Cyware Weekly Cyber Threat Intelligence June 18 - June 22, 2018

The Good


Every week, cybercrime is becoming rampant as attacks get fiercer and hackers more sophisticated. Still, this week saw some successful law enforcement operations. Europol dismantled hacker group Rex Mundi while French authorities took on Dark Web site, Black Hand. Google Play security will soon extend to apps shared offline while VirusTotal Monitor is looking to reduce false positive detections.

  • Europol is disrupting the long-running cybercrime outfit Rex Mundi--Latin for “king of the world.” The cyber extortion outfit has been operating since at least 2012. Authorities announced the arrest of a 25-year-old French coder in Thailand under a French international arrest warrant. This is the eighth suspect arrested so far for connections to Rex Mundi.
  • The French Minister of Public Action announced that they have dismantled Black Hand, one of the largest Dark Web forums that saw the trade of illegal goods and services such as weapons, narcotics, stolen data and more. Authorities said the site’s administrator--a 28-year-old mother from Northern France--and several other accomplices were arrested in a string of coordinated police raids across the country.
  • US carrier Verizon agreed to stop selling customers’ real-time location data to third-party data brokers following serious concerns over user privacy and security. Senator Ron Wyden praised Verizon’s initial move before chastising its competitors for not following suit. Eventually, AT&T, T-Mobile and Sprint also announced similar commitments.
  • Google is looking to make sure apps downloaded from Play Store and shared offline will be verified as safe. The company will add a small amount of security metadata to APKs to mark the app as “authentic” and originally coming from the Google Play Store. The verification will work when the device is offline and will be regularly checked with Play Protect.
  • VirusTotal has introduced a new service to allow software developers to privately check and monitor their programs against antivirus detection engines in a bid to reduce false positives. Developers can use the new VirusTotal Monitor to upload new files, check their code and receive alerts if their program has incorrectly been flagged as malicious.

The Bad


This week, numerous data breaches came to light including South African insurer Liberty, which refused to cave to hackers’ ransom demands. Flight tracker Flightradar24 suffered a data breach while hackers stole $32 million from South Korean cryptoexchange, Bithumb. Syscoin’s GitHub account was poisoned with malware and over 21,000 open container orchestration and API management systems were found online.

  • South African insurance firm Liberty suffered a cyberattack that saw hackers infiltrate its IT infrastructure, access some data and threaten to release it if they weren’t paid a ransom. The firm said it refused to pay the ransom demand, noting the stolen data included emails and attachments. Liberty said it addressed vulnerabilities in its systems to secure customer data, adding no customers were impacted by the breach.
  • Popular flight tracking service Flightradar24 suffered a breach that compromised a “small subset” of users’ email addresses and hashed passwords. Users were asked to reset their passwords. The firm said the breach was limited to one server that was shut down once the intrusion was detected. No payment data was accessed in the breach, it added.
  • South Korean cryptocurrency exchange Bithumb was targeted by hackers who stole about $32 million. The company said the remaining assets have been moved to offline cold wallets while all deposits and withdrawals were briefly halted. Bithumb said it is working with other exchanges to prevent further losses and retrieve funds.
  • Malicious actors replaced the legitimate Windows installer for the instant payment cryptocurrency Syscoin earlier in June with a version that contained malware. The tainted Windows client was available on the project’s GitHub page for days and contained the Arkei Stealer malware - a trojan designed to steal wallet keys and passwords.
  • VDOO researchers uncovered several critical vulnerabilities in nearly 400 Axis camera models that could have allowed hackers to take full control of the IoT devices or rope them into botnets. The vulnerabilities, now disclosed to Axis, could have enabled hackers to take over devices using the IP address and control the camera, access video streams and more.
  • Lacework researchers discovered more than 21,000 container orchestration and API management systems left unprotected or publicly exposed on the internet in early June. Researchers said their findings highlighted “the potential for attack points caused by poorly configured resources, lack of credentials and the use of non-secure protocols.”

New Threats


A fresh batch of nasty malware emerged this week including the complex Mylobot that comes with a unique bag of tricks. The Olympic Destroyer that hit the 2018 Winter Olympics is targeting biochem protection groups. A new SamSam ransomware variant requires a special password before infection. The US warned of North Korean malware TypeFrame while fake Fortnite Android apps are spreading.

  • Deep Instinct researchers have discovered Mylobot, a botnet that features a never-before-seen level of complexity and three layers of evasion techniques. It also comes with a delaying mechanism of 14 days before accessing C&C servers and the ability to serve up different payloads from ransomware to keyloggers.
  • The destructive Olympic Destroyer that hit networks supporting this year’s Winter Olympics in Pyeongchang, South Korea, has cropped up again. Kaspersky Lab researchers said the new campaign is targeting financial organizations in Russia and biological and chemical threat prevention laboratories in Europe and Ukraine. All biochem threat prevention firms and research organizations in Europe have been advised to bolster their defenses and run unscheduled security audits.
  • A new, targeted SamSam variant has popped up that requires attackers’ input before infecting victims. Malwarebytes researchers said the campaign was difficult to analyze since a password is required to access the malware’s code. Even if someone accidentally downloads the malware, the attacker must enter a special password to run the payload.
  • Chinese cyberespionage group Thrip has been targeting satellite operators, defense contractors, geospatial imaging systems and telecommunications firms in the US and Southeast Asia. Symantec researchers said the group’s activities thus far indicate their motive goes “beyond spying and may also include disruption.”
  • US-CERT warned of another North Korea-linked malware named TypeFrame that contained descriptions related to Hidden Cobra. Analyzed samples had the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to C&C servers for additional instructions and modify the victim’s firewall to allow incoming connections.
  • As the wildly popular multiplayer survival shooter Fortnite is set to make its debut on Android this summer, cybercriminals are already looking to tap into the hype. Scammers have been spotted uploading fake, malicious Android versions of Fortnite along with YouTube tutorials explaining how to download them. The developer behind Fortnite - Epic Games - has yet to announce a specific release date, so watch out for any dodgy downloads before then.



