3 October 2017

Week in review: major security incidents, September 25 – October 1

Monday

-         The Guardian reported a breach at Deloitte, one of the world's "big four" accountancy firms. The attackers compromised the firm's global email server through an administrator account and stole confidential emails and plans belonging to some of its blue-chip clients. Usernames, passwords, IP addresses, architectural diagrams for businesses and health information may also have been compromised.

The breach was discovered in March 2017, but the attackers are believed to have had access to the system since October or November 2016.

-         Researchers at Trend Micro observed the first malware family to exploit the Dirty COW Linux kernel vulnerability (CVE-2016-5195) on Android: it uses the exploit to gain root privileges and then plants a backdoor on the device. More than 5,000 users in 40 countries were affected.

The malware, dubbed ZNIU, was found in over 1,200 malicious applications; its Dirty COW exploit only works on Android devices with 64-bit ARM/x86 architectures. On devices with 32-bit processors, ZNIU instead falls back to the KingoRoot rooting application and the Iovyroot exploit to obtain root access.

Tuesday

-         Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, suffered a payment-card breach. An unknown number of credit and debit card accounts were stolen and put up for sale in underground cybercrime stores.

The first signs of the attack at Oklahoma City-based Sonic were observed by a Kromtech researcher. Last week, multiple financial institutions began reporting fraudulent transactions on cards that had previously been used at Sonic.

-         Hackers from North Korea reportedly compromised the website of a South Korean defense company and stole self-ejection technology used for launching ballistic missiles from submarines. The attackers may also have obtained drawings of a submarine prototype due to enter service in 2020.

-         Researchers at Kaspersky Lab revealed a targeted cyberattack that used a modified exploit for CVE-2015-1641, a Microsoft Office memory corruption vulnerability. It spread via malicious RTF documents and was dubbed Microcin after microini, one of the malicious components it uses.

The researchers found that the malicious documents were sent only to visitors of forums dedicated to obtaining subsidized housing for Russian military personnel and their families.

The malware mainly collects .doc, .ppt, .xls, .docx, .pptx, .xlsx, .pdf, .txt and .rtf files, which are then packed into a password-protected archive and uploaded to a remote server.

-         Security experts at Malwarebytes Labs discovered a cyber espionage attack targeting a Saudi Arabian government entity.

The attackers sent emails carrying an MS Word document with a malicious VBScript. Once the document is opened, the script downloads data from Pastebin (going through the configured proxy) and decodes it into two further scripts, one PowerShell and one Visual Basic. These scripts lower Microsoft Office security settings, exfiltrate data and communicate with the C&C server.
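The chain above (Office document spawning a script host, the script host reaching a paste site, and a follow-on script weakening Office macro settings) maps to a handful of host-level detections. The following Python is an added example written for this review, not code from Malwarebytes or from the page; the event fields are a simplified stand-in for Sysmon-style process, DNS and registry events, the sample events are constructed, and the registry value names (VBAWarnings, AccessVBOM) are the Office macro settings such scripts commonly tamper with rather than values reported on the page.

```python
"""Toy detection pass for an Office -> VBScript -> PowerShell attack chain.

Added example; the Event layout is an assumed simplification of Sysmon
process-creation (EID 1), DNS (EID 22) and registry (EID 13) events.
"""
from dataclasses import dataclass
from typing import Iterable, List

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
PASTE_SITES = {"pastebin.com"}
# Values under HKCU\Software\Microsoft\Office\<ver>\<app>\Security that lower
# macro protection: VBAWarnings=1 enables all macros without a prompt,
# AccessVBOM=1 lets code programmatically access the VBA project object model.
WEAKENING_VALUES = {"vbawarnings": "1", "accessvbom": "1"}


@dataclass
class Event:
    kind: str            # "process", "dns" or "registry"
    image: str           # process that generated the event
    parent: str = ""     # parent image (process events)
    cmdline: str = ""    # command line (process events)
    query: str = ""      # queried hostname (dns events)
    target: str = ""     # registry value path (registry events)
    value: str = ""      # new registry data (registry events)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'WINWORD.EXE' -> 'winword.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event]) -> List[str]:
    """Return one alert string per suspicious event, in event order."""
    alerts: List[str] = []
    for ev in events:
        if ev.kind == "process":
            parent, image = _base(ev.parent), _base(ev.image)
            if parent in OFFICE_PROCS and image in SCRIPT_HOSTS:
                alerts.append(f"office-spawns-script-host: {parent} -> {image}")
            elif parent in SCRIPT_HOSTS and image in SCRIPT_HOSTS:
                # e.g. wscript.exe launching powershell.exe for the second stage
                alerts.append(f"script-host-chain: {parent} -> {image}")
        elif ev.kind == "dns":
            if _base(ev.image) in SCRIPT_HOSTS and ev.query.lower() in PASTE_SITES:
                alerts.append(f"script-host-contacts-paste-site: {_base(ev.image)} -> {ev.query}")
        elif ev.kind == "registry":
            path = ev.target.lower()
            name = path.rsplit("\\", 1)[-1]
            if "\\office\\" in path and "\\security\\" in path \
                    and WEAKENING_VALUES.get(name) == ev.value:
                alerts.append(f"office-macro-security-weakened: {name}={ev.value} by {_base(ev.image)}")
    return alerts


# Constructed sample telemetry, not taken from a real incident.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\wscript.exe",
          parent=r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
          cmdline="wscript.exe //E:vbscript stage1.vbs"),
    Event("dns", image=r"C:\Windows\System32\wscript.exe", query="pastebin.com"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wscript.exe",
          cmdline="powershell -nop -w hidden -enc ..."),
    Event("registry", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", value="1"),
    Event("process", image=r"C:\Windows\explorer.exe",
          parent=r"C:\Windows\System32\userinit.exe"),   # benign, should not alert
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Each rule on its own is noisy in some environments (administrators do run PowerShell from script hosts); the value is in correlating them on one host within a short window, which the ordered alert list makes straightforward to do in a SIEM.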

Thursday

-         Amadeus stated that it experienced a "network problem" on Tuesday morning. A glitch in its booking and check-in system disrupted operations at many airports around the world.

Saturday

-         Unknown attackers compromised the R6DB service website, wiped the company's database with an automated bot and left a ransom note demanding payment.

An R6DB spokesperson said the database was hit because remote connections to it had been left enabled, and that some data was lost for good. Since the staff never stored any personal data on Rainbow Six Siege players, the database contained only player statistics.

Sunday

-         Attackers disrupted the Ethereum-based Etherparty initial coin offering (ICO) after compromising its website. They planted a specially crafted link that caused investors to send their funds to a wallet controlled by the attackers.

Etherparty's website administrators detected the attack 15 minutes after it began and took the site offline. It was restored 95 minutes later and the ICO continued.

Neither the number of affected users nor the amount taken by the attackers is currently known. Nevertheless, Etherparty promised to compensate "all affected contributors for the inconvenience". Contributors who checked the destination address against the one published through a separate, independent channel would not have been caught by the swapped link.

By Olga Vikiriuk
Analyst at Cybersecurity Help
