18 September 2017

Week in review: major security incidents in September 11-17

Week in review: major security incidents in September 11-17


-         FireEye in its report announced about increase of attacks against cryptocurrency exchanges performed by hackers from North Korea. Researchers for the cybersecurity company have been observing hackers’ activity since 2016. During this time malicious users compromised 4 wallets in Yapizon, 3 cryptocurrency exchanges in North Korea, British news portal.

A hacking group TEMP.Hermit, supposedly related to North Korean government is under suspicion.

-         Researchers for Checkpoint Gal Elbaz and Dvir Atias discovered a new method allowing any ransomware to bypass modern security products. The technique, dubbed Bashware, takes advantage of the WSL (Windows Subsystem for Linux) mechanism and runs ELF an EXE malicious payloads to bypass next-generation anti-viruses and anti-ransomware.

-         For past 2 months WordPress websites have been spreading a new backdoor.

A malicious code was detected in Digital Widgets plugin for WordPress. Until the malicious code was revealed, about 200,000 users, having installed the plugin, became affected. The backdoor tracked information on the system and passed to external servers.

Investigations performed by security expert David Law and companies White Fir Design and Wordfence showed that the man behind plugin spam was the Briton Mason Soiza. He bought the plugin May 19, 2017, for $15,000 and developed new affected versions during all this time.


-         Sophos revealed a new RAT, dubbed Kedi. Trojan has been delivered during phishing attacks in Gmail and used malicious payloads pretending to be a Citrix utility.

Kedi’s noticeable feature is the ability to communicate with its C&C via Gmail, DNS and HTTPS requests.

-         Security experts detected 8 BlueBorne vulnerabilities, targeting over 5 billion users. The issue affects the Bluetooth implementations in Android, iOS, Microsoft, and Linux and allows a remote attacker to compromise the system via Bluetooth.

-         LinkedIn again became the victim of malicious activity. Experts for MalwareBytes reported that attackers used previously hacked long standing and trusted accounts to spread phishing messages containing a shared document and malicious link via the InMail feature. When following the link, the victim is redirected to a phishing site for Gmail or other email providers which require registration. The total number of compromised accounts is currently unknown.

-         A popular Netherlandish cryptocurrency exchange LiteBit.eu became the subject of cyberattack for the second time. The first issue dates back to August 5.

Eventually, hackers accessed customers’ personal information (email address, hashed password, IBANs, phone number, address and portfolio data) while no bitcoin was stolen. Litebit site administration reported that they have already called to the police and the Dutch Data Protection Authority for investigation.

-         During customer beta testing of Cisco Talos new exploit detection technology, the security experts identified a two-stage backdoor in CCleaner v5.33. The compromised version was distributed by Avast from official website repository. It was signed using a valid certificate that was issued to Piriform Ltd. (former owner of CCleaner). The incident was detected on September 12. A total level of the malicious impact is mega-huge. As of November 2016, a number of CCleaner downloads amounted over 2 billion and is increasing by about 5 million new users every week.


-         Russian-speaking hackers were observed to use a new variant of the RouteX malware to infect Netgear routers and perform attacks against Fortune 500 firms.

The malware was uncovered and analyzed by the researchers at US-based cybersecurity firm Forkbombus Labs. Experts suggest that the revealed issue is connected with Russian hacker, dubbed Links.


-         Kromtech discovered a publicly available database containing confidential information of 593 328 citizens (Alaska voters). The database belongs to TargetSmart, a leading provider of political data and technology. The issue occurred due to CouchDB misconfiguration.

According to TargetSmart, data leak happened because of improper data protection by Equals3, an AI software company based in Minnesota. Equals3 chief executive Dan Mallin stated that there is no evidence that information was revealed by anyone except Kromtech experts.

-         OurMine continues to damage popular services. This time hacking group compromised an American multinational video hosting service Vevo. Attackers published over 3 TB of office documents, videos and promotional materials. Vevo representatives confirmed the leak and suggested that data were stolen in a result of phishing attacks targeting LinkedIn.

-         Experts for the Slovak National Security Office (NBU) discovered ten malicious libraries in Python code, uploaded on PyPI repository. Due to the service does not perform any security checks during new data upload, the malevolent packages have been active since June till September of the current year.

Hackers used typosquatting technique to upload malicious Python libraries with the installation script, setup.py containing a benign code.

The malicious code collects such data as name and version of the fake package, the username of the user who installed the package, the user's computer hostname and sends it to a Chinese IP address at "".


-         The Swiss Government informed about a cyberattack against Swiss Defense Ministry. The incident was revealed in July. Experts found that hackers were using software referring to Turla malware family.

The government doesn’t disclose details of the attack origin and actual damage it caused.

By Olga Vikiriuk

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in Asterisk
Medium Patched | 24 Sep, 2018
Multiple vulnerabilities in MediaWiki
Low Patched | 21 Sep, 2018
Remote code execution in Microsoft Jet Database
High Not Patched | 21 Sep, 2018
Remote code execution in Mozilla Firefox
Medium Patched | 21 Sep, 2018
Multiple vulnerabiltiies in Mozilla Firefox ESR
Medium Patched | 21 Sep, 2018