Go to listing page

Cyware Monthly Threat Intelligence, November 2019

Cyware Monthly Threat Intelligence, November 2019

Share Blog Post

The Good

November just rolled by and it’s time to recollect the cybersecurity happenings of the past month. To begin with, let’s first glance through all the good that has happened in cyberspace this month. The Cybersecurity Protocol for International Arbitration (2020), a set of detailed guidelines on cybersecurity measures for individual arbitration matters was released. Google has launched an initiative called ‘OpenTitan’ that focuses on the cybersecurity posture of devices in data centers. In other news, the U.S. Air Force plans to launch ‘Infrastructure Asset Pre-Assessment program’, a program to rate the cybersecurity of commercial satellite communication companies.

  • The Cybersecurity Protocol for International Arbitration (2020), a detailed guideline set on cybersecurity measures for individual arbitration matters was released as part of New York Arbitration Week. These guidelines were the work of a cybersecurity group including representatives from the New York City Bar Association (City Bar), the International Institute for Conflict Prevention & Resolution (CPR), and the International Council for Commercial Arbitration (ICCA).
  • Google has launched a new open-source silicon root of trust project. Named ‘OpenTitan’, this project focuses on boosting the cybersecurity posture of servers, storage, and other devices in data centers. OpenTitan is said to be managed by lowRISC, a non-profit organization.
  • The U.S. Air Force is planning to launch a cybersecurity program called ‘Infrastructure Asset Pre-Assessment program’ for satellite communication companies to streamline pre-assessment procedures for contractors. According to this program, satellite communication providers must undergo assessments to ensure that they meet the National Institute of Standards and Technology regulations.
  • The U.S. Internal Revenue Service is planning to launch a cyber safety campaign that coincides with the year’s busiest online shopping period. Named ‘National Tax Security Awareness Week 2019’, the campaign is set to run from December 2 through December 6. YouTube videos that educate shoppers are said to form an important part of the campaign.
  • The state of Virginia has developed a new model for quantifying cybersecurity risk and prioritizing defenses. This model is said to be an adaptation of multiple standards for quantifying risk. The model’s accuracy was tested by comparing the outcomes of past breaches with known variables against the model’s predictions, and numbers were found to be fairly close.
  • Google announced a partnership called ‘App Defense Alliance’ with three cybersecurity firms. This collaboration will aim at enhancing the detection of Potentially Harmful Applications (PHAs). The partners will analyze the dataset before an application goes live on the Google Play Store.

The Bad

This month witnessed several cyber incidents. An unsecured Elasticsearch database exposed over 4 terabytes of data, impacting more than 1.2 billion people. The U.S. branch of T-Mobile disclosed a security breach that impacted the details of some customers of its prepaid service. Meanwhile, major hosting provider SmarterASP fell victim to a ransomware attack.

  • An open Elasticsearch database was found to be leaking more than 4 terabytes of data associated with People Data Labs and OxyData, two data enrichment companies. Personal and social information of over 1.2 billion people were said to be impacted by this leak. Researchers have not been able to attribute the database to a specific company.
  • The U.S. branch of T-Mobile announced a security breach that affected some customers of its prepaid service. The exposed data included customer names, phone numbers, account numbers, billing addresses, rate plans, and plan features. The company said that no sensitive information was compromised.
  • SmarterASP, a major hosting provider, was hit by a ransomware attack. Apart from encrypting customer data, the attack also caused downtime for the company’s website. The company said that it was working with security experts to decrypt the data.
  • Spain’s largest radio station Cadena SER and an NTT DATA company Everis were hit by ransomware attacks. SER is said to be impacted by an unknown ransomware strain that forced the radio station to disconnect all its systems from the internet. Security experts believe that Everis’ data was encrypted by the BitPaymer ransomware.
  • Facebook disclosed that around 100 partners may have accessed user information such as names and profile pictures of members in certain Facebook groups. The social media giant said that although there was no evidence of access abuse, the partners have been asked to delete retained member data. An audit is also said to be conducted to confirm the deletion of data.
  • Cybersecurity firm Trend Micro disclosed a security incident involving a malicious insider threat. Names, email addresses, support ticket numbers, and some telephone numbers may have been compromised due to this incident. A Trend Micro spokesperson reportedly said that around 70,000 customers have been impacted.
  • The U.K. Labour Party was hit by two cyberattacks in 24 hours. Both of the attacks are said to be distributed denial-of-service (DDoS) attacks and the party said that no data breach occurred. It is not clear if the same hackers were behind both attacks.
  • A misconfigured AWS S3 storage bucket exposed around 93,000 files with patient information of three drug and alcohol addiction facilities managed by California-based Sunshine Behavioral Health. The exposed data includes names, physical and email addresses, dates of birth, phone numbers, CVV codes, payment card numbers, and health insurance information. The database has been made private now.
  • Department store chain Macy’s disclosed the details of a data breach involving malicious scripts that stole customers’ payment information. The website was reportedly hacked on October 7, 2019, and the malicious script was injected into the 'Checkout' and 'My Wallet' pages. Macy’s said that only a small number of customers were impacted by this breach.
  • The state of Louisiana suffered a ransomware attack impacting websites and IT systems. As a response to the attack, the state’s cybersecurity team was activated. The extent of damage to the government’s internal system caused by this cyberattack is not clear yet.
  • Facebook and Twitter announced that hundreds of Android users may have had their data improperly accessed after the accounts were used to log in to Google Play Store apps. This reportedly happened because One Audience, a software development kit, allowed third-party developers to access users’ personal data. Twitter said that it had notified Apple and Google of the vulnerability.

New Threats

A number of malware and vulnerabilities were reported in the past month. The infamous Nemty ransomware was observed to be delivered by the Trik botnet. The Emotet Trojan was spotted in a new wave of attacks. Meanwhile, a new phishing campaign targeting Office 365 administrators was reported.

  • Researchers observed that the Nemty ransomware is being delivered by the Trik botnet, which has expanded its reach. The Nemty ransomware is spread to systems with exposed Server Message Block (SMB) network communication protocol. The malware has been observed to be in continuous development since its first appearance in August 2019.
  • The infamous Emotet Trojan has been observed in a new wave of attacks. Researchers noted that the malware had undergone changes in functionality and deployment. The malware authors had used a new list of words to create process names.
  • Security experts have spotted a new phishing campaign targeting Office 365 administrators. The campaign was found using legitimate sender domains to bypass reputation filters. This campaign was found to be targeting admins across several industries and enterprises.
  • A new attack technique that can exploit the ‘Light Commands’ vulnerability to hack smart voice assistants has been discovered. The vulnerability is a design flaw in the micro-electromechanical systems (MEMS) microphones that convert voice commands into electrical signals. Attackers can leverage this vulnerability to perform malicious activities.
  • Researchers disclosed a vulnerability in Amazon Ring doorbells that exposed the passwords of connected Wi-Fi networks. This vulnerability can be exploited by malicious actors to launch massive attacks. Amazon has fixed this vulnerability in all Ring devices.
  • A new version of the ZombieLoad side-channel attack impacting Intel processors was reported. Tracked as CVE-2019-11135, the ZombieLoad v2 exploits the Transactional Synchronization Extensions (TSX) Asynchronous Abort operation in Intel processors. Intel has rolled out patches and vendors have started issuing guidance for customers.
  • The infamous TrickBot Trojan was spotted in a new spear-phishing campaign. The campaign sends fake sexual harassment complaints that appear to be from the U.S. Equal Employment Opportunity Commission. The threat actors are said to be using names, company names, job titles, and phone numbers of victims in the email to make it appear legitimate.
  • The Australian Cyber Security Centre (ACSC) has warned businesses and netizens of Emotet and BlueKeep attacks. Tracked as CVE-2019-0708, BlueKeep vulnerability affects older Windows OS versions including Windows Vista, Windows 7, Windows XP, Server 2003, and Server 2008, said the ACSC advisory.
  • Researchers discovered 19 flaws in VoIP adapters from Cisco's SPA100 Series. These flaws potentially allowed malicious actors to eavesdrop on user conversations, infiltrate into the internal network, and initiate fake phone calls. Cisco has issued patches for these vulnerabilities along with their new firmware release.
  • A camera security vulnerability on Google and Samsung devices was found impacting millions of devices. Tracked as CVE-2019-2234, this flaw allows cybercriminals to hijack the phone and take pictures or record videos even on locked devices. Both Google and Samsung have released patches for this issue.
  • Thousands of Android applications were said to be impacted because of a recently disclosed GIF processing vulnerability. Tracked as CVE-2019-11932, this is a stack buffer overflow bug that could be exploited using MP4 video files. This flaw was initially discovered in Whatsapp and has been patched by its parent company Facebook.
  • The Common Weakness Enumeration (CWE) list outlining the 25 most dangerous software vulnerabilities has been updated for the first time in eight years. The updates were made using a data-driven approach based on reported real-world vulnerabilities. The list has been compiled from the publicly reported vulnerabilities available in the National Vulnerabilities Database (NVD).


elasticsearch database
t mobile
nemty ransomware
emotet trojan
office 365 administrators

Posted on: December 02, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.