8 November 2017

Week in review: major cybersecurity incidents in October 30 – November 5

Week in review: major cybersecurity incidents in October 30 – November 5

Last week we have observed 10 major cybersecurity incidents, involving data breaches affecting personal data of 50,000 Australian employees and 46.2 mln Malasian mobile subscribers, financial losses in London galleries, malicious activities with Silence Trojan and InPage word processor. Below is the list of the most noticeable cybersecurity incidents along with brief description and commentary.


-         Lowyat.net confirmed that mobile phone numbers of 46.2 mln subscribers from all major mobile carriers in Malasia have been leaked online. Except mobile numbers, revealed information also included the login names, nationality, and hashed passwords leaked from Jobstreet.com, Malaysian Medical Association, and Malaysian Housing Loan Applications websites.

The breach supposedly occurred between 2014 and 2015.

-         The Investigative Committee of the Republic of Belarus has finished the investigation concerning a criminal case regarding embezzlement of $1.5 mln from banks in Belarus, Kyrgyzstan and Azerbaijan.

A 29 years-old malicious actor from Moldova and Russian Federation uploaded a ransomware to access and gain full control over the banking systems. Then he selected people who were supposed to take money out of compromised ATMs in different countries.


-         South Korean opposition lawmaker suspected North Korea of Daewoo Shipbuilding & Marine Engineering Co Ltd’s (042660.KS) hack in April 2016. As a result of attack North Korea possibly stole South Korean warship blueprints used for building warships, including an Aegis-class vessel and submarines.

Kyung Dae-soo of the main opposition Liberty Korea Party said he was absolutely sure of North Korea being involved in the attack.

Investigations showed that the hacking method used to target Daewoo Shipbuilding was very similar to other attacks that North Korea was thought to be behind.

-         Kaspersky Lab identified a new Trojan stealing cryptocurrency from users' cryptocurrency wallets, dubbed CryptoShuffler. Trojan is aimed at Bitcoin, Ethereum, Zkash, Dash, Dogecoyne and other cryptocurrencies.

CryptoShuffler is an example of a secret malware that attempts not to give itself away and not to influence the performance of the infected system whenever it's possible. This Trojan analyzes data that gets to the clipboard. After identification of a cryptocurrency wallet address, CryptoShuffler replaces it with another. As a result, the victim sends money to the hackers.

-         Security experts for Seekurity detected a Javascript-miner on the official D-Link website (dlinkmea.com). The miner allows to mine cryptocurrency Monero just in the user's web browser.

The issue was revealed on October 10 after a Facebook user Ahmed Samir reported about a super high CPU usage when visiting D-LINKMEA (D-Link Middle East website).


-         Researchers for Kaspersky Lab discovered a new targeted attack on not only Russian but also Malasian and Armenian financial institutions. The attack is dubbed “Silence” due to the Silence Trojan the hackers used.

The malicious actors were spreading spear-phishing emails containing "Microsoft Compiled HTML Help" file to gain a longstanding access to an internal banking network for making video recordings, learning how everything works and using required knowledge to steal as much money as possible.

The similar attack technique was previously observed in Carbanak and other hacking groups.


-         A Polish security researcher going by the moniker “Wojciech” found the personal details of almost 50,000 Australian employees of several government agencies, banks and a utility exposed online. Revealed data (full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses) were left openly accessible as a result of a misconfigured Amazon S3 bucket.

Information exposure mostly impacted such organizations as: insurer AMP (about 25,000 staff records), utility UGL (17,000 records), Rabobank (1500 records), the Department of Finance (3000 records), the Australian Electoral Commission (1470 records), the National Disability Insurance Agency (300 records).

-         Palo Alto's Unit 42 researchers revealed a new attack exploiting vulnerability in InPage word processor program. InPage exploit files have very similar shellcode and contain variants of the CONFUCIUS_B malware family, a backdoor commonly detected as “BioData”, and a previously unknown backdoor named MY24.

The documents make the security experts suggest that the threat actors are politically or militarily motivated.

InPage as an attack vector has been observed only once by Kaspersky Lab in 2016.


-         Along with attacks of Bad Rabbit malware, Ukrainian organizations suffered from a powerful hidden phishing campaign. Hackers were sending phishing emails allegedly on behalf of the software developer. The campaign was mostly aimed at users of the 1C platform.

The head of the Ukrainian cyber police, Sergei Demedyuk stated that hackers were trying to gain "remote invisible access" to steal financial and confidential information.

-         Wealthy Mayfair art dealers including Hauser & Wirth, and London-based dealers Simon Lee, Thomas Dane, Rosenfeld Porcini and Laura Bartlett became the victims of cyberattack.

The galleries were hit by email scams and lost between £10,000 and £1 million. The hackers gained access to the email accounts to monitor incoming and outgoing messages. Then attackers were spreading fraudulent invoices from the identical gallery email address and convincing clients to send money on the hacker's bank account.

By Olga Vikiriuk
Analyst at Cybersecurity Help

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in ImageMagick
Low Patched | 22 Oct, 2018
Multiple vulnerabilities in NAS devices
High Not Patched | 22 Oct, 2018