
Cyware Monthly Threat Intelligence, September 2019


The Good

September just rolled by, and it’s time to recollect the happenings of the past month in cyberspace. Microsoft, Hewlett Foundation, MasterCard, and other corporations have jointly launched the ‘CyberPeace Institute’, a non-profit organization that protects victims from cyberattacks. A new technique called ‘Splintering’ that makes hacking passwords more difficult has been developed by researchers at Tide. In other news, the United States Department of Defense has launched a counter-insider threat program to educate analysts on malicious insider risks.

  • Microsoft, Hewlett Foundation, and MasterCard, along with other major corporations, have launched a non-profit organization called the CyberPeace Institute, which is designed to protect victims against cyberattacks.
  • Researchers at Tide have developed a new technique dubbed ‘Splintering’ to protect usernames and passwords. This technique takes encrypted passwords within an authentication system, breaks them up into multiple fragments, and stores them on a decentralized distributed network from where they can be reassembled when required. Researchers claim that Splintering is 14 million percent more difficult to hack when compared to other techniques.
  • The U.S. Department of Defense (DOD) has launched a counter-insider threat program. The objective of this program is to educate analysts on how to identify potential insider threats and detect suspicious behavior. The Defense Counterintelligence and Security Agency's Center for Development of Security Excellence has also provided resources for employees about insider threats.
  • Hitachi Europe Ltd. has announced a new biometric technology dubbed ‘Hand gesture biometric authentication’. This technology couples Hitachi's proven secure finger vein technology with any device that has a camera. This authentication system replaces passwords, fingerprint scanning, and facial recognition systems for authorizing transactions.
  • The United States Healthcare and Public Health Sector Coordinating Council (HSCC) has launched a cybersecurity matrix for information sharing. This online resource, called the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), provides a list of organizations that facilitate information sharing. Each listed organization is described along with its mission and other related details.
  • The Joint Artificial Intelligence Center is creating a framework for collecting, sharing and storing the military’s cybersecurity data, which will lay the foundation for AI-powered cyber defense tools. This would help train AI to monitor military networks for potential threats.

The Bad

This month saw a fair number of cyberattacks and data exposures. An unsecured server with at least 419 million records of phone numbers linked to various Facebook users was discovered by researchers. Meanwhile, a notorious hacker who goes by the name Gnosticplayers has hacked the popular word puzzle game ‘Words With Friends’, compromising the data of more than 218 million users. On the other hand, a leaky Elasticsearch database belonging to a consulting company called Novaestrat exposed the personal information of over 20 million Ecuadorian citizens.

  • A security researcher uncovered an unguarded server that contained at least 419 million records of phone numbers linked to several Facebook users including celebrities. The exposed records included users’ unique Facebook ID and their associated phone numbers. Some of the exposed records also included Facebook users’ names, gender, and country.
  • A popular word puzzle game named ‘Words With Friends’ developed by mobile social game company Zynga Inc has been breached. The hacker, who goes by the name Gnosticplayers, gained unauthorized access to a database of more than 218 million users. The compromised information includes names, email addresses, login IDs, and Zynga account IDs among others.
  • The personal information of over 20 million Ecuadorian citizens was exposed because of a leaky Elasticsearch database. The exposed data, belonging to a company called Novaestrat, includes personal information of individuals and family members, financial information, employment details, and other data. The database contained around 18GB of data that appeared to be sourced from Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank named Biess, among others.
  • Attackers infected the City of New Bedford in Massachusetts with Ryuk ransomware and demanded a ransom payment of $5.3 million. The city made a counteroffer of $400,000, which was subsequently declined by the attackers. The city has now decided to restore its data from back-ups.
  • Security researchers discovered an Elasticsearch database belonging to DK-Lok that was left publicly accessible without any authentication. The leaky database exposed DK-Lok's internal and external communication records, including emails sent between staff and their clients. Some of the exposed email records were marked as “private” and “confidential”. Apart from emails, personal information of staff and clients, such as names, email addresses, employee/user IDs, and phone numbers, was also exposed.
  • Attackers launched a massive DDoS attack against Wikipedia and took down its website across various countries. The attack, launched on September 6, 2019, targeted several countries including the U.K., France, Germany, Italy, The Netherlands, Poland, and parts of the Middle East.
  • An unprotected database belonging to a cybercriminal network has exposed almost 17 million email addresses. The breach allowed access to the personal details of users purchasing tickets from any website using the Neuroticket software. This impacted popular ticket vendors such as Groupon, Ticketmaster, and Tickpick apart from various small independent venues.
  • Yves Rocher exposed the information of over 2.5 million Canadian customers due to an unprotected database managed by Aliznet. A majority of affected customers were located in Canada. The exposed information includes names, phone numbers, email addresses, birth dates, zip codes, and FID numbers. FID numbers are used by several countries for international shipping or tax purposes.
  • An unprotected Elasticsearch database belonging to Dealer Leads has exposed almost 198 million records containing information about potential car buyers. The exposed data includes names, email addresses, phone, addresses, IP addresses, ports, pathways, storage information, loan and finance inquiries, and details of vehicles that were for sale.
  • A Magecart card-skimming attack hit the websites of two hotel chains with properties across 14 countries. Mobile users of these hotel chains were targeted to steal payment card details and other sensitive information. Both hotel websites were developed by a Spain-based company named Roomleader, whose module was compromised to inject the malicious code.
  • Data of 24.3 million Lumin PDF users was found on a hacking forum. The data, contained in a 2.25GB ZIP file, includes names, gender, Google access tokens, email addresses, locale settings, and hashed password strings.
  • Two unsecured MongoDB databases with 1,444,375 records of email accounts, 2,196,840 password strings, and 752,645 entries of usernames were discovered. The databases were found to belong to the criminal group responsible for the Gootkit malware.
  • Hackers have infected Click2Gov payment portals in 8 cities. Almost 20,000 payment records have been compromised and are said to be available on the dark web for sale. The affected cities include Deerfield Beach, Palm Bay, Milton, and Coral Springs in Florida to name a few.
  • For the second time this month, the personal details of nearly 20 million Ecuadorian citizens were exposed. The unprotected server, reportedly located in Germany, belongs to an Ecuadorian company called Databook. The compromised information includes names, workplaces, family member details, phone numbers, vehicle information, and emails.
  • DoorDash, a food delivery service, has disclosed a data breach that affected nearly 5 million customers. The breach exposed customer details such as names, phone numbers, delivery addresses, email addresses, payment information, and more. The company said that full credit card information and full bank details were not exposed.
  • Researchers have discovered a phishing campaign launched by an Iran-linked hacker group called Cobalt Dickens that has targeted over 380 universities across over 30 countries. This campaign has predominantly affected the universities in Canada, Australia, the US, and the UK. The hacker group has targeted universities in order to steal intellectual property that can be used for financial gain.
  • Researchers analyzed over 2300 Picture Archiving and Communication System (PACS) servers and found out that at least 590 systems were unsecured, exposing more than 24.3 million patient records. The servers were spread across 59 countries including the United States, Brazil, Italy, and India.
  • The personal data of customers of major airline companies owned by Lion Air and Malindo Air was found in an open AWS storage bucket. The exposed data includes names, email addresses, phone numbers, physical addresses, passport numbers, passport expiration dates, dates of birth, and passenger and reservation IDs.

New Threats

Various new malware activities and vulnerabilities were reported in September. The infamous threat group Fancy Bear has reappeared in the threat landscape with an updated set of tools. The Emotet botnet has also returned after a break since June. On the other hand, the TrickBot trojan has been distributed in a massive phishing attack targeting various U.S. states.

  • Notorious threat group Fancy Bear has returned with an updated set of tools. This group, known for its politically motivated attacks, has been observed using phishing emails. The updates include the use of a new programming language, Nim, and a backdoor written in Golang.
  • The Emotet botnet resurfaced after a break since June. The latest campaign primarily targeted Poland and Germany among other countries. The campaign was observed to send phishing emails based on financial themes. Some of the emails were disguised as replies to previous email conversations.
  • The infamous TrickBot trojan has returned in a massive phishing attack targeting several states in the U.S. The affected states include California, Maryland, Illinois, New York, Texas, Minnesota, and New Jersey. The phishing emails included a malicious ZIP file attachment disguised as receipt and invoice documents. The operators of the TrickBot trojan have also changed their propagation methods and are now using a JavaScript downloader dubbed ‘Ostap’ to deliver the trojan. This downloader is delivered as a Microsoft Word 2007 macro-enabled (.DOCM) document and is also equipped with anti-analysis features.
  • A security researcher who goes under the name ‘Mol69’ spotted a new malvertising campaign that distributes the Nemty ransomware via the RIG exploit kit (EK). This variant appends the ‘._NEMTY_Lct5F3C_’ extension to the encrypted files. The ransomware also drops a ransom note that provides payment instructions to recover the encrypted files.
  • Researchers have identified that Android smartphones including models by Samsung, Huawei, LG, and Sony, are vulnerable to advanced phishing attacks via Open Mobile Alliance Client Provisioning (OMA CP) messages. An attacker requires IMSI numbers of mobile devices in order to carry out the attack. Once a CP is authenticated with the recipient’s IMSI number, Huawei, LG and Sony phones allow installation of malicious settings. However, attackers can send unauthenticated OMA CP messages to Samsung phones even without the need for obtaining IMSI numbers.
  • Security researchers have reported a new vulnerability in Intel chips that abuses the Data-Direct I/O (DDIO) feature. Dubbed NetCAT, this vulnerability allows attackers to observe keystrokes in SSH sessions on the compromised machines. This vulnerability, tracked as CVE-2019-11184 by Intel, is a side-channel leak that requires direct access to the vulnerable system.
  • U.S. Cyber Command has shared 11 malware samples with VirusTotal, which are believed to be linked with North Korean government hacker groups. Most of these samples are tied to the notorious Lazarus Group which has been active since at least 2009. The Cyber Command has discovered several samples similar to the well-known malware called HOPLIGHT.
  • A series of vulnerabilities was discovered in Verizon Wireless systems that could have been exploited to gain access to 2 million customer contracts. The customer contracts contained information such as the full name, address, mobile number, and signature of customers. They also included the model and serial number of the device bought by customers.
  • Thousands of Google Calendars were found to be leaking private information online because of a misconfiguration. It was discovered that anyone could access and add events in more than 8000 calendars that were indexed by Google’s search engine.
  • A passcode bypass flaw was reported in iOS 13, which was released on September 19, 2019. It could allow hackers to access the phone book of a victim by following a series of seemingly harmless steps. This security flaw is yet to be patched.
  • The infamous Nemty ransomware’s code has been updated to make it capable of killing processes and services. The update, which retained the same version number, was also found to have expanded the list of blacklisted countries.
  • Old Magecart domains have been observed to be purchased for malicious purposes. Most of the domains used in old Magecart attacks have been sinkholed and seized. However, some of them have been released back into the pool of available domains and are being used in malvertising campaigns by other threat actors.
  • A new malspam campaign targeting a large U.S. manufacturing company has been observed recently. The campaign distributes the infamous LokiBot trojan, which is capable of stealing sensitive information. An attachment named #RFQE67Y54.7z contained the LokiBot payload.



Posted on: September 30, 2019
