Cyware Weekly Cyber Threat Intelligence June 4 - June 8, 2018

The Good


Another week, another dizzying array of headlines covering new attackers, major breaches, accidental data leaks and a swathe of malware. However, significant strides were made toward better security through new research, policies, and legislation. Amazon removed the flaw-riddled Cloudpets from its online store. Over 25 US states received funding to secure voting systems while a new bill could expand efforts to protect US critical infrastructure. Meanwhile, Apple is stepping up Safari’s privacy features to crack down on web-tracking.

  • Amazon announced it has pulled the flaw-riddled CloudPets from its online store after researchers discovered serious new and old vulnerabilities in the smart toys. Together with Cure53 researchers, Mozilla found CloudPets’ Bluetooth flaws, discovered over a year ago, were still unfixed in addition to newly discovered vulnerabilities. Walmart and Target have also pulled the toys from their shelves as well.
  • The US Election Assistance Commission released a list of 26 states that have requested and received funding to secure state voting systems ahead of the 2018 midterm elections. These states have requested nearly $210 million in newly available funds, about 55% of the total available amount, authorities said.
  • Apple is introducing new Safari privacy features on MacOS Mojave and iOS 12. At its Worldwide Developers Conference, the company said the next version of Safari will prompt users when a website tries to access cookies or other data, and lets you decide if you wish to allow it. The browser will also stop supporting legacy plugins as well.
  • The US House Homeland Security Committee has approved a bill to expand efforts to secure industrial control systems used to power critical infrastructure and services such as power and water systems, manufacturing and transportation. This move comes after researchers warned hackers have been targeting critical infrastructure systems over the past few years using sophisticated tools and techniques.
  • On a lighter note, popular mystery author James Patterson teamed up with former US President Bill Clinton to co-author a novel about a commander-in-chief going undercover to prevent a cyberattack. Titled “The President is Missing”, the fictional thriller revolves around President Duncan who is up for impeachment but has to prevent a cyber attack that could cost “massive loss of life… an economic crash greater than the Depression… and violent anarchy.”

The Bad


Multiple major breaches came to light this week including the MyHeritage and Transamerica hacks. Internal data of 10,000 firms were exposed due to a Google Group misconfiguration while Atlanta police said dashcam footage was lost in the ransomware attack. Meanwhile, a security researcher managed to hack in-flight WiFi networks from the ground.

  • DNA testing site MyHeritage suffered a breach compromising the personal data, email addresses and hashed passwords of over 92 million users. A security researcher notified the firm after discovering a file named “myheritage” on a private server outside of the firm. The company said payment card data was not impacted while family trees and DNA data are stored on separate systems and “does not believe those have been compromised.”
  • Ticketfly was targeted by hackers last week who defaced its website and stole users’ personal data. Several Ticketfly database files were later found posted to a public server containing over 26 million email addresses as well as users’ names, phone numbers, home and billing addresses. The online ticketing service’s website and app were offline several days following the hack.
  • Transamerica said it suffered a breach with hackers stealing around 45,000 customers’ personal and financial data, employment details and Social Security numbers. The company said the incident likely occurred between March 2017 and January 2018.
  • Scammers have been targeting hotels and guest houses featured on Booking.com with detailed phishing messages to steal financial details. Customers then received emails asking them for their payment details after these properties were phished. Booking.com said its systems were not compromised, adding that it has notified all potentially affected customers.
  • Kenna security researchers found widespread Google Group misconfigurations  exposing organizations’ internal data. As many as 10,000 firms were found publicly exposing some form of sensitive data after many Google Groups visibility were accidentally configured to “public”. Fortune 500 companies, universities, hospitals and even some US government agencies were affected.
  • Atlanta’s police department admitted “years” worth of police dashcam footage were destroyed in the recent SamSam ransomware attack that crippled the city’s municipal services in March. Atlanta Police Chief Erika Shields said the data loss could potentially compromise DUI cases “if the officer’s testimony is not where it needs to be.” However, she said she isn’t worried since there are other pieces of evidence.
  • Researcher Ruben Santamarta managed to successfully hack into in-flight airplane WiFi networks from the ground. The IO/Active researcher said he accessed on-board WiFi networks including passengers’ Internet activity and read the planes’ satcom equipment. Santamarta plans to demonstrate the hack during his Black Hat USA talk in August.

New Threats


Attackers unleashed a fresh batch of malware and enhanced capabilities of older strains. VPNFilter malware is more widespread than we thought while the RIG exploit kit has added an IE zero-day. Operation Prowli has infected over 40,000 devices while North Korean hackers are using NavRAT against South Korean targets.

  • The notorious VPNFilter malware has been found to be worse than previously thought. Cisco Talos researchers initially said the destructive malware has infected more than 500,000 consumer-grade routers worldwide including Linksys, MikroTik, Netgear, TP-Link networking equipment and QNAP network-attached storage (NAS) devices. Now researchers have updated this list to include those manufactured by Asus, Huawei, D-Link, ZTE, Ubiquiti and Upvel.
  • Cybercriminals have incorporated the recently disclosed Internet Explorer zero-day vulnerability to the RIG exploit kit to deliver Monero miners. The remote code execution vulnerability, CVE-2018-8174, was patched by Microsoft in May. However, researchers say hackers are actively exploiting the zero-day flaw to infect unpatched Windows PCs on a global scale.
  • A new traffic manipulation and cryptomining campaign dubbed Operation Prowli has already affected over 40,000 devices in 9000 organizations across industries. Guardicore Lab researchers said Prowli targets vulnerable platforms such as CMS servers, DSL modems, backup servers and IoT devices using exploits, password brute-force attacks and weak configurations.
  • Cisco Talos researchers discovered North Korean hacking outfit Group 123, also known as Reaper and APT37, are using a remote access trojan dubbed NavRAT to attack South Korean targets. Using the US-North Korea summit as a decoy, the trojan is embedded in a malicious Hangul Word Processor document. The malware itself has keylogging capabilities and is capable of downloading, uploading and executing commands on infected systems.





  • Share this blog:
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.