Cyware Weekly Cyber Threat Intelligence May 7 - 11, 2018

The Good


While every week in cybersecurity seems to be more daunting than the last, this past week also saw government agencies and security professionals make notable progress towards threat detection and improving defenses. The first EU-wide cybersecurity law went into effect, the US House passed a bill to help train small businesses in cybersecurity, and the Australian Parliament House is getting its own cybersecurity operations centre. Meanwhile, Android P is bringing new privacy and security updates.


  • The first EU-wide legislation on cybersecurity - NIS Directive - came into force on May 9, to ensure critical infrastructure firms are prepared for and protected from cyberattack and computer network failure. Operators of “essential services” such as health, water, energy, transport and digital infrastructure that fail to report breaches or outages to regulators within 72 hours could face fines of up to £17 million, as per the new law.
  • Google announced at its I/O event on Thursday that Android P will come with new privacy and security updates, including limits on what apps can access when you’re not actively using them. Starting with Android P, an app’s permission to use your location, microphone, camera or network status is restricted while the app is running in the background.
  • In the US, the House passed a bill aimed at helping small businesses better defend themselves against cyberattacks and threats. As per the legislation, the Small Business Administration will establish a “cyber counseling certification program” to train employees in cybersecurity at small business development centers.
  • Meanwhile, the Australian Parliament House will get its own $9 million cybersecurity operations centre to “enhance cybersecurity protection for the parliamentary computing network.” Overseen by the Department of Parliamentary Services, the centre will be responsible for the Parliament House internet services, email addresses and device management of MPs, senators and staff.

The Bad


This week saw a fresh round of data breaches and cyberattacks impacting organizations and individuals worldwide. FLEETCOR Technologies and an Arizona city suffered data breaches while Android app Drupe accidentally exposed sensitive user data. Copenhagen’s city bike service was also hacked while a crowdfunding website for a Yes vote in Ireland suffered a DDoS attack.

  • FLEETCOR Technologies revealed that it suffered a data breach in April after its gift card systems were accessed by an unauthorized party. The company said it identified suspicious activity on systems involving its Stored Value Solutions gift card business. It said a “significant number” of gift cards at least six months old, along with their PINs, were accessed in the breach, but that the data did not include personally identifiable information (PII).
  • Popular Android app Drupe, downloaded over 10 million times, inadvertently left users’ photos, selfies, audio messages and other sensitive data exposed online. The data was publicly available on unsecured servers on Amazon Web Services. Drupe said the exposed files were sent through Drupe Walkie Talkie and another feature that allows images to be sent during a call. It claimed these features have been used by less than 3% of its users, noting that the issue has been resolved and the exposed files deleted.
  • Copenhagen’s city bikes network Bycyklen was hacked by an unidentified hacker who deleted its entire database and disabled users’ access to the bicycles. Bycyklen said the hack was “rather primitive”, but noted it was likely carried out “by a person with a great deal of knowledge of its IT infrastructure.” No data was stolen in the attack, but the firm advised users to change their PIN codes for the bikes.
  • The Together for Yes campaign, which is calling for a Yes vote in the upcoming Eighth Amendment referendum in Ireland, said its crowdfunding website was hit with a DDoS attack. The attack temporarily knocked the website, hosted by CauseVox, offline at 5:45pm, which the agency said would “ordinarily be a peak time for donations.” The interruption also affected CauseVox’s security infrastructure.
  • The city of Goodyear, Arizona, temporarily disabled its online utility payment system after a resident reported fraudulent activity on the card used to pay a utility bill. The city has begun a forensic investigation into the breach that could affect 30,000 customers. The city said severe vulnerabilities within the software used for some payment card transactions were likely exploited. The affected server has been disabled and customers have been advised to monitor their payment card statements.

New Threats


Security researchers uncovered new strains of malware such as the Maikspy malware, which comes disguised as a fake Mia Khalifa-themed game. Drupalgeddon 2.0 is still plaguing websites, with over 400 sites hit by a cryptomining campaign. Meanwhile, the PoS malware TreasureHunter’s source code was leaked on a cybercrime forum.

  • Over 400 websites running on the Drupal content management system, including government and university sites, were targeted by a cryptomining campaign exploiting the critical remote code execution vulnerability CVE-2018-7600, dubbed Drupalgeddon 2.0. Some of the websites affected included those of Lenovo, the San Diego Zoo, UCLA and more.
  • Researchers discovered a series of legitimate websites that have been found delivering the notorious GandCrab ransomware. Cisco Talos researchers said the key issue for these compromised websites was multiple vulnerabilities in outdated software - ripe for the picking for adversaries. Some of the affected websites included a courier service in India and a WordPress site for a herbal medicine seller.
  • Trend Micro researchers discovered the Maikspy malware, which comes disguised as an adult game named after former adult film actress Mia Khalifa. Targeting Windows and Android users, the fake game app is promoted on social media to distribute the malicious link. The link redirects users to a website that distributes other malicious apps; once installed, the malware connects to a C&C server and uploads data from infected devices, including account info, phone numbers, contacts, photos, SMS messages and more.
  • Flashpoint researchers said the source code of the TreasureHunter PoS malware has been leaked on a Russian-speaking underground forum. Following the source code’s release in March 2018, researchers predict the leak will likely inspire a new round of nasty PoS malware strains, much like previous source code leaks for Mirai, BankBot and Zeus have done.
