Go to listing page

Cyware Weekly Cyber Threat Intelligence January 21-25, 2019

Cyware Weekly Cyber Threat Intelligence January 21-25, 2019

Share Blog Post

The Good

We’re back with the most interesting cybersecurity news of the week. Let’s start with all the good events that happened in the cybersecurity landscape. Mitsubishi Electric Corporation announced this week that it has developed a multi-layered defense technology to protect connected vehicles from cyber attacks. Red Hat announced the release of its Podman project that provides enhanced security to Containers. Meanwhile, North Carolina(NC) has recently witnessed a newly proposed bill to strengthen customer data protection.

  • Mitsubishi Electic Corporation has developed as multi-layered defense technology that protects connected vehicles from cyber attacks by strengthening their head unit’s defense capabilities. This multi-layer defense technology helps achieve more secure vehicle systems in accordance with the increasing popularity of vehicles that are equipped for connection to external networks.
  • Red Hat has announced the release of its open-source Podman project on January 17, 2019. The Podman project has integrated multiple core security capabilities which enables organizations to run their containers securely. The core security capabilities include rootless containers and improved username space support for better container isolation.
  • North Carolina(NC) has recently witnessed a newly proposed bill centered around consumer data protection. The bill focuses on incorporating better security measures on consumer data. The bill proposes to classify ransomware attacks as breaches and proposes to provide credit freeze services to all citizens.

The Bad

Several data breaches and massive cyber attacks occurred over the past week. An online Casino group inadvertently exposed over 108 million records containing information such as bets, wins, deposits, and more. An unprotected ElasticSearch database exposed almost 24 million loan documents. Yet another unprotected ElasticSearch server containing 4 million intern applications exposed online. In the meantime, Nest security camera was hacked to broadcast warning of North Korea missile attack.

  • An ElasticSearch server of an online casino group was left publicly available without a password, accessible to anyone. The leaky server exposed almost 108 million records containing information such as bets, wins, deposits, withdrawals, including payment card details.
  • An unprotected ElasticSearch database was left publicly available online without authentication for at least a period of two weeks which resulted in the exposure of almost 24 million bank loan and mortgage documents. The exposed documents included documents from Citigroup, Wells Fargo, Capital One, and the Department of Housing and Urban Development among others.
  • A misconfiguration in the ElasticSearch server of AIESEC exposed at least 4 million intern applications. The exposed applications involved personal information such as email addresses, full names, dates of birth, gender, applicants’ reasons for applying for the internships, and interview details.
  • Financial services firm Cebuana Lhuillier suffered a data breach resulting in the compromise of almost 900,000 clients' personal information. The compromised private data included clients’ dates of birth, addresses, and source of income. However, no transaction details were compromised in the incident.
  • A massive cyber attack in Alaska has left almost 100,000 private data of households possibly compromised. The attack was the result of a virus infecting the public computer systems in the Division of Public Assistance (DPA). The computer systems contained critical personal information such as Social Security Numbers and residential addresses.
  • A family in Orinda, California experienced a broadcast warning coming from their Nest security camera. Attackers managed to hack their Nest surveillance system and broadcast a warning of an incoming nuclear missile attack from North Korea. The surveillance system was compromised by a stolen password which was exposed online.
  • ATLAS admin’s Steam account got hacked by an individual, causing their server to be taken offline for almost 5 and a half hours. Group of players found a technical exploit and used it to flood the server with whales, dragons, and PewDiePie spam messages.
  • BlackRock, the world’s largest asset manager, has accidentally posted sensitive information belonging to thousands of financial adviser clients on its website. The exposed information was spread across three spreadsheets and included names and email addresses of advisers who bought BlackRock’s exchange-traded funds (ETFs).

New Threats

Over the past week, several vulnerabilities and malware strains emerged. The infamous banking trojan Emotet was spotted again this week in a new form. A new ransomware family tracked as ‘Anatova’ was discovered by security researchers. Another new strain of ransomware dubbed as ‘hAnt’ was spotted targeting Bitcoin mining rigs. Last but not least, Redaman, a banking trojan that emerged in 2015 was back again, this time targeting Russian banks.

  • The infamous banking trojan Emotet has emerged again with a new form. This time, it packs a new feature that evades spam filters allowing attackers to send more emails. The Trojan spreads itself with different genuine-looking email addresses.
  • A new strain of ransomware dubbed as ‘hAnt’ has been spotted targeting Bitcoin mining rigs, primarily in China. The ransomware infected mining rigs include Antminer S9 and T9 devices used for Bitcoin mining and Antimer L3 rigs used for Litecoin mining. In a few instances, Avalon miner equipment used for Bitcoin mining was also affected.
  • A new malware campaign distributing Ursnif banking Trojan was detected by researchers. The malware campaign uses PowerShell to achieve fileless persistence to avoid detection. The campaign uses an already well-known payload delivery method which employs Microsoft Word documents containing a malicious VBA macro.
  • The prolific GandCrab ransomware reemerged with a set of trojans that are capable of stealing users’ sensitive data. The new attacks have been observed launching two variants of GandCrab, a variant of BetaBot and a variant of AZORult infostealer malware.
  • A new attack campaign distributing a new variant of RogueRobin trojan has been observed by security researchers. The attack was performed by DarkHydrus threat actor group against targets in the Middle East. The new variant was propagated via a malicious macro that comes embedded within an Excel document.
  • A new strain of ransomware dubbed Phobos has been spotted targeting businesses worldwide since mid-December. This ransomware shares similarity with Dharma ransomware. Like Dharma, Phobos ransomware exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack.
  • A new malspam campaign in the guise of an ‘emergency exit map’ is making rounds in the cyberspace. Apparently, the spam emails with malicious attachments in the campaign carry a fake message claiming to be an updated version of an exit map in the recipient’s building. The malicious Word doc attachments in the emails ultimately install the GandCrab ransomware.
  • A new ransomware family tracked as ‘Anatova’ has been spotted by security researchers recently. Infections with the ransomware have been observed all over the world, most of them being in the United States, followed by some countries in Europe.
  • Redaman, a banking trojan that emerged in 2015 reemerged again with more enhanced capabilities such as terminating running processes, smart card monitoring etc. This time, the trojan has targeted customers of Russian banks and institutions by sending emails with .rar archives disguised as PDF.


redaman banking trojan
gandcrab ransomware
insecure elasticsearch servers
phobos ransomware
anatova ransomware

Posted on: January 25, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite