18 September 2017

Week in review: major security incidents in September 11-17


- In a report, FireEye announced an increase in attacks against cryptocurrency exchanges performed by hackers from North Korea. Researchers at the cybersecurity company have been observing the hackers' activity since 2016. During this time, malicious users compromised 4 wallets at Yapizon, 3 cryptocurrency exchanges in North Korea, and a British news portal.

The hacking group TEMP.Hermit, supposedly related to the North Korean government, is under suspicion.

- Check Point researchers Gal Elbaz and Dvir Atias discovered a new method that allows any ransomware to bypass modern security products. The technique, dubbed Bashware, takes advantage of the WSL (Windows Subsystem for Linux) mechanism and runs malicious ELF and EXE payloads to bypass next-generation antivirus and anti-ransomware products.

- For the past 2 months, WordPress websites have been spreading a new backdoor.

Malicious code was detected in the Digital Widgets plugin for WordPress. Before the malicious code was revealed, about 200,000 users who had installed the plugin were affected. The backdoor tracked information on the system and passed it to external servers.

Investigations performed by security expert David Law and the companies White Fir Design and Wordfence showed that the man behind the plugin spam was the Briton Mason Soiza. He bought the plugin on May 19, 2017, for $15,000 and developed new affected versions throughout that time.


- Sophos revealed a new RAT, dubbed Kedi. The Trojan has been delivered through phishing attacks in Gmail and used malicious payloads pretending to be a Citrix utility.

Kedi's notable feature is its ability to communicate with its C&C via Gmail, DNS and HTTPS requests.

- Security experts detected 8 BlueBorne vulnerabilities, affecting over 5 billion users. The issue affects the Bluetooth implementations in Android, iOS, Microsoft, and Linux and allows a remote attacker to compromise the system via Bluetooth.

- LinkedIn again became the victim of malicious activity. Experts at Malwarebytes reported that attackers used previously hacked, long-standing and trusted accounts to spread phishing messages containing a shared document and a malicious link via the InMail feature. After following the link, the victim is redirected to a phishing site imitating Gmail or other email providers that require registration. The total number of compromised accounts is currently unknown.

- The popular Dutch cryptocurrency exchange LiteBit.eu became the target of a cyberattack for the second time. The first incident dates back to August 5.

In the end, the hackers accessed customers' personal information (email address, hashed password, IBANs, phone number, address and portfolio data), while no bitcoin was stolen. The LiteBit site administration reported that they have already contacted the police and the Dutch Data Protection Authority for investigation.

- During customer beta testing of Cisco Talos' new exploit detection technology, security experts identified a two-stage backdoor in CCleaner v5.33. The compromised version was distributed by Avast from the official website repository. It was signed using a valid certificate issued to Piriform Ltd. (the former owner of CCleaner). The incident was detected on September 12. The potential scale of the malicious impact is huge: as of November 2016, the number of CCleaner downloads amounted to over 2 billion and was increasing by about 5 million new users every week.


- Russian-speaking hackers were observed using a new variant of the RouteX malware to infect Netgear routers and perform attacks against Fortune 500 firms.

The malware was uncovered and analyzed by researchers at the US-based cybersecurity firm Forkbombus Labs. Experts suggest that the issue is connected with a Russian hacker known as Links.


- Kromtech discovered a publicly available database containing confidential information on 593,328 citizens (Alaska voters). The database belongs to TargetSmart, a leading provider of political data and technology. The issue occurred due to a CouchDB misconfiguration.

According to TargetSmart, the data leak happened because of improper data protection by Equals3, an AI software company based in Minnesota. Equals3 chief executive Dan Mallin stated that there is no evidence that the information was revealed by anyone except Kromtech experts.

- OurMine continues to damage popular services. This time the hacking group compromised Vevo, an American multinational video hosting service. The attackers published over 3 TB of office documents, videos and promotional materials. Vevo representatives confirmed the leak and suggested that the data were stolen as a result of phishing attacks targeting LinkedIn.

- Experts at the Slovak National Security Office (NBU) discovered ten malicious Python libraries uploaded to the PyPI repository. Because the service does not perform any security checks when new data is uploaded, the malicious packages were active from June until September of the current year.

The hackers used the typosquatting technique to upload malicious Python libraries with the installation script, setup.py, containing benign code.

The malicious code collects data such as the name and version of the fake package, the username of the user who installed the package, and the hostname of the user's computer, and sends it to a Chinese IP address at "".


- The Swiss Government reported a cyberattack against the Swiss Defense Ministry. The incident was revealed in July. Experts found that the hackers were using software related to the Turla malware family.

The government has not disclosed details of the attack's origin or the actual damage it caused.

By Olga Vikiriuk
