Go to listing page

Cyware Weekly Threat Intelligence, June 29 - July 03, 2020

Cyware Weekly Threat Intelligence, June 29 - July 03, 2020

Share Blog Post

The Good

With the number of cybercrimes increasing day by day, it has become an utmost priority to heighten the cybersecurity vigilance across the organizations. Taking this into account, federal authorities have released many advisories related to synthetic identity theft and cyberattacks through Tor networks and IPsec VPNs. Meanwhile, the International Organization for Standardization (ISO) has published three new standards to improve the security of IoT devices.
  • The U.S. Federal Reserve has issued guidelines for financial organizations on how to mitigate synthetic identity fraud. The experts have recommended a multi-layer approach to effectively identify and mitigate such types of frauds.
  • The Cybersecurity Security and Infrastructure Security Agency (CISA) has shared tips on defense against cyberattacks via Tor network - that is used by threat actors to hide their identity and real IP address. The advisory has been created with contributions from the Federal Bureau of Investigations (FBI).
  • The ISO has published three new standards to increase security and seamless communication between IoT devices. The standards are ISO/IEC 21823, ISO/IEC TR 30164, and ISO/IEC TR 30166.
  • The Australian Signal Directorate (ASD) has been assigned a fund of over $1 billion amid the rise in cyberattacks against the nation’s governments and businesses. The amount will be used over the next 10 years to disrupt foreign cybercriminals and better identify malicious hackers.
  • A group of academics has developed a new SSO algorithm that aims at security user information, including username and passwords, from being accessed by third-party services and applications.
  • The U.S. National Security Agency (NSA) has published an advisory to warn about potential threats on IP Security Virtual Private Networks (IPsec VPNs). It has provided recommendations on how to secure IPsec tunnels which can be exploited to steal sensitive data contained within the traffic.

The Bad

The week saw one of the worst data leaks of the year due to misconfigured databases. A set of SQL databases containing 14 million users records from 945 websites was dumped for sale on the dark web. On the other hand, a data breach broker claimed to have sold over 1.3 million people’s records stolen from 14 different websites.

  • A data breach at CNY Works exposed the names and social security numbers of around 56,000 users. The firm claimed that there was no evidence of misuse of the stolen data.
  • The Evil Corp gang’s new ransomware, WastedLocker, was used to infect dozens of the U.S. newspaper websites owned by the same company. These attacks relied on fake software update alerts that delivered the malicious payload.
  • A hacker took over nearly 23,000 unsecured MongoDB databases with an intent to get ransom from victim companies. The affected company was given two days time to pay the asked ransom, failing which the data would be leaked online. Additionally, the hacker threatened to contact the local GDPR authority to report the leak.
  • Printer manufacturer, Xerox Corporation, became the latest victim of Maze ransomware. The attackers had breached the company on June 25 and stole nearly 100 GB worth of data.
  • Unsecured databases belonging to two Chinese firms - Xiaoxintong and Shanghai Yahua Smartech - had leaked millions of user records. The compromised information included mobile numbers, hashed passwords, and more.
  • Around 250,000 sets of personally identifiable information of users were leaked in a targeted multi-stage bitcoin scam. The scam affected users in the UK, Australia, South Africa, the U.S., Singapore, Spain, and Malaysia.
  • A collection of SQL databases linked with 945 websites were up for sale on the dark web. These databases included approximately 150GB data of nearly 14 million people.
  • Decentralized finance liquidity provider, Balancer Pool, disclosed a sophisticated hack that tricked the firm into releasing $500,000 worth of tokens.
  • A data breach broker claimed to have sold databases containing over 1.3 million records on the dark web. These databases belonged to 14 companies that included HomeChef, Footters, Revelo, Tokopedia, Fluke, DarkThrone, JamesDelivery, and Playwings.
  • Eight U.S. cities using Click2Gov web-based software were hit in Magecart skimming attacks. This enabled the attackers to steal personal and credit card information from customers.
  • One of the broadcasting sites of France Télévisions was hit in a cyberattack. However, the attack did not affect its antennae.
  • Five dating apps used in the U.S. and East Asia leaked millions of customer records due to unprotected databases. These affected apps include CatholicSingles, Yestiki, SPYKX, Blurry, Charin, and Kyuun.
  • V Shred exposed the Personally Identifiable Information (PII) of over 99,000 customers and trainers following an unsecured AWS S3 bucket. The bucket contained 1.3 million files, totaling about 606 GB of data.
  • A database containing more than 300,000 BMW car owners was offered for sale on an underground forum. The data exposed included full names, email addresses, vehicle numbers, and dealer names.
  • NetWalker operators claimed attacks on Trinity Metro by publishing some of the stolen data on the internet. The data included contents related to “Accounting and HR Shared,” “Daily Operations Documents,” “Planning Documents,” and “Security.”

New Threats

In addition to data leaks, the cybersecurity landscape witnessed the notoriety of other malware such as Trickbot, Alina PoS, and XMRig. All these malware have now evolved with extra stealing and evasion capabilities to affect more and more people.

  • The Sodinokibi ransomware gang began the first dark web auction of legal data stolen from Grubman Shire Meiselas and Sacks. The stolen data belonged to high-profile celebrities such as Mariah Carey, Nicki Minaj, and LeBron James.
  • Threat actors continued to evolve the capabilities of several existing malware such as Trickbot, Alina PoS malware, and XMRig to expand their attack surfaces. While the new variant of Trickbot checked for screen resolution as an anti-VM check, the latest version of Alina malware used the DNS Tunneling method to exfiltrate payment card details from PoS systems. Meanwhile, the new XMRig variant masquerades as Windows Management Instrumentation (WMI) service to unleash cryptomining payloads.
  • Two new ransomware, named EvilQuest and Try2Cry, were found targeting users. The EvilQuest is distributed on torrent sites bundled with a software app named Little Snitch. On the other hand, Try2Cry adopts USB flash drives spreading LNK files.
  • The terror of Snake ransomware is spreading far and wide. According to researchers, this ransomware will pose a unique threat to companies with industrial control systems. Since its inception, Snake has struck two firms - Honda and Enel Group.
  • FakeSpy Android malware operators were discovered impersonating postal services in the U.S., China, and Europe to steal financial data from users. The attack was carried out through phony messages.
  • Researchers revealed that the Windows drivers used in ATMs and PoS devices could be abused to allow attackers to escalate privileges and gain deeper access into the targeted system. Ultimately, this would enable them to steal money or customer data.
  • Google removed 25 malicious apps from the Google Play Store for stealing Facebook credentials. These apps were developed by the same threat actor group.
  • Magecart attackers are using an EXIF metadata of an image file to hide their skimmer code and load on to retail sites. The skimmer code is loaded on websites using a WordPress e-commerce plugin.
  • Researchers demonstrated a new hack technique on Industrial Control Systems (ICS). This can be done by remotely injecting keystrokes through an industrial barcode scanner that is connected to the computer.
  • The Valak information stealer is being distributed in ongoing campaigns targeted at enterprises in North America, South America, and Europe. The malware is propagated via malicious spam alongside secondary payloads such as Gozi and IcedID.


alina pos malware
wastedlocker ransomware
sso algorithm
cny works
france televisions
australian signal directorate asd
xerox corporation
mongodb databases

Posted on: July 03, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.