Go to listing page

Cyware Weekly Threat Intelligence, July 06 - 10, 2020

Cyware Weekly Threat Intelligence, July 06 - 10, 2020

Share Blog Post

The Good

With another week coming to an end, let’s take a quick glance at all the good developments that happened this week. The US Department of Justice (DoJ) indicted the notorious Fxmsp hacker responsible for breaching networks of 135 companies between 2016 and 2019. In a different incident, German authorities took down a web server controlled by the DDoSSecrets group. The server hosted the BlueLeaks website that provided access to internal documents of police personnel.

  • The DoJ indicted the infamous ‘Fxmsp’ hacker for selling access to dozens of corporate networks. The hacker had breached the networks of 135 companies in 44 countries between 2016 and 2019.
  • Security experts released free decryption keys for the recently discovered EvilQuest ransomware that uses a custom symmetric encryption routine based on the RC2 algorithm.
  • Microsoft seized six domains of a threat actor group that were used in a phishing operation against Office 365 customers. The gang sent emails to companies that hosted email servers and enterprise infrastructure on Microsoft’s Office 365 cloud service.
  • German authorities took down a web server - belonging to the DDoSecrets hacktivist group - that hosted the BlueLeaks website. The website provided access to internal documents stolen from the US police departments.

The Bad

The week also witnessed several organizations falling victims to different cyberattacks. Attackers hijacked over 240 website subdomains of various well-known companies with an aim to redirect users to malware, X-rated content, and online gambling. Meanwhile, the DXC Technology and EDP Renewable North America (EDPR NA) disclosed being hit by ransomware attacks.

  • The Egypt-based ride-hailing app, SWVL, was hacked in an attack that impacted personal information of passengers. The exposed data included emails, names, and phone numbers.
  • Clubillion app leaked Personally Identifiable Information (PII) of millions of its users due to an unsecured Elasticsearch database. The impacted data included emails, private messages, and IP addresses.
  • More than 240 website subdomains belonging to different organizations were hijacked to redirect netizens to malware, X-rated material, online gambling, and other unexpected content. The affected organizations included Chevron, the Red Cross, UNESCO, 3M, Getty Images, Hawaiian Airlines, Arm, Warner Brothers, and Honeywell.
  • DXC Technology disclosed a ransomware attack on its subsidiary firm, Xchanging. The incident occurred on July 5.
  • In a notification to customers, BCycle revealed that credit card information of some of its users was impacted in a hack. The incident occurred between January 24 and April 26, 2020.
  • Hackers attacked the Sheriff’s Office for Cooke County, Texas, and stole some of the law enforcement agency’s data in the process. The compromised data included information of both past and current police personnel.
  • Brazilian health insurer, Hapvida, disclosed a cyberattack that potentially affected both personal and medical information of its customers.
  • All IT systems of X-FAB Group were halted following a cyberattack. The firm had also stopped production at all its six manufacturing sites as an additional measure to stop further spread of the attack.
  • Ragnar Locker ransomware targeted EDP Renewable North America (EDPR NA) in its latest attack campaign. The incident had occurred on May 8, 2020.
  • Around 15 billion credentials that could give access to individuals’ bank accounts and companies’ networks were found for sale on the dark web. These credentials were harvested from over 100,000 discrete data breaches.
  • Chilton county temporarily closed its computer network after being targeted in a ransomware attack. As a result of the attack, local records required by the courthouse were rendered inaccessible.

New Threats

Among the new threats discovered this week, security researchers uncovered two threat actor groups, Keeper and Cosmic Lynx, that were responsible for a large number of card-skimming and BEC attacks respectively. While the Keeper gang has hijacked over 570 e-commerce sites over the last three years, the Cosmic Lynx has launched more than 200 BEC attacks since July 2019.

  • A hacking group known as ‘Keeper’ was found responsible for hacking more than 570 online e-commerce portals over the last three years. The gang carried out their attack by inserting malicious scripts into the checkout pages of the sites.
  • New details reveal that the Evilnum threat actor group has shifted its focus on targets located in Europe and the United Kingdom. Some of its victims are also located in Australia and Canada. The APT group is specialized in targeting financial firms.
  • Russia-based Cosmic Lynx threat actor group is responsible for more than 200 BEC attacks since July 2019. The gang relies on infrastructure linked with malware campaigns from Emotet and TrickBot.
  • The week witnessed new variants of Lampion trojan, Mirai botnet, and Joker spyware. While the new Lampion variant came with VBS downloader files, the new version of Mirai exploited nine vulnerabilities, including a flaw found in Comtrend routers. The new Joker variant included the capabilities of unleashing additional malware onto a targeted device. A new variant of Purple Exploit kit was also found with two more exploits added to its arsenal.
  • More than a dozen websites hosted on Microsoft IIS servers and running ASP.NET have been targeted by a payment-card skimmer code in a campaign that started likely in April 2020. The malicious code was injected into the existing JavaScript libraries.
  • Cerberus banking trojan made a comeback disguised as the Calculadora de Moneda app. The trojan’s capabilities included logging keystrokes, and stealing credentials from Google Authenticator and SMS messages.
  • Two new ransomware - Conti and FileCry - emerged this week. While Conti uses 32 independent CPU threads to encrypt files on infected computers, the new FileCry ransomware derives its name from WannaCry.
  • A survey revealed that 127 routers from seven different vendors are affected by several vulnerabilities. The vendors have failed to fix these flaws despite the available security patches. The affected vendor names are AVM, D-Link, Linksys, TP-Link, Zyxel, and Netgear.
  • Federal authorities issued security advisories related to a vulnerability in ultrasound systems from Philips. Described as an authentication bypass issue, the flaw can be successfully exploited to allow an attacker to view or modify information.


fxmsp hacker
lampion trojan
cosmic lynx
keeper gang
dxc technology
card skimming
cerberus banking trojan
bec attacks

Posted on: July 10, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite