28 August 2017

Week in review: major security incidents in August 21-27


This week began with reports about attacks on Sony PlayStation Network social pages and Enigma Project website.

The first attack was carried out on Sunday, August 20, by a hacking group from Saudi Arabia known as OurMine.

After gaining full control over the company’s Twitter and Facebook pages, the hackers urged Sony to contact them and buy their cyberattack protection service. The group calls itself a cybersecurity group and promised not to leak any data. The attack method is currently unknown, but the group is believed to have reused passwords obtained from earlier breaches of MySpace, LinkedIn and other services.

After the Enigma Project compromise, an unknown hacker or group of hackers managed to steal 1,487.9 in cryptocurrency (about $475,000). The attackers changed the HTTP address and tricked the victims into sending their cryptocurrency to an Ethereum wallet under the attackers’ control. The total amount of money stolen via this platform exceeds $225 million.

On August 22, Proofpoint researchers detected a new ransomware family and dubbed it Defray. The malware is spread via Microsoft Word documents attached to emails. Use of the ransomware was observed twice: on August 15, in an attack against the Healthcare and Education verticals, and a week later, on August 22, targeting the Technology and Manufacturing verticals.

Three days later, Proofpoint observed activity by Deputy Dog (also known as APT17) in spearphishing attacks. The hackers were sending malicious emails with the subject line "Wanna see the Game of Thrones in advance?", an attached file "game of thrones preview.docx" and a link to a fake video. Once opened, the document executes a malicious PowerShell script and begins installation of the “9002” remote access Trojan (RAT).

The same 9002 RAT was earlier used in Operation Aurora, Operation Ephemeral Hydra and attacks against Asian countries.

Hackers also reached British clinics and stole confidential data of 1.2 million patients. SwiftQueue confirmed the data breach but pointed out that the hackers compromised only 32,500 “lines of administrative data”, including personal information such as names, dates of birth, phone numbers and email addresses. According to the company, the group did not manage to access medical records or passwords, which were safely encrypted. According to Anonymous, however, they stole 11 million records as well as passwords.

On Friday, August 25, unknown attackers compromised NHS Lanarkshire and caused a small number of procedures and appointments to be cancelled. It later became known that the hackers used a new type of ransomware, a programme called Bitpaymer. The malicious software locks files, demands a ransom in cryptocurrency and threatens the victim if no payment is made.

On August 22, the hotel booking service Groupize reported a corporate data leak. The incident took place on August 9 and was discovered by Kromtech Security Center researchers. The hackers stole around 3,000 documents containing contracts between hotels, customers or Groupize, as well as credit card payment authorization forms (with full card numbers, expiration dates and CVV codes).

On August 22, the Russia-linked hacking group Fancy Bear published on its website medical data of footballers who had allegedly used doping. The information had previously been stolen from FIFA governance emails.

The released data show the results of UK Anti-Doping controls in 2015. The number of players caught doping in 2015-2016 amounts to 350. Some of them used not only doping but also recreational drugs.

Fancy Bear stated that it had obtained the data from various sources and accused the officials of lying that football “is free of doping”.

The published files also contain names of Carlos Tevez, who has played for Manchester United, Manchester City and West Ham, former Chelsea and United playmaker Juan Sebastian Veron and ex-United defender Gabriel Heinze.

On August 22, researchers at ISSP Labs detected a new wave of cyberattacks in Ukraine. Unknown hackers compromised the web server of the Ukraine-based accounting software firm Crystal Finance Millennium and were spreading, via phishing emails, links to malware hosted on this server.

Victims of the ransomware were instructed to send the ransom to a specific Bitcoin wallet. The first entry was noticed on August 15, which suggests that the attack took place in the middle of August or slightly earlier.

The researchers also noted that the hackers used three different malicious payloads: a downloader called Smoke Loader (aka Dofoil), a banking trojan called Chthonic, and a piece of ransomware called PSCrypt (previously seen in Ukraine).

On the morning of August 24, DreamHost reported a DDoS attack against its website by unknown hackers.

As previously reported, the Department of Justice recently accused DreamHost of hosting content used to plan riots on President Donald Trump's inauguration day and demanded that the host of controversial sites hand over the logs of visitors to DisruptJ20 (an anti-Trump website). DreamHost refused to provide the requested information, explaining that it could be used to compile an extensive list of Trump’s opponents.

WannaCry malware was recently observed again, this time in LG self-service kiosks in South Korea. On Monday, August 21, the company confirmed that the malicious code causing some terminals to slow down was in fact a WannaCry variant.

After detecting the attack on August 14, LG Electronics asked KISA (Korea Internet & Security Agency) for help. The companies did everything possible to prevent the ransomware from spreading to other parts of the organization. KISA is still investigating how WannaCry managed to infect the LG network.

On August 25-26, Japan was hit by a widespread Internet disruption starting at 03:22 UTC and lasting about 25 minutes.

At 03:23, BGPstream began publishing a large number of alerts that Google was announcing the peering LAN prefixes of several well-known Internet exchanges. This pointed to problems with Google’s BGP advertisements and indicated a BGP hijack and multiple route leaks.

The issue caused delays or blocked access to the websites and online services of dozens of organizations and ISPs from all over the world. The Internal Affairs and Communications Ministry of Japan is now investigating the cause of this large-scale Internet disruption.

By Olga Vikiriuk.
