1 November 2017

Week in review: major security incidents in October 23-29


During the last week we observed 11 major cybersecurity events, including attacks against Ukrainian and Russian organizations and security breaches affecting the jQuery blog, the offshore firm Appleby and the underground resource Basetools. Detailed information about the most notable incidents is provided below.

Monday

- The popular browser-based service Coinhive confirmed a massive security breach. The company lets website owners embed a JavaScript snippet that uses their visitors' CPU power to mine the Monero cryptocurrency for monetisation.

An unknown actor hijacked Coinhive's DNS server and replaced the Coinhive JavaScript miner with one that mined Monero for his own cryptocurrency wallet.

The attacker accessed Coinhive's CloudFlare account, possibly by using an old password leaked in the Kickstarter data breach in 2014.

Tuesday

- Ukrainian organizations became the target of hacker attacks.
Officials of Odessa international airport and the Kyiv metro informed their customers about service glitches. Representatives of the airport announced an increase in passenger servicing time and said they were working on troubleshooting. The Kyiv metro reported a malfunction of banking services when paying with bank cards.
Marina Tomko, spokeswoman for the Ministry of Infrastructure of Ukraine, said that the department's website was temporarily unavailable because of measures taken to improve information security in response to the threat of a cyberattack. The website of the State Aviation Service was also down.

- Three Russian mass media outlets, including Interfax and Fontanka, suffered from malicious activity. According to experts from Group-IB, the three outlets were attacked with the Bad Rabbit ransomware.

- The hacking group Dark Overlord stole medical data and intimate plastic surgery pictures of celebrities from the London Bridge Plastic Surgery clinic. The attackers stated that personal data of celebrities and royal family members are at their disposal. If the hackers do not receive a ransom for the 'terabytes' of stolen information, they will make it publicly accessible.

- Security researcher Wesley Neelen discovered a phishing campaign targeting users of Myetherwallet.com, a website providing online wallets for the Ethereum cryptocurrency.

During the campaign the malicious actors stole about $15,875 in just 2 hours.

- Unknown attackers compromised the underground resource Basetools.ws, used by criminals to sell stolen credit cards, personal information and various hacking tools. The hacker compromised the website and left an anonymous message demanding a ransom of $50,000 in exchange for not sharing data on the site's administrator with US authorities such as the FBI, DHS, DOJ and the DOT (Department of Treasury).

To back up the claim, the attacker added to the message data samples taken from the stolen database (login credentials for shells, backdoors and spambots hosted on hacked sites; credentials for RDP servers; server SSH credentials; user data leaked from various breaches at legitimate sites).

The blackmailer explained that the attack was a kind of revenge, because the Basetools trading platform plays a dishonest game and manipulates the ratings of sellers.

Wednesday

- The British newspaper The Telegraph wrote about a possible massive breach of confidential data at Appleby, a Bermuda-based offshore firm. According to Appleby, the leak affected a number of the richest people in the UK. Disclosure of such data could result in the publication of the Appleby database by the International Consortium of Investigative Journalists (ICIJ) and other media organizations.

- The Central Bank of the Russian Federation and other Russian banks observed an attempt by malicious actors to hack their networks with the Bad Rabbit malware. FinCERT called the attacks unsuccessful but stated that they could continue.

Bad Rabbit can not only encrypt files but also steal account credentials from the affected system and download additional malicious modules.

Thursday

- The official blog of jQuery, one of the most popular JavaScript libraries, used by millions of sites, was hacked by attackers using the pseudonyms str0ng and n3tr1x.

There is no evidence that the jQuery server itself was compromised. The malicious actors only defaced the blog and posted a message: "There were S.O.A. Hacked by str0ng and n3tr1x. Greetings from Characteros.dll". The jQuery team removed the message immediately after the attack.

Most likely, the hackers managed to compromise the account of one of the jQuery team members, Leah Silber, using her password stolen in a data leak. It is also possible that the attackers gained unauthorized access to the website by exploiting a 0-day vulnerability in WordPress.

- Catholic Charities of Saratoga, Warren and Washington Counties warned its clients about a security breach that could lead to data compromise. The issue was first discovered on August 31 and affected about 4,600 clients.

Hackers gained unauthorized access to a computer server in the Glens Falls office and possibly stole clients' personal data, including names, addresses, dates of birth, dates of service and health condition diagnosis codes, as well as some health insurance identification numbers.

Friday

- Anonymous tried to compromise the website of the official gazette of the Spanish government, Boletín Oficial del Estado (BOE). The attack occurred at the moment when the measures taken by the council to resolve the crisis in Catalonia were due to be published there.

The attack was carried out as part of the operation "liberation of Catalonia".

By Olga Vikiriuk
Analyst at Cybersecurity Help
