Cyware Weekly Cyber Threat Intelligence January 7-11, 2019

The Good

We’re back with the most interesting cybersecurity news of the week. Let’s start with the positive advancements in the cybersecurity landscape. Google announced new G Suite features that alert admins to phishing and data exfiltration activity. T-Mobile announced caller verification technology to combat spammers. Meanwhile, two senators introduced a bill to protect the U.S. from supply chain security risks.

  • Google introduced new security features for G Suite. The features are intended to alert admins to activities such as phishing and data exfiltration. Google said that the alert center in G Suite now comes with improved security-related notifications and alerts.
  • T-Mobile announced caller verification technology that alerts users to incoming calls that cannot be verified as authentic. The technology is based on the STIR and SHAKEN standards, which are designed to deter spam and spoofed calls. It will be available to T-Mobile customers who use the Samsung Galaxy Note 9.
  • Two senators introduced a bill to create a central government entity that deals with supply chain security issues and helps keep U.S. technologies safe from foreign theft. The bill proposes a White House Office of Critical Technologies and Security to protect U.S. technologies against state-sponsored technology theft and risks to the critical supply chain.

The Bad

Over the past week, several data breaches and large-scale cyber attacks took place. Ethereum Classic was hit by a majority attack, with over $1 million potentially stolen. Another data breach hit Singapore Airlines, exposing the private data of 285 customers. Meanwhile, a large number of Reddit users were locked out of their accounts because of unusual activity.

  • The Ethereum Classic token was hit by a 51% attack, with deep chain reorganizations and double spends amounting to over $1 million. The ETC market cap fell by around 6% after the attack was discovered.
  • Chinese fraudsters stole $18.6 million from Tecnimont S.p.A. The company’s India head was the primary victim of the attack: the attackers used spam emails to convince him of a possible ‘acquisition’ in China and successfully obtained the money from him.
  • A software glitch in the Singapore Airlines website caused a data breach affecting 285 customers. For 278 of them, private data such as names, email addresses, account numbers, membership tier statuses, KrisFlyer miles, recent miles transactions, upcoming flights, and KrisFlyer rewards was compromised. For the remaining seven customers, passport details were compromised.
  • Reddit users were locked out of their accounts because of unusual activity indicating unauthorized access. The activity was attributed to bad password practices, such as using very simple passwords and reusing passwords across multiple websites and services.
  • Cybercriminals hacked EWN’s systems and sent spam alerts to thousands of people across Australia. The hackers gained unauthorized access to EWN’s system and sent spam notifications via text, email, and landline. However, the incident did not compromise anyone’s personal information.
  • Attackers breached the computer systems of Titan Manufacturing and Distribution Inc. The attackers used malware to breach the company’s systems and stole customer data such as full names, billing addresses, contact numbers, and payment card details including card numbers, expiration dates, and verification codes.
  • Bankers Life was hit by a data breach exposing the PII of Humana health insurance policy applicants. The exposed personally identifiable information (PII) included names, addresses, dates of birth, the last four digits of Social Security numbers, and limited information on Humana health insurance policies.
  • An open and unprotected MongoDB database containing 202,730,434 resumes of Chinese jobseekers was left publicly accessible. The exposed CVs contained personal information such as full names, dates of birth, addresses, phone numbers, email addresses, marital status, education, salary expectations, previous job experience, and more.

New Threats

Several vulnerabilities and malware strains emerged over the past week. Cybercriminals were spotted using a combination of Vidar malware and GandCrab ransomware in a single attack. CryptoMix ransomware returned with a new attack campaign targeting weakly protected RDP ports. Researchers discovered a new malware strain, ‘IcePick-3PC’, that is capable of stealing device IP addresses. Last but not least, a group of researchers identified a new type of side-channel attack that is hardware agnostic and targets the operating system (OS) page cache.

  • Attackers are using a combination of Vidar malware and GandCrab ransomware against victims. Security researchers who investigated the campaign found that exploit kits such as Fallout and GrandSoft were used to install Vidar first, followed by a secondary payload containing GandCrab ransomware.
  • CryptoMix ransomware returned with a new attack campaign targeting weakly protected RDP ports. The attackers brute-forced the RDP logins in order to gain access to the target network. Once inside, they harvested admin credentials and encrypted the backup files.
  • Researchers detected a new malware strain dubbed ‘IcePick-3PC’ that is capable of stealing device IP addresses by compromising a website’s third-party tools. The malware has affected several publishers and e-commerce businesses, including the retail and healthcare industries.
  • Researchers disclosed a new type of side-channel attack that targets the operating system page cache. The researchers reported that the page cache attacks are hardware agnostic and affect both Windows and Linux.
  • Malware was spotted in a weather app named ‘Weather Forecast-World Weather Accurate Radar’, which came preinstalled on Alcatel smartphones and was also available for download on the Google Play store.
  • Researchers spotted adware hidden in 85 Android apps, including games, TV apps, and remote control apps, that were available in the Google Play Store. The 85 apps had been downloaded over 9 million times. Google has since removed them from the Play Store.
  • The TA505 threat actor group was spotted using two new malware families, the ServHelper backdoor and the FlawedGrace RAT, in its recent attack campaign against banks, retailers, and businesses. The malware helps the group establish remote desktop access and harvest users’ personal data.
  • A critical vulnerability (CVE-2018-16196) in the Vnet/IP Open Communication Driver affects several Yokogawa products. It has a CVSS score of 7.7, placing it in the ‘high-severity’ category. The vulnerability could allow an attacker to stop the communications functionality of the Vnet/IP Open Communication Driver, resulting in a denial of service (DoS).
  • A vulnerability in Microsoft Office allowed documents with embedded ActiveX controls to leak local machine and user information, including passwords, certificates, HTTPS requests, and more.
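The CryptoMix item above describes an intrusion that starts with brute-forced RDP logins. The following detection logic is an added example written for this digest, not code from Cyware or from any vendor; it runs over a constructed, simplified log format (timestamp, event ID, logon type, account, source IP) rather than real Windows event XML, and the threshold of five failures within ten minutes is an assumed tuning value. It flags a source address once its failed RDP logons (event 4625, logon type 10) cross the threshold inside a sliding window, and raises a second, higher-priority alert if a successful RDP logon (event 4624) from that same address follows, which is the pattern a defender would most want to catch before backup files are encrypted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). 4625 = failed logon,
# 4624 = successful logon; LogonType=10 is RemoteInteractive, i.e. RDP.
# One line is deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2019-01-08T01:40:00Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2019-01-08T01:55:00Z 4625 LogonType=10 Account=jdoe Source=198.51.100.5
2019-01-08T01:55:20Z 4624 LogonType=10 Account=jdoe Source=198.51.100.5
2019-01-08T02:00:01Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2019-01-08T02:00:03Z 4625 LogonType=10 Account=admin Source=203.0.113.7
2019-01-08T02:00:04Z 4625 LogonType=3 Account=svc_backup Source=203.0.113.7
2019-01-08T02:00:05Z 4625 LogonType=10 Account=backup Source=203.0.113.7
2019-01-08T02:00:08Z 4625 LogonType=10 Account=root Source=203.0.113.7
this line is not a logon event and is skipped by the parser
2019-01-08T02:00:10Z 4625 LogonType=10 Account=backupadmin Source=203.0.113.7
2019-01-08T02:00:12Z 4625 LogonType=10 Account=backupadmin Source=203.0.113.7
2019-01-08T02:01:00Z 4624 LogonType=10 Account=backupadmin Source=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"Account=(?P<acct>\S+)\s+Source=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a logon event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "ltype": int(m["ltype"]),
        "acct": m["acct"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts: (kind, source_ip, detail).

    kind is 'rdp_bruteforce' when a source reaches `threshold` failed RDP
    logons inside `window`, and 'success_after_bruteforce' when a successful
    RDP logon from an already-flagged source follows (likely compromise).
    """
    failures = defaultdict(list)  # source IP -> timestamps of failed RDP logons
    flagged = {}                  # source IP -> time the threshold was crossed
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["ltype"] != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        src = ev["src"]
        if ev["eid"] == 4625:
            fails = failures[src]
            fails.append(ev["ts"])
            # Slide the window: discard failures older than `window`.
            while fails and ev["ts"] - fails[0] > window:
                fails.pop(0)
            if len(fails) >= threshold and src not in flagged:
                flagged[src] = ev["ts"]
                alerts.append(("rdp_bruteforce", src, len(fails)))
        elif ev["eid"] == 4624 and src in flagged:
            alerts.append(("success_after_bruteforce", src, ev["acct"]))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind}: source={src} detail={detail}")
```

The 01:40 failure from 203.0.113.7 falls outside the ten-minute window by the time the burst starts, so it is discarded; the network-logon (type 3) failure is ignored; and the single failure followed by a success from 198.51.100.5 stays below threshold, so only the brute-force source produces alerts. In production the same logic would be fed from the Security event log and paired with the mitigations the item implies: no RDP exposed directly to the internet, account lockout, MFA, and backups kept offline or immutable.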


Posted on: January 11, 2019