9 October 2017

Week in review: major security incidents in October 2-8

Week in review: major security incidents in October 2-8


-         A group of hackers compromised the websites of the Autonomous Community of Madrid and forums related to the national police in protest after the events in the referendum on the independence of Catalonia on October 1. Although over 2 mln people spoke for independency of the autonomous community, Madrid refused to acknowledge the referendum as legitimate.

The attack is believed to be linked with international hacking group Anonymous. Attackers stated that they managed to steal pеrsonal data of police officers.

-         Kromtech Security Center experts reported that they have found ElasticSearch server, hosting private information of about 1,133 National Football League (NFL) players and their agents. The researchers firstly identified the publicly available server on September 26. Earlier this year Kromtech team also discovered over 4,000 ElasticSearch servers hosting PoS malware files.


-         FireEye warned about expanding of a new FormBook malware attack targeting mainly aerospace, defense and manufacturing vendors in the USA, Russia, India and South Korea.

The malware is on free sale and can be spread via different file types (PDFs with download links, DOC and XLS files with malicious macros, archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads).

FormBook allows to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. Total number of victims is currently unknown.

-         The Wall Street Journal accused Russian hackers of stealing U.S. cyber secrets from National Security Agency in 2015. The issue was revealed in spring 2016. WSJ believes that attackers used antivirus software from Moscow-based Kaspersky Lab to access data.

-         Disqus confirmed security breach involving 17.5 mln accounts. The incident took place in July 2012, however it became known on October 5 only. The issue was revealed and reported by Troy Hunt.

Disqus is currently investigating the security breach.

-         Researchers for Palo Alto Networks Unit 42 identified a large scale FreeMilkphishing campaign.

Security experts think the attacks have been active since at least May 2017. Hackers have been using a remote code execution vulnerability in Microsoft Office and Wordpad CVE-2017-0199 to install PoohMilk and Freenki payloads.

The main victims of the campaign are a bank based in the Middle East, trademark and intellectual property service companies based in Europe, an international sporting organisation and individuals with indirect ties to a country in North East Asia.

-         Skyhigh Networks has detected an ingenious new botnet attack against Office 365 accounts. The attack has been active since May 2017 and was dubbed ‘KnockKnock’ due to the technique, operated by hackers.

Malicious actors attack only a small amount of users (less than 2%) and reduce attempts to hack each account to 3-5 times. The crooks use small botnets composed of 83 IP addresses across 63 networks, registered in China, Russia, Brazil, US, Argentina, Gabon, Azerbaijan, Malaysia.


-         Forrester, one of the world's leading market research and investment advisory firms, announced that its service became the victim of security breach. The outside hackers stole valid Forrester.com user credentials and took over the website. No confidential client and employee data or financial information was compromised.

-         Proofpoint researchers have been observing a malicious activity by the so-called KovCoreG group for a year. Attackers were distributing Kovter and fraud malware through fake browser or Adobe Flash updates. The issue affected only users from the USA, UK, Canada and Australia.

The infection chain in this campaign appeared on PornHub and abused the Traffic Junky advertising network.


-         The security intelligence group RedLock published a report about companies having suffered from Amazon Web Services compromise. Malicious actors target AWS to mine cryptocurrency bitcoins. The hackers accessed Amazon's cloud servers as its administration consoles weren't protected with passwords. Deeper research showed that attackers "were executing a bitcoin mining command from one of the Kubernetes containers".

Among victims are multi-billion dollar, multi-national companies Aviva and Gemalto. Redlock has already informed them about the incidents but no answer has been given yet.

By Olga Vikiriuk
Analyst at Cybersecurity Help

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in Asterisk
Medium Patched | 24 Sep, 2018
Multiple vulnerabilities in MediaWiki
Low Patched | 21 Sep, 2018
Remote code execution in Microsoft Jet Database
High Not Patched | 21 Sep, 2018
Remote code execution in Mozilla Firefox
Medium Patched | 21 Sep, 2018
Multiple vulnerabiltiies in Mozilla Firefox ESR
Medium Patched | 21 Sep, 2018