26 September 2017

Week in review: major security incidents in September 18-24

Week in review: major security incidents in September 18-24


-         Coldshell, a malware analyst for Stormshield, revealed a new variant of Locky ransomware, adding an .ykcol extension to the encrypted files.

The malware is distributed via spam emails. The victim receives a message with a subject line of Status of invoice containing 7zip attachment. This attachment includes .vbs file that downloads Ykcol ransomware from remote server and executes it.

Yet researchers haven’t found any way to decrypt encrypted files without paying ransom that amounts to .25 BTC (about $1025 USD).

Moreover, Locky doesn’t work alone. TrendMicro in its blog reported about discovery of new spam campaigns delivering double portion of ransomware – Locky and FakeGlobe. Through the use of such way of infection attackers can encrypt files a few times. Therefore, the victim will have to pay twice for its decryption.

Later, on September 21, the security campaign notified about new wave of attacks, targeting millions of users from India, US, Japan, Mexico, Russia, China, and Chile.

-         Experts from SfyLabs detected a new Android banking Trojan Red Alert 2.0.

When the user opens banking or social media app, the malware displays HTML-based overlay on top of the original app showing an error and requiring reauthentication. Red Alert collects the victim’s credentials and delivers them to its C&C server that allows attackers to access valid bank accounts to perform rascally transactions or social media apps to spread spam. Moreover, Trojan is also able to obtain contact list from the device and control SMS function.

Red Alert author actively develops the malware: new HTML overlays are created every 2 days. On hacking forums Trojan is available for rent for $500.

-         Experts for Kromtech Security Center found a public repository containing 540,642 accounts for car tracking devices in Amazon S3 bucket. The uncovered data belongs to SVR Tracking (company that specializes in “vehicle recovery») and contains logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data.

Kromtech revealed the issue on September 18 and notified SVR on September 20.


-         Chris Vickery, security expert for UpGuard found about 1 Gb of confidential data in public access. Revealed information belongs to Viacom Inc., the owner of Paramount Picture, MTV, Comedy Central and Nickelodeon.

According to Viacom executives, there are no evidence that data were reached by any malicious users otherwise the attackers might be able to perform devastating attacks against Viacom and its affiliates.

-         Irish National Teachers Organization (INTO) notified RTE about data breach, which affected about 30,000 Irish teachers. The organization informed all users, whose materials were stolen and assured that no financial information (credit-card data or passwords) were accessed.

On the basis of preliminary investigation, performed by Office of the Data Protection Commission of Ireland, the hackers may have used the compromised server as a platform for sending out spam messages.


-         Lawrence Adams, a founder of Bleepingcomputer, discovered a variant of CryptoMix, appending .SHARK extension to the encrypted files. The malware uses 11 public RSA-1024 encryption keys and can function without Internet connection.

-         The top U.S. markets regulator informed about disclosure of the Securities and Exchange Commission (SEC) database. SEC stated that attack dates back to 2016 but massive data leak was revealed just last month ago.

Hackers accessed non-public confidential information by exploiting a vulnerability in the test filing component of the system. Stolen data were used for insider-trading or manipulating U.S. equity markets.


-         Researchers at MalwareHunterTeam detected a special kind of malware, called nRansom. When infected the system, ransomware shows a warning about file encryption and demands unusual ransom: at least 10 nude photos. The pop-up window is made up of several images of the fictional children's character Thomas the Tank Engine and a smiley face with the writing "FUCK YOU!!!". On the background plays a looped music – from a file called your-mom-gay.mp3 that is actually the Curb Your Enthusiasm theme song. Security experts aren’t sure whether this ransomware isn’t prank.

-         National Bank of Canada reported about improper functioning of its website that might lead to exposure of data of about 400 clients. Some customers’ data were accessible for other customers when they were filling the electronic form on the bank's website. The issue occurred due to improper setting of the form.


-         Due to unknown error Adobe staff published in PSIRT blog a private PGP-key. After detection of breach by security researcher Juho Nurminen, Adobe published a modified public key. Experts believe that leaked key wasn't accessed by any malicious user.

-         US Department of Homeland Security informed that election systems in 21 states were targeted by hackers during 2016. After durable investigation experts say that attackers were able to steal only small amount of data.

In last September US government has already reported about attempts to influence election system in about 20 states. Multiple intelligence agencies suspect the Russian government.


-         Data of SMART Physical Therapy patients were compromised by TheDarkOverlord. Attackers managed to access the information stored in Patterson PTOS software because of use of weak passwords.

-         Anonymous Greece performed a DoS attack against the Greek auctioning government website for the sale of debtors' houses. The website was inaccessible for 10 hours. Hacking group on its Facebook page published a message to Greek government protesting against foreigners who purchase houses of poor Greeks.


-         A Russian-based hacking group Fancy Bear (APT28) exploits an unpatched vulnerability in Google Accelerated Mobile Pages (AMP) to disguise malicious websites and perform phishing attacks to access accounts of Gmail users.

The attacks mostly target journalists who investigate law violations performed by people from Russian government.

By Olga Vikiriuk
Analyst at Cybersecurity Help

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in Asterisk
Medium Patched | 24 Sep, 2018
Multiple vulnerabilities in MediaWiki
Low Patched | 21 Sep, 2018
Remote code execution in Microsoft Jet Database
High Not Patched | 21 Sep, 2018
Remote code execution in Mozilla Firefox
Medium Patched | 21 Sep, 2018
Multiple vulnerabiltiies in Mozilla Firefox ESR
Medium Patched | 21 Sep, 2018