Cyware Weekly Cyber Threat Intelligence July 2 - July 6, 2018

The Good


Another week has passed with plenty of new cyber threats, attacks and breaches - both accidental and malicious. Still, significant measures are being taken to protect people against perilous cyber threats. Britain’s HMRC said it had 20,750 malicious websites taken down, while a £300 million court is being set up to tackle cybercrime and fraud. A DHS-funded tool to protect mobile users against phishing attempts is going commercial. Google Chrome is labeling all HTTP sites as ‘not secure’. Tinder beefed up its data security with encryption.

  • Britain’s tax authority HM Revenue and Customs said it requested a record 20,750 malicious websites be taken down over the past 12 months. It has also been trialling technology that identifies phishing messages claiming to be from HMRC and stops them from being delivered. Since the approach began in April 2017, there has been a 90% reduction in people reporting spoof HMRC-related messages.
  • A new £300 million purpose-built court is also being set up in the UK to combat cybercrime and fraud. The court will replace the Mayor’s and City of London county court and City of London magistrates’ court and take on civil cases, economic crimes and business and property disputes.
  • On the other side of the pond, the US Department of Homeland Security is touting a product designed to protect mobile users against phishing attempts and malware-laced applications. The DHS-funded tool was developed by mobile security firm Lookout and is being made available to both government and private-sector clients.
  • Google Chrome will be marking all unencrypted websites as ‘not secure’ this month. With the release of Chrome 68, the browser will flag any site with a Hypertext Transfer Protocol (HTTP) address rather than a Hypertext Transfer Protocol Secure (HTTPS) address.
  • Popular dating site Tinder has finally shored up its data privacy by encrypting photos uploaded by its users. Swipe data and other actions have also been padded so that they appear the same size when they are being transferred, thus preventing any snoops from identifying users’ activities.
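The Tinder item above describes two separate fixes: encryption hides the content of an upload, while padding hides its size. Size matters because common ciphers preserve plaintext length, so an on-path observer who cannot read a swipe can still tell a "like" from a "superlike" by byte count. The following script is an added example, not Tinder's or Cyware's code; the action names, the JSON shape, the 256-byte padding unit and the length-prefix framing are all assumptions made for illustration.

```python
"""Added example (not Tinder's or Cyware's code): padding action payloads to a
uniform size defeats size-based traffic analysis. Payloads and the "observer"
are constructed for illustration."""
import json
import os
import struct

BLOCK = 256  # hypothetical padding unit, in bytes (assumed, not Tinder's value)

# Constructed sample of unpadded user actions. Only the action string differs,
# so each action serializes to a different length; that difference is what an
# on-path observer can read straight off the encrypted stream.
ACTIONS = ("like", "dislike", "superlike")


def encode(action: str) -> bytes:
    """Serialize one user action the way a client might before encryption."""
    return json.dumps({"action": action, "target": 1234},
                      separators=(",", ":")).encode()


def pad(payload: bytes, block: int = BLOCK) -> bytes:
    """Length-prefix the payload and fill with random bytes to a block multiple."""
    framed = struct.pack(">I", len(payload)) + payload
    filler = (-len(framed)) % block          # bytes needed to reach the next multiple
    return framed + os.urandom(filler)


def unpad(padded: bytes) -> bytes:
    """Receiver side: read the length prefix and discard the random filler."""
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]


def observed_sizes(transform) -> dict:
    """What a passive observer sees: the on-wire size of each action after
    `transform`. Stream ciphers and AEAD modes such as AES-GCM add only a
    constant overhead, so plaintext size is a faithful proxy for ciphertext size."""
    return {action: len(transform(encode(action))) for action in ACTIONS}


def distinct_sizes(transform) -> int:
    """Number of size classes the observer can tell apart; 1 means no size leak."""
    return len(set(observed_sizes(transform).values()))


if __name__ == "__main__":
    identity = lambda b: b
    print("unpadded:", observed_sizes(identity), "classes:", distinct_sizes(identity))
    print("padded:  ", observed_sizes(pad), "classes:", distinct_sizes(pad))
```

Unpadded, the three actions occupy three distinct size classes and are trivially separable; padded, they collapse into one. Padding only closes the size channel: message timing and message count still leak, so a real deployment pairs it with batching or dummy traffic where those matter.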

The Bad


This week also saw a couple of serious data breaches. US law enforcement personnel data was exposed by an active shooter training center. The NHS blamed a coding error for a data-sharing mistake. Typeform said hackers downloaded a backup of its customer data. Meanwhile, a Facebook bug briefly unblocked previously blocked users.

  • The federally-funded Advanced Law Enforcement Rapid Response Training (ALERRT) facility exposed the personal data of police officers along with the capabilities and deficiencies of local police departments in handling active shooters. The database, uncovered by data breach hunter Flash Gordon, contained thousands of records of law enforcement personnel who had sought or undergone active shooter response training over the past few years.
  • The NHS admitted the confidential data of 150,000 patients was accidentally shared without their permission due to a “coding error.” The affected patients had requested their data only be used to provide them with care - known as a “Type 2 opt-out”. However, the glitch caused their request to be ignored and their data shared for clinical auditing and research.
  • Survey company Typeform suffered a major data breach after attackers downloaded a “partial backup” of its customer data. The incident impacted a string of businesses that use Typeform’s software to conduct customer surveys and quizzes. The Tasmanian Electoral Commission, British brand Fortnum & Mason, foodmaker Birdseye and digital bank Monzo have since notified their own customers that they were likely impacted by the incident.
  • Some Samsung users reported their Galaxy S9 and Galaxy Note 8 smartphones were erroneously sending photos and scheduled texts to random contacts via Samsung Messages without their permission. Many affected users reported they are T-Mobile customers and recently updated Samsung Messages. The company said its technical teams are looking into the issue.
  • Facebook notified over 800,000 people that a glitch briefly unblocked previously blocked users, allowing them to see some of their posts. The bug was active between May 29th and June 5th and has since been patched. The social media firm said around 83 percent of affected users had just one blocked person become unblocked.
  • Iranian APT Charming Kitten managed to create a fake website impersonating the security firm that outed their campaigns. ClearSky Security said the group copied its official website and hosted it on a similar-looking domain, clearskysecurity[.]net, while its actual website is Clearskysec.com. The phishing website has since been taken down.
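The ClearSky case is a brand-extension lookalike: the real registrable name is kept intact and lengthened, and the TLD is swapped. A brand-monitoring or abuse triage pipeline can flag such candidates automatically before a human looks at them. The check below is an added example written for this digest, not a ClearSky or Cyware tool; the only real domains in it are the two from the item above, the other candidates are constructed, and the naive "last label is the TLD" split is a stated simplification (real code would consult the public suffix list).

```python
"""Added example (not ClearSky's or Cyware's code): classify a candidate domain
as a lookalike of a brand domain. Candidates other than the two domains from
the news item are constructed for illustration."""
import re


def refang(indicator: str) -> str:
    """Turn defanged notation such as 'clearskysecurity[.]net' or 'hxxp://'
    back into a plain lower-case hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    return s.split("/")[0]


def registrable(domain: str):
    """Split a hostname into (name, tld). Simplification: treats the last label
    as the TLD, which is wrong for suffixes like co.uk; use a public-suffix
    library for that in production."""
    parts = domain.split(".")
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, brand: str):
    """Return a short reason if `candidate` looks like an impersonation of
    `brand`, or None if it does not trip any of the checks."""
    cand, real = refang(candidate), refang(brand)
    if cand == real:
        return None
    cname, ctld = registrable(cand)
    bname, btld = registrable(real)
    if cname == bname and ctld != btld:
        return "same name, different TLD"
    if cname.startswith(bname) or bname.startswith(cname):
        # The ClearSky case: 'clearskysec' extended to 'clearskysecurity'.
        return "brand name extended or truncated"
    if levenshtein(cname, bname) <= 2:
        return "typosquat within edit distance 2"
    return None


if __name__ == "__main__":
    brand = "Clearskysec.com"
    for candidate in ("clearskysecurity[.]net",   # from the news item
                      "clearskysec.net",          # constructed
                      "c1earskysec.com",          # constructed
                      "example.com"):             # constructed
        print(f"{candidate:25} -> {lookalike_reason(candidate, brand)}")
```

Run on the real pair, the function returns "brand name extended or truncated", which is the right triage bucket for a human analyst. The three checks are deliberately cheap so they can run over a daily certificate-transparency or newly-registered-domain feed; anything flagged then gets content comparison and WHOIS review.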

New Threats


This week’s fresh batch of malware included OSX.Dummy, which targets crypto-investors, and the Rakhni Trojan, which can choose to mine or encrypt. Researchers said hackers could use thermal imaging to read key presses. Gandcrab v4 popped up, while attackers are using fake invoice emails to drop malware in a new hacking campaign.

  • A new macOS malware dubbed OSX.Dummy was spotted targeting the cryptocurrency community on popular chat platforms Slack and Discord. Researchers said it uses an unsophisticated infection method that has users infect themselves and open themselves up to arbitrary code execution. They also described it as all-round “dumb” because of its limited capabilities, trivial detection and “lame” persistence mechanism.
  • Scientists found attackers could potentially leverage thermal residue left behind on keyboards to figure out victims’ passwords and PINs. In a series of experiments, researchers found many non-expert subjects were able to successfully recover both secure and insecure passwords based on imaging captured by thermal cameras - particularly those of “hunt and peck” typists.
  • Kaspersky Lab researchers uncovered the Rakhni malware that comes with both ransomware and cryptomining capabilities. The malware scans a targeted system before deciding whether to encrypt files or quietly mine cryptocurrency.
  • Gandcrab ransomware version 4 has been released, employing a different encryption algorithm and a new Tor payment website. The ransomware now uses Salsa20, appends a new .KRAB extension to encrypted files and demands $1200 to be paid in the DASH cryptocurrency.
  • Hackers have been sending thousands of invoice-themed phishing emails to organizations to drop data-stealing malware in a new cyber espionage campaign. Dubbed “Special Ear”, the campaign delivers malware designed to steal credentials and log keystrokes from targeted systems. Organizations in India, Saudi Arabia and South East Asia are primarily being targeted.
