
Cyware Weekly Threat Intelligence, September 16 - 20, 2019


The Good

The week is almost over, but before we welcome the weekend let’s run through the important happenings in the world of cybersecurity. Let’s begin with the positive advancements of this week. Engineers from Purdue University and Tohoku University have developed new hardware that demonstrates the basis of a probabilistic computer to efficiently solve problems in cybersecurity and other domains. An Israeli startup called GK8 has built a new cold-storage cryptocurrency wallet that is electronically disconnected from other devices to minimize the attack surface. Milwaukee School of Engineering (MSOE) has opened a new cyber-learning facility with the aid of a $34m alumnus donation.

  • Experts from Purdue University and Tohoku University have built the first hardware to demonstrate the basis of a probabilistic computer called p-bits. These are capable of performing calculations that would normally require quantum computers. These computers are believed to help solve problems more efficiently in areas such as cybersecurity, data analytics, and financial services among others.
  • GK8, an Israeli startup, has built a cold-storage crypto wallet that has on-network capabilities. The design allows only uni-directional communication from the wallet outward, never the other way round. The wallet device is not electronically connected to any other digital device, which limits the attack surface.
  • Milwaukee School of Engineering (MSOE) has opened a new cyber-learning facility with an alumnus donation of $34m. The facility has several classrooms, laboratories, staff offices, and an auditorium, as well as a data center that houses an NVIDIA GPU-accelerated AI supercomputer.
  • Google removed two Chrome ad-blocker extensions that were using misleading names. Apart from taking on the names of popular extensions, they were also reported to be cookie-stuffing. This is a technique of adding extra information to a user’s cookie to earn commission for payments made on the sites.
  • ClassNK, a Tokyo ship classification society, has announced that it is forming a cross-sectional team of marine and security experts to boost cybersecurity. The approach is said to include various measures that will combine physical, technical, and organizational approaches to mitigate any risks.

The Bad

Many data breaches and cybercrimes were in the news this week. The personal data of 20 million Ecuador citizens was compromised owing to a leaky Elasticsearch database. Also, the data of 24.3 million Lumin PDF users, including names, gender, and Google access tokens among other fields, was found on a hacking forum. Mobile users of hotel chains were hit by a Magecart attack that stole payment details and other sensitive data.

  • The personal information of over 20 million Ecuador citizens was exposed because of a leaky Elasticsearch database. The exposed data includes personal information of individuals and family members, financial information, employment details, and other data. The database contained around 18GB of data that appeared to be sourced from Ecuadorian government registries, an automotive association called Aeade, and an Ecuadorian national bank named Biess, among others.
  • Carle Foundation Hospital fell victim to a data breach after three employee email accounts were compromised. Data belonging to certain patients who availed cardiology or surgery services at the hospital was believed to be compromised. The compromised data includes patient information such as names, dates of birth, diagnosis, and treatment.
  • Data of 24.3 million Lumin PDF users was found on a hacking forum. The data, contained in a 2.25GB ZIP file, includes names, gender, Google access tokens, email addresses, locale settings, and hashed password strings.
  • A phishing page was found pretending to be ‘The Guardian SecureDrop’ site. It promotes an Android application that performs malicious activities in the devices it infects. The page harvests unique codenames given to sources who submit information via the SecureDrop service.
  • Researchers analyzed over 2300 Picture Archiving and Communication System (PACS) servers and found out that at least 590 systems were unsecured, exposing more than 24.3 million patient records. The servers were spread across 59 countries including the United States, Brazil, Italy, and India.
  • Two unsecured MongoDB databases with 1,444,375 records of email accounts, 2,196,840 password strings, and 752,645 entries of usernames were discovered. The databases were found to belong to the criminal group responsible for the Gootkit malware.
  • An unprotected drive with 1.7 terabytes of data has exposed the installation details of SORM hardware by Nokia in coordination with Mobile TeleSystems (MTS). The exposed data also includes schematics, administrative credentials, email archives, and other materials relating to telecom infrastructure projects. At least 64 Russian telecommunication providers were also affected by this data breach. 
  • The personal data of customers of major airline companies owned by Lion Air and Malindo Air was found in an open AWS storage bucket. The exposed data includes names, email addresses, phone numbers, physical addresses, passport numbers, passport expiration dates, dates of birth, and passenger and reservation IDs.
  • A Magecart card-skimming attack hit hotel chains across 14 countries. Mobile users of these hotel chains were targeted to steal payment card details and other sensitive information. Both hotel websites were observed to have been developed by a Spain-based company named Roomleader, whose module was compromised to inject the malicious code.
  • Akamai has reported the fourth-largest DDoS attack the company has encountered in terms of the highest reflected amplification factor. The attack, which generated 35GB of junk traffic per second, was said to be targeted at one of its clients in the gaming sector.
  • Scotiabank’s source code and sensitive data such as credentials for services, keys to access the bank’s backend systems and services in different parts of the world, and software blueprints were found on publicly accessible GitHub repositories.
  • Hackers have infected Click2Gov payment portals in 8 cities. Almost 20,000 payment records have been compromised and are said to be available on the dark web for sale. The affected cities include Deerfield Beach, Palm Bay, Milton, and Coral Springs in Florida to name a few.

New Threats

New vulnerabilities and malware came to light this week. The Emotet botnet has reappeared in a new campaign after a break. Nemty ransomware’s code has been upgraded but the threat actors have decided to retain the version number. In other news, thousands of misconfigured Google Calendars were discovered to be exposing sensitive data online.

  • German-speaking users fell victim to an Ordinypt spam campaign that hid behind job application emails. Although Ordinypt seems like ransomware, it is a wiper that destroys the encrypted files on the infected systems. It demands a ransom amount of 0.1473766 BTC, which is approximately $1,518.92.
  • InnfiRAT, a new malware that targets cryptocurrency wallet information and browser cookie data has been discovered. The malware is capable of taking screenshots of pages accessed on the infected machines and disabling certain antivirus software.
  • The infamous Nemty ransomware’s code has been updated to make it capable of killing processes and services. The update, which retained the same version number, was also found to have enriched the list of blacklisted countries.
  • A new malware dubbed MobiHok RAT, which borrows code from SpyNote RAT, was discovered. This RAT boasts capabilities such as keylogging, a remote terminal, and control of files, camera, SMS, apps, and contacts, to name a few.
  • A privacy bug was discovered in WhatsApp’s ‘Delete for everyone’ feature that doesn’t delete media accidentally sent to iPhone users. The files were still found in the iPhone’s camera roll, even after the message was deleted in WhatsApp.
  • The Emotet botnet resurfaced after a break since June. The latest campaign primarily targeted Poland and Germany among other countries. The campaign was observed to send phishing emails based on financial themes. Some of the emails were disguised as replies to previous email conversations.
  • Threat actors leveraged exposed Remote Desktop services to install TFlower ransomware on corporate networks. After deleting the shadow copies of files and encrypting them, a ransom note is displayed to the victims to contact certain email addresses for payment instructions.
  • A passcode bypass flaw was reported in iOS 13, which is scheduled to be made available for users next week. It allows hackers to access the phone book of the victim by following a series of seemingly harmless steps. This security flaw is yet to be patched.
  • The Amadey botnet was delivered in a phishing campaign targeted at U.S. taxpayers. The emails, pretending to be from the IRS, promised the recipients a tax refund to lure them into downloading malicious attachments.
  • MITRE’s Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors list was updated for the first time since 2011. This is a list of critical weaknesses attackers may exploit to compromise networks and systems. "Improper Restriction of Operations within the Bounds of a Memory Buffer", or buffer overflow, ranked first with a score of 75.56.
  • Thousands of Google Calendars were found to be leaking private information online because of a misconfiguration. It was discovered that anyone could access and add events in more than 8000 calendars that were indexed by Google’s search engine.
  • The Smominru botnet was reported to have infected nearly 90,000 machines by exploiting the ExploitBlue vulnerability and performing brute force attacks on MS-SQL, RDP, and Telnet services. The infection rate was about 4,700 machines per day.


Posted on: September 20, 2019
