Cyware Weekly Cyber Threat Intelligence September 10-14, 2018

The Good

Friday’s here at last! That means it’s time to catch up on the biggest cybersecurity stories from the week gone by. But first, let's tip our hats to the experts, law enforcement agencies and firms making strides towards improving the security of people, devices and infrastructure against an ever-growing range of threats. The hacker behind the JPMorgan cyberattack was nabbed by US feds. British police arrested a teenage DDoS-for-hire group leader. Meanwhile, researchers developed a way to store cryptocurrency passwords in DNA.

  • Russian citizen Andrei Tyurin was extradited from the nation of Georgia to face charges in the US over the massive JPMorgan Chase hack in 2014. The suspect was a major player in several cyber attacks against multiple finance-related firms including Dow Jones & Co., E*Trade Financial Corp, Scottrade Financial Services and Fidelity Investments. The JPMorgan Chase hack alone saw the compromise of about 76 million customers.
  • Russian national Peter Yuryevich Levashov pleaded guilty to operating the Kelihos botnet to facilitate a global spam and credential-stealing operation. The 38-year-old programmer - dubbed one of the world’s most notorious criminal spammers - had operated multiple botnets since the 1990s such as Storm and Waledac.
  • On the other side of the pond, British police arrested hacker George Duke-Cohan who pleaded guilty to three counts of making hoax bomb threats. The 19-year-old was the leader of the hacking collective “Apophis Squad” that launched DDoS attacks against ProtonMail, Tutanota and other sites over the summer.
  • On the research side, a group of asset managers and biotechnologists have created a cold storage data vault named Carverr that can store cryptocurrency passwords in synthetic DNA. The cryptocurrency password can be stored inside a drop of liquid in a micro tube of DNA that contains about a quadrillion copies of a digital wallet.

The Bad

Over the past week, several security breaches, data leaks and cyber attacks came to light. Data firm Veeam exposed over 200GB of customer records. FreshMenu failed to disclose a 2016 breach while Edinburgh University suffered a cyberattack.

  • Data management firm Veeam accidentally exposed a database containing more than 200GB of customer records, including names, email addresses and IP addresses. Security researcher Bob Diachenko discovered the database exposed online with no password protecting it. It contained two collections of 199.1 million email addresses and 244.4 million records aggregated over a four-year period between 2013 and 2017.
  • Dozens of popular iPhone apps have been quietly sharing the location data of “tens of millions of mobile devices” with third-party data monetization firms, security researchers at the GuardianApp project discovered. Data collected by these apps included Bluetooth beacons, Wi-Fi network names, accelerometer data, battery charge status and cell network names. Some of the offending apps included ASKfm, Perfect365, Homes.com and more.
  • Popular delivery service platform Freshmenu failed to disclose a massive data breach in 2016 that affected over 100,000 users. The security incident was revealed by security expert Troy Hunt’s HaveIBeenPwned service. Data compromised included names, addresses and detailed order histories.
  • Edinburgh University was hit by a cyberattack this week that crippled its computer systems for hours. UK non-profit Jisc said a “number of universities” were targeted this week, noting that DDoS attacks typically increase around the time new students are enrolling for courses or returning to university. A university spokesman said no data was compromised in the attack.

New Threats

Multiple threat actors have been coming out of the woodwork. Iran-linked Domestic Kitten has been spying on ISIS supporters for years. Chinese-speaking LuckyMouse is using malicious NDISProxy drivers to distribute Trojans. New Mirai and Gafgyt botnet variants are targeting multiple exploits. PyLocky ransomware has been focusing on Europe while a new Kronos variant is exploiting a Microsoft Office flaw.

  • Iran-linked APT Domestic Kitten has been quietly spying on Iranian and Kurdish citizens as well as ISIS supporters since 2016 using malicious, data-stealing mobile apps. Three malicious apps used by the group included a wallpaper changer, an app purporting to offer news updates from Kurdish news website ANF and a fake version of Vidogram. Data collected from compromised phones included contact lists, text messages, geolocation, photos and more.
  • Chinese-speaking APT LuckyMouse is using malicious NDISProxy Windows drivers and stolen digital certificates to distribute Trojans. The seemingly legitimate code-signing certificates actually belong to Chinese security software developer LeagSoft and are believed to be stolen. The malicious driver is used to infect the memory of the lsass.exe system process.
  • New variants of the notorious Mirai and Gafgyt botnets are using multiple vulnerabilities to compromise IoT devices. One of the flaws is the CVE-2017-5638 Apache Struts vulnerability that was exploited in the Equifax breach. A recently-disclosed flaw in SonicWall's Global Management System is also being exploited.
  • TrendMicro researchers spotted a new strain of ransomware named PyLocky that seems to be targeting European businesses and attempts to piggyback off of the success of the infamous Locky ransomware. The malware is being spread via invoice-themed spam emails.
  • A new variant of the Kronos malware named Osiris has been spotted by security researchers at Securonix. The malware is being distributed via malicious emails that contain documents which exploit a buffer overflow vulnerability in the Microsoft Office Equation Editor component.


Posted on: September 14, 2018