 19 years.
  • An unprotected Elasticsearch database belonging to FMC Consulting exposed millions of resumes and company records. The leaky database contained 884,178 internal emails, 5,392,816 company records, 110,000 customer records, and 73,000 client messages. Upon being notified, CNCERT/CC immediately had the unsecured database taken down.
  • ASCO, one of the largest aircraft parts manufacturers, suffered a ransomware attack that crippled production in factories across four countries: Belgium, Germany, Canada, and the United States. ASCO’s factory in Zaventem, Belgium was hit hardest, with major downtime as most of the plant’s IT systems were infected. As a result, almost 1,000 of its 1,400 workers were sent home.
  • A Distributed Denial of Service (DDoS) attack on the Telegram messenger caused service outages and connection problems for users primarily in South and North America, as well as in other parts of the world. A botnet of compromised computers flooded Telegram’s servers with traffic, and the resulting overload left connections unstable. Telegram said the traffic originated mostly from China, and the attack coincided with the Hong Kong protests.
  • E-invitations platform Evite admitted that it suffered a data breach in February. The stolen user data was put up for sale on the Dream Market marketplace by the infamous hacker ‘Gnosticplayers’. Evite later provided additional details, revealing that an unauthorized third party gained access to an inactive data storage file containing Evite user accounts created prior to 2013.
  • The retro gaming site ‘Emuparadise’ suffered a data breach in April 2018 that exposed the account details of almost 1.1 million Emuparadise forum members. The exposed account information included members’ email addresses, IP addresses, usernames, and passwords stored as salted MD5 hashes, a fast hash that offers little resistance to offline cracking.
  • The US Customs and Border Protection agency (CBP) disclosed that photos of travelers and license plates had been compromised in a cyber attack on one of its contractors. CBP said the contractor transferred copies of license plate images and traveler photos collected by CBP to the company’s own network, which was later compromised by an attacker. The agency did not name the contractor, but the public statement it sent to the Washington Post carried the title “CBP Perceptics Public Statement”, indicating that the contractor was Perceptics.
  • Desjardins, the largest federation of credit unions in North America, suffered a security breach after a rogue employee stole the data of 2.9 million customers and disclosed it to individuals outside Desjardins without authorization. The leak impacted almost 2.7 million individual members and 173,000 business customers. The financial institution fired the employee responsible.
  • Mermaids UK disclosed that it had inadvertently published part of its email database on the internet between 2016 and 2017, amounting to 1,000 pages of confidential emails. The exposed emails included the private details of transgender children and young people.
  • A cybersecurity firm revealed that a Chinese threat group had been attacking telecommunication companies across 30 countries since 2017. The tools used in the attacks are linked to the APT10 threat group. The attackers sought call detail records (CDRs) such as call logs and cell tower locations, and attempted to compromise critical assets of the telecom companies.
  • A hacker stole 9.3 million Ripple (XRP) coins worth $4.25 million and 2.5 million Cardano (ADA) coins worth $225,000 from the Bitrue cryptocurrency exchange. Bitrue administrators detected the hack and immediately suspended trading on the platform. The exchange also worked with Huobi Global, Bittrex, and ChangeNOW to freeze the affected funds and accounts.
  • The city of Lake City, Florida, which suffered a ‘Triple Threat’ ransomware attack on June 10, 2019, paid the attackers 42 bitcoins worth nearly $500,000 to recover its encrypted files. The city’s insurance provider made the payment on June 25, 2019, after which the attackers provided the decryption key.
  • Taiwan’s Ministry of Civil Service (MOCS) suffered a data breach that compromised the personal information of 243,376 civil servants, including both local and central government officers. The compromised information included names, national identification card numbers, job designations, and the agencies the civil servants work for.
  • The ‘human hacking’ forum Social Engineered was breached and its user data published on a rival website. The data includes 89,000 unique email addresses linked to 55,000 forum accounts, along with usernames, IP addresses, and passwords. The breach was attributed to a security hole in the open-source MyBB forum software.
  • Unprotected Amazon Web Services storage belonging to data-management firm Attunity exposed the company’s passwords and network information. The exposed storage also held sensitive information on some of its high-profile customers, including Ford Motor Company and the Toronto-Dominion Bank.
  • The Chinese global hacking campaign ‘Cloud Hopper’ compromised at least eight technology services companies. The impacted companies include Ericsson, Hewlett Packard Enterprise, IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology.
  • Attackers stole administrative credentials from cloud solutions provider PCM that were used to manage client accounts within Office 365. A security expert at a PCM customer said the attackers’ primary motive appeared to be stealing client information that could be used to conduct gift card fraud at various retailers and financial institutions.
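The Emuparadise entry above is a reminder that salted MD5 is a fast hash: a salt defeats precomputed tables but does nothing about the billions of guesses per second a GPU can make against each leaked hash. The usual fix for a site that still carries such records is to verify the legacy hash on login and immediately rehash with a slow, iterated KDF. The following is an added example of that rehash-on-login pattern, written for this article rather than taken from Emuparadise or any project named on the page; the record formats (`md5$salt$digest` and `pbkdf2_sha256$iterations$salt$hash`) and the iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Iteration count for the upgraded scheme; an assumption for this example, tune to your CPU budget.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_hash(password, salt):
    """Assumed legacy scheme: hex MD5 over salt || password (fast, so cheap to brute-force)."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_legacy_record(password):
    """Build a record in the assumed legacy format 'md5$<hex salt>$<hex digest>'."""
    salt = os.urandom(8)
    return "md5$%s$%s" % (salt.hex(), legacy_md5_hash(password, salt))


def make_pbkdf2_record(password, iterations=PBKDF2_ITERATIONS):
    """Build a record in the assumed upgraded format 'pbkdf2_sha256$<iters>$<b64 salt>$<b64 hash>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify(record, password):
    """Check a password against either record format, using constant-time comparison."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        salt_hex, digest = rest.split("$")
        computed = legacy_md5_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(computed, digest)
    if scheme == "pbkdf2_sha256":
        iters, salt_b64, dk_b64 = rest.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
        )
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    raise ValueError("unknown password record scheme: %r" % scheme)


def login(record, password):
    """Return (ok, record_to_store).

    On a successful login against a legacy MD5 record, the plaintext password is in hand,
    so this is the one moment the record can be upgraded without asking the user to reset.
    """
    if not verify(record, password):
        return False, record
    if record.startswith("md5$"):
        return True, make_pbkdf2_record(password)
    return True, record


if __name__ == "__main__":
    old = make_legacy_record("correct horse battery staple")
    ok, new = login(old, "correct horse battery staple")
    print(ok, new.split("$")[0])  # True pbkdf2_sha256
```

Records that never log in again stay MD5, so after a migration window expire them (force a reset) rather than leaving the fast hashes in the table indefinitely.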

New Threats

Several new malware families, ransomware variants, vulnerabilities, and threat group campaigns emerged over the past month. Researchers spotted a new variant of DanaBot that comes with a ransomware module. A new Mirai variant that uses 18 exploits to target IoT devices was spotted in the wild. Meanwhile, a critical vulnerability was uncovered in the Outlook for Android app that affected over 100 million users.

  • A newly discovered botnet, GoldBrute, had compiled a list of over 1.5 million unique Windows systems with RDP exposed to the internet. The attack begins by brute-forcing RDP credentials; if a guess succeeds, a ZIP file containing the GoldBrute malware code is downloaded onto the system, which then joins the botnet and scans and brute-forces further hosts.
  • Researchers spotted a new malware dubbed ‘Silex’, a bot designed to brick IoT devices. It corrupts the device’s storage, deletes the network configuration, drops firewall rules, and halts the device. According to ZDNet, around 2,000 devices had been rendered inoperable within an hour of the malware’s discovery.
  • Researchers spotted a new Android malware dubbed ‘GolfSpy’ that steals system information from an infected device. It can also list, delete, and rename files, take screenshots, record audio and video, and update itself.
  • Android apps carrying the BeiTaPlugin adware were installed over 440 million times. The adware was distributed through 238 unique applications on Google Play. It forcibly displays ads on the user’s screen even when the phone is locked, and triggers unwanted video and audio advertisements on victims’ phones.
  • Researchers have uncovered a new Mirai variant that uses 18 exploits to target IoT devices: eight new exploits on top of the 10 already known. It can target devices ranging from wireless presentation systems to set-top boxes, SD-WAN appliances, and smart home controllers, and it includes an exploit for an Oracle WebLogic Server remote code execution vulnerability.
  • The FIN8 threat group is back with a new variant of the ShellTea/PunchBuggy backdoor targeting the hospitality industry. ShellTea can create and execute files, write data or shellcode received from its C&C server to disk or memory, and execute that shellcode. The malware resolves the Windows API functions it needs by hash rather than by name to evade detection by antivirus tools.
  • Twitter URLs can be abused for a range of nefarious activities, including distributing malware, spreading fake news, and redirecting users to phishing pages. A tweet URL has the form twitter.com/<username>/status/<status ID>, but only the status ID is used to resolve the tweet: an attacker can put a trusted account’s username in the URL while using the status ID of a tweet from an account they control. Users who click the link believing it comes from the trusted source are shown the attacker’s content.
  • Researchers have uncovered a cryptojacking campaign in which attackers used leaked NSA exploits, EternalBlue and EternalChampion, to compromise business computers across the globe. The attackers target unpatched Windows machines and install XMRig Monero miners on them.
  • Researchers spotted a new variant of Ryuk ransomware that checks the victim’s IP address against a blacklist and skips encryption on a match. The comparison is made against the partial address strings 10.30.4, 10.30.5, 10.30.6, and 10.31.32, so any address beginning with those octets matches. The variant also compares the computer name against the strings ‘SPB’, ‘spb’, ‘MSK’, ‘Msk’, and ‘msk’, presumably as a further exclusion list.
  • A cybersecurity firm, together with Europol, DIICOT, the FBI, and the Metropolitan Police, released a free decryption tool for the infamous GandCrab ransomware. The tool was released shortly after the ransomware’s developers announced their plan to retire. It covers GandCrab versions 1, 4, and 5.0 through 5.2.
  • Researchers spotted a new variant of DanaBot that comes with a ransomware module. The updated variant also includes new plugins, configuration files, string encryption, file name generation algorithms, and a different C&C communication protocol.
  • A critical vulnerability in the Outlook for Android app affects more than 100 million users. The flaw is a spoofing vulnerability, caused by an email parsing issue, that could allow attackers to conduct cross-site scripting (XSS) attacks on devices with the app installed. It affects versions of Outlook for Android prior to 3.0.88.
  • Researchers have uncovered a new Mirai variant dubbed Echobot that uses a total of 26 exploits to target IoT devices. Its targets include network-attached storage (NAS) devices, routers, network video recorders (NVRs), IP cameras, IP phones, and wireless presentation systems.
  • Researchers observed multiple malspam campaigns distributing the LokiBot and NanoCore trojans. The emails are disguised as invoices and carry an ISO disk image attachment which, when opened, drops LokiBot and NanoCore on the victim’s system.
  • Several vulnerabilities were detected in Electronic Arts’ Origin platform that exposed 300 million gamers to account takeover attacks by abusing authentication tokens and related trust mechanisms. EA has since fixed the vulnerabilities.
  • Sodinokibi ransomware, also known as REvil, is now being distributed through malvertising that leads to the RIG exploit kit, marking its first use of exploit kits to infect victims. The malvertising campaigns that delivered Sodinokibi ran on the PopCash ad network.
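GoldBrute’s foothold is a plain RDP password guess, which means its first stage is visible in the Windows Security log as a burst of failed logons (event 4625) from one source, often followed by a success (event 4624). Below is an added example of that detection logic, written for this article and not taken from any vendor or project named on the page. It runs over a few constructed log lines in a simplified pipe-separated export format; the format, the threshold, and the window are assumptions for the example, and a real deployment would read the fields from the event log or a SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp | EventID | LogonType | TargetUser | SourceIP".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
# The first source sprays six accounts in 20 seconds and then lands on "admin"; the second
# is a user who mistyped once, waited, and logged in normally.
SAMPLE_EVENTS = """\
2019-06-06T10:00:01 | 4625 | 10 | administrator | 203.0.113.10
2019-06-06T10:00:04 | 4625 | 10 | admin | 203.0.113.10
2019-06-06T10:00:07 | 4625 | 10 | user | 203.0.113.10
2019-06-06T10:00:11 | 4625 | 10 | guest | 203.0.113.10
2019-06-06T10:00:15 | 4625 | 10 | backup | 203.0.113.10
2019-06-06T10:00:19 | 4625 | 10 | admin | 203.0.113.10
2019-06-06T10:00:40 | 4624 | 10 | admin | 203.0.113.10
2019-06-06T10:01:30 | 4625 | 10 | alice | 198.51.100.7
2019-06-06T10:09:45 | 4625 | 10 | alice | 198.51.100.7
2019-06-06T10:09:50 | 4624 | 10 | alice | 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<event>\d{4}) \| (?P<ltype>\d+) \| (?P<user>\S+) \| (?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the assumed export format into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1), rdp_types=(10,)):
    """Flag sources with >= threshold RDP logon failures inside a sliding window.

    Returns {source_ip: {"failures": peak count in window, "users": set of targeted
    accounts, "succeeded_as": account name if a 4624 followed the burst, else None}}.
    """
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for e in events:
        if e["ltype"] not in rdp_types:
            continue
        ip = e["ip"]
        if e["event"] == 4625:
            cutoff = e["ts"] - window
            recent[ip] = [(t, u) for (t, u) in recent[ip] if t >= cutoff]
            recent[ip].append((e["ts"], e["user"]))
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "succeeded_as": None})
                a["failures"] = max(a["failures"], len(recent[ip]))
                a["users"].update(u for _, u in recent[ip])
        elif e["event"] == 4624 and ip in alerts:
            # A success after a flagged burst is the guess landing: escalate, don't just log.
            alerts[ip]["succeeded_as"] = e["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, a["failures"], sorted(a["users"]), a["succeeded_as"])
```

One caveat before reusing this: with Network Level Authentication enabled, a failed RDP attempt is rejected at the CredSSP stage and is logged with logon type 3 (network), not 10, so on NLA-protected hosts pass `rdp_types=(3, 10)` and accept that type 3 also covers SMB and other network logons.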
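The Ryuk entry above matters to responders because the exclusion list is a string comparison, not a network check, and its scope is wider than the four strings suggest. The following is an added example, written for this article and not code from the Ryuk analysis or any project on the page, that models the checks as a prefix compare on the dotted IP string and a substring compare on the computer name (both modelling assumptions, since the page only says the strings are searched) and enumerates which /24 networks each fragment actually covers.

```python
import ipaddress

# Strings reported for the variant on the page.
IP_BLACKLIST_FRAGMENTS = ("10.30.4", "10.30.5", "10.30.6", "10.31.32")
NAME_FRAGMENTS = ("SPB", "spb", "MSK", "Msk", "msk")


def ip_matches_fragment(ip, fragments=IP_BLACKLIST_FRAGMENTS):
    """Assumed prefix compare on the dotted string: '10.30.4' also matches 10.30.40.x .. 10.30.49.x."""
    return any(ip.startswith(f) for f in fragments)


def hostname_matches_fragment(name, fragments=NAME_FRAGMENTS):
    """Assumed case-sensitive substring compare; note 'Spb' is not in the reported list."""
    return any(f in name for f in fragments)


def would_skip_encryption(ip, hostname):
    """True if this modelled variant would leave the host alone, with the reason."""
    if ip_matches_fragment(ip):
        return True, "ip fragment"
    if hostname_matches_fragment(hostname):
        return True, "hostname fragment"
    return False, None


def networks_excluded_by_fragment(fragment):
    """Every /24 whose dotted form starts with a three-component fragment like '10.30.4'."""
    a, b, partial_c = fragment.split(".")
    nets = []
    for c in range(256):
        if str(c).startswith(partial_c):
            nets.append(ipaddress.ip_network("%s.%s.%d.0/24" % (a, b, c)))
    return nets


def total_excluded_networks(fragments=IP_BLACKLIST_FRAGMENTS):
    return sum(len(networks_excluded_by_fragment(f)) for f in fragments)


if __name__ == "__main__":
    for f in IP_BLACKLIST_FRAGMENTS:
        nets = networks_excluded_by_fragment(f)
        print(f, "->", len(nets), "networks, e.g.", nets[0], "..", nets[-1])
    print("total /24s excluded:", total_excluded_networks())  # 34, not 4
    print(would_skip_encryption("10.30.41.7", "WS-001"))        # (True, 'ip fragment')
```

Do not read this as a defence (renaming hosts or renumbering to dodge a sample’s list is fragile and the strings change between builds); its use is in scoping an incident, where unencrypted hosts on those ranges are explained by the exclusion rather than by a failed deployment, and in checking that a detection written around these strings does not assume exact-octet matching.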

