24 October 2017

Week in review: major security incidents in October 16-22


During the last week we detected 15 major cybersecurity incidents, among them the KRACK attacks, the massive data breach in South Africa and the hack of the cryptocurrency exchange Bithumb. The week also saw malicious activity by hacking groups such as APT28, Anonymous, Black Oasis and Leviathan. The most notable cybersecurity events of the past week are listed and described below.


-         BW Group confirmed that it became a victim of a cyberattack in July 2017. In summer, hackers managed to gain unauthorized access to the organization's computer systems. The BW Group IT department has already taken actions to rectify the matter.

-         Mathy Vanhoef of imec-DistriNet at KU Leuven revealed a serious weakness in the WPA2 protocol affecting Wi-Fi networks all over the world. The weakness can be exploited using Key Reinstallation Attacks (KRACKs).

The attack targets the 4-way handshake of the WPA2 protocol. KRACK allows attackers to steal or manipulate personal data that was believed to be safely encrypted.

-         Bithumb, the largest cryptocurrency exchange in South Korea and the world, suffered a security breach that affected 30,000 users. An anonymous hacking group sent phishing emails to Bithumb employees, gained control over Bithumb's systems and compromised users' sensitive personal and financial information.

The cryptocurrency exchange was also hacked in June 2017. That incident resulted in the loss of $1 million in cryptocurrency funds.

FireEye security researchers believe that such incidents are the work of North Korean hackers.

-         Proofpoint experts observed an increase in the activity of the hacking group Leviathan. The group regularly conducts campaigns distributing malware to steal confidential data from maritime industries, naval defense contractors and associated research institutions in the US and Western Europe.

The hacking group has been active since at least 2014. Over the last two months, however, it has been exploiting two zero-day vulnerabilities, CVE-2017-8759 and CVE-2017-0199, and spreading the NanHaiShu trojan to target companies engaged in the construction of warships, submarines and other naval vessels.

-         Adobe released a patch for the zero-day vulnerability CVE-2017-11292, which has been exploited by several hacking groups.

According to Kaspersky Lab, the vulnerability has been used by the Middle Eastern hacking group Black Oasis to deliver the FinSpy spyware. To exploit the vulnerability, attackers have been sending out MS Office documents with an embedded ActiveX object.

On October 19, experts from Proofpoint identified that CVE-2017-11292 was also exploited by APT28 (also known as Sofacy or Fancy Bear) to distribute the DealersChoice malware to government agencies and private companies in the US and Europe related to the aerospace industry.


-         Information security researcher Troy Hunt discovered the largest data breach in South Africa. Over 30 million unique personal records, including South African ID numbers, have been leaked on the Internet. The exposed information contains data from at least as far back as the early 1990s.

The breach presumably dates to March 2017. Hunt suggested that Dracore Data Sciences, a South African company specializing in data acquisition and processing, may be the source of the leaked database.

-         Researchers at Symantec detected a new version of the Necurs botnet spread via malicious emails. This variant of the downloader has functionality atypical for the botnet: it gathers information about the affected device, takes a screenshot, sends it to the remote server and installs the Locky ransomware (Ransom.Locky) or Trickybot (Trojan.Trickybot).


-         Customers of Domino’s Australia reported on Facebook and Twitter that they have been receiving spam emails. The pizza chain asked the Australian Information Commissioner to investigate the breach of customer personal data. The company stated that it has not been compromised and that the problem lies in a “former supplier’s systems”; Domino’s stopped working with that supplier in July 2017.

Domino’s Australia has not reported the actual date of the incident but says the investigation is still ongoing.

-         Security experts from Trend Micro uncovered a new ransomware distributed by the Magnitude exploit kit. Magniber (detected as RANSOM_MAGNIBER.A and TROJ.Win32.TRX.XXPE002FF019) is targeting South Korea via malvertisements on attacker-owned domains/sites. The Magniber payload checks the language of the infected system and executes fully only if the installed language is Korean.


-         ESET researchers published an alert about the Eltima Software hack. The applications the company provides (the free Elmedia Player and the Folx download manager) were trojanized with the OSX/Proton malware. The Trojan is able to steal cookies, history and credentials stored in browsers, SSH keys, information about cryptocurrency wallets, Tunnelblick VPN settings, PGP keys and data from 1Password and the macOS keychain.

Hackers gained access to the server through a vulnerability in the tiny_mce JavaScript library.

Eltima Software commented that only users who downloaded the software on October 19 are affected.

-         The Department of Homeland Security and the Federal Bureau of Investigation warned about attacks that have been targeting the nuclear, energy, aviation, water and critical manufacturing industries, along with government entities, since at least May 2017. The main aims of the hackers are to compromise organizational networks and steal credentials for accessing computer networks.

Symantec researchers determined that attackers are "potentially politically motivated" to conduct attacks against companies in Turkey and the USA.

-         Whole Foods Market informed customers that about 100 of its locations across the United States suffered a security breach in September. According to the company, the largest number of affected locations is in California.

The company discovered unauthorized access to some payment systems on September 23. Further investigation showed that some stores had already been affected on March 10. The malicious actors were spreading malware to collect credit cardholder names, account numbers, card expiration dates and internal verification codes. Transactions on Amazon.com have not been impacted.


-         The Czech Statistical Office (Český statistický úřad) became the target of "large-scale and complex" DDoS attacks during the counting of votes in the elections to the lower house of parliament. The attackers took the volby.cz and volbyhned.cz sites offline. However, they failed to compromise the infrastructure used for counting votes and the subsequent independent data processing. The effects of the attacks were fully remediated and normal operation of the resources was restored.


-         Cisco Talos found a new malicious campaign conducted by the well-known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear). This time the hacking group turned its focus toward participants of the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 in Washington, D.C. Unlike in previous campaigns, the attackers spread a new variant of Seduploader via flyer documents that contained not a zero-day vulnerability or Office exploit but a malicious Visual Basic for Applications (VBA) macro.

-         As part of the operation "liberation of Catalonia", the international hacking group Anonymous attacked the People's Party and three ministries of Spain. In this way the attackers protested the Spanish authorities' application of Article 155 of the Constitution to suspend Catalonia's autonomy.

First the attackers blocked access to the website of the country's Constitutional Court. Then the websites of the ministries of economy, development and justice, as well as the web page of the People's Party, were hacked.

By Olga Vikiriuk
Analyst at Cybersecurity Help
