28 August 2017

Week in review: major security incidents in August 21-27

 Week in review: major security incidents in August 21-27

This week began with reports about attacks on Sony PlayStation Network social pages and Enigma Project website.

The first attack was performed on Sunday, August 20, by hacking group from Saudi Arabia, dubbed OurMine.

After gaining full control over company’s Twitter and Facebook pages, hackers called Sony up to contact them and buy their cyberattack protection service. The group named itself cybersecurity group and promised not to leak any data. The attack method is currently unknown but it’s supposed that the group used passwords obtained from previous breaches in earlier attacks against MySpace, LinkedIn etc.

After Enigma Project compromise, an unknown hacker or a group of hackers managed to steal 1,487.9 in cryptocurrency (about $475000). The attackers changed the HTTP address and tricked the victims to send their cryptocurrency to the controlled by them cryptocurrency wallet Ethereum. The total amount of money stolen via this platform exceeds 225$ mln.

On August 22, Proofpoint researchers detected a new ransomware and dubbed it Defray. The malware is spread via Microsoft Word documents attached to the emails. Usage of the ransomware was observed twice – on August 15, in attack against Healthcare and Education, and in a week, on August 22, targeting Technology and Manufacture verticals.

Three days after, Proofpoint observed Deputy Dog’s activity (also known as APT17) in spearphishing attacks. The hackers were spreading malicious emails containing the subject line "Wanna see the Game of Thrones in advance?" with a file "game of thrones preview.docx” and a link to a fake video. Once opened, it executes a malicious PowerShell script and begins installation of “9002” remote access Trojan (RAT).

The same 9002 RAT was earlier used in Operation Aurora, Operation Ephemeral Hydra and attacks against Asian countries.

The hackers reached British clinics and stole confidential data of 1.2 million patients. SwiftQueue confirmed the data breach and pointed out that hackers compromised only 32500 “lines of administrative data” including such personal information as names, birthday dates, phone numbers and emails. The group, however, didn’t manage to access medical records and passwords that were safely encrypted. According to Anonymous, they stole 11 million records as well as passwords.

On Friday, August 25, unknown unknown attackers compromised NHS Lanarkshire and cause small number of procedures and appointments to be cancelled. As it became known, hackers used a new type of ransomware - a programme called Bitpaymer. The malicious software locks away files, demands ransom in cryptocurrency and utters threats in case of payment absence.

On August 22, the hotel booking service Groupize reported about corporate data leak. The incident took place on August 9, and was revealed by Kromtech Security Center researchers. The hackers stole around 3000 documents containing contracts between hotels, customers or Groupize, credit cards’ payment authorization forms (with full CC#, expiration dates and CVV codes).

On August 22, Russian-linked hacking group Fancy Bear published on their website medical data of footballers, supposedly using doping. The given information was previously stolen from FIFA governance emails.

The released data demonstrate results of UK Anti-Doping control in 2015. A number of players, caught doping in 2015-2016, amounts to 350. Some of them used not only doping but also drugs.

Fancy Bear stated that they have obtained data from various sources and blamed the officials for lying that football “is free of doping”.

The published files also contain names of Carlos Tevez, who has played for Manchester United, Manchester City and West Ham, former Chelsea and United playmaker Juan Sebastian Veron and ex-United defender Gabriel Heinze.

On August 22, researchers of ISSP Labs detected a new wave of cyberattacks in Ukraine. Unknown hackers compromised web server of a Ukraine-based accounting software firm Crystal Finance Millennium and were spreading links to malware, placed on this server, via phishing emails.

The victims of ransomware were demanded to send ransom to a certain Bitcoin wallet. The first entry was noticed on August 15, which suggests that the attack took place in the middle of August or a bit earlier.

The researchers also outlined that hackers used 3 different malicious payloads: a downloader called Smoke Loader (aka Dofoil), a banking trojan called Chthonic, a piece of ransomware called PSCrypt (known in Ukraine earlier).

In the morning, on August 24, DreamHost reported about DDoS attack against their website by unknown hackers.

As it’s known, recently the Department of Justice accused DreamHost of planning riots on President Donald Trump's inauguration day and demanded from the host of controversial sites to reveal the logs of visitors to DisruptJ20 (an anti-Trump website). DreamHost refused to give required information and explained that it can be used to create an extensive list of Trump’s opponents.

Recently WannnaCry malware was observed again. This time in LG self-service kiosk in South Korea. On Monday, August 21, the company confirmed that malicious code, causing some terminals to delay, was in fact WannaCry variant.

After detecting attack on August 14, LG Electronics asked KISA (Korea Internet & Security Agency) for help. The companies made everything possible not to allow the ransomware to spread over other parts of organization. Nowadays KISA is still investigating how WannaCry managed to infect LG network.

On August 25-26, Japan was hit by widespread Internet disruption starting at 03:22 UTC and continuing about 25 minutes.

At 03:23 BGPstream began to publish a great number of alerts that Google announces the peering LAN prefixes of a few well known Internet exchanges. Such actions showed some problems with Google’s BGP advertisements and indicated BGP hijack and multiple leaks.

The issue led to delay or access block to websites and online services of dozens of organizations and ISPs from all over the word. Now the Internal Affairs and Communications Ministry of Japan is investigating the reason of this large-scale Internet disruption.

By Olga Vikiriuk.

Back to the list

Latest Posts

ATM Skimmers: What You Should Know

ATM Skimmers: What You Should Know

We hear about data breaches every day, criminals sell credit cards details (numbers, expiration date, and cardholders’ names) on black markets, and more people become victims of identity theft.
16 November 2017
Review of November’s Patch Tuesday for Microsoft, Adobe, and Mozilla

Review of November’s Patch Tuesday for Microsoft, Adobe, and Mozilla

The TOP software vendors fixed yesterday 153 vulnerabilities.
15 November 2017
Week in review: major cybersecurity incidents in November 6-12

Week in review: major cybersecurity incidents in November 6-12

The article contains a brief report of cybersecurity incidents for the past week.
14 November 2017