14 November 2017

Week in review: major cybersecurity incidents in November 6-12

Week in review: major cybersecurity incidents in November 6-12

Last week we have observed 10 major cybersecurity incidents, involving security and data breaches in US-based ride hailing firm Fasten and the Ethereum-wallet Parity, new APT activities from Sowbug, OceanLotus (also known as APT32), APT28 (or Fancy Bear). Below is the list of the most noticeable cybersecurity incidents along with brief description and commentary.


-         Security experts for Volexity reported malicious activity of the hacking group OceanLotus (also known as APT32). The threat actors managed to compromise over 100 websites including official website of Philippines president Rodrigo Duterte.

Most of the sites attacked by the group belong to organizations and private individuals from Vietnam. The remaining sites belong to organizations located in countries bordering on Vietnam or the Philippines. Among hacked organizations were the Association of Southeast Asian Nations (ASEAN), several ministries in Cambodia and Laos, the Chinese company BDStar, China National United Oil Corporation and other oil and gas companies, as well as the official website of the Armed Forces of the Philippines.

According to the researchers, hackers compromised sites of strategic importance for the subsequent implementation of cyberattacks.

-         An unknown user Devops199 accidentally exploited a vulnerability in the source code of the Ethereum-wallet Parity that led to "freeze" of other users' accounts. The problem impacted 71 cryptocurrency wallets containing about $ 285 million.

Parity developers are aware of the problem and have already released a patch. The vulnerability affects only multi-user wallets created after July 20 this year.


-         Symantec detected a cyber espionage campaign targeting government organizations in Brazil, Peru, Ecuador, and Argentina. Security experts suppose the campaign has been conducted by a nation-state APT group Sowbug.

The group is aimed at gathering foreign policy information from diplomatic and government entities in the region. Besides, malicious actors also targeted organizations in Southeast Asia and broken into government organizations in Brunei and Malaysia.

Sowbug activity was identified in March 2017 when Symantec discovered a brand new backdoor Felismus being used against South East Asia. To reduce chances to be caught Sowbug developed its own sophisticated malware and worked only beyond working hours.

The hacking group has been firstly revealed in 2015, when it was trying to steal documents from a division of the ministry that was responsible for foreign relations with a nation in the Asia-Pacific region. The campaign has been lasting for 4 months (between May and September) and all this time hackers remained undetected.

-         McAfee Advanced Threat Research analysts observed a well-known hacking group APT28 (or Fancy Bear) exploiting a recently disclosed technique involving Microsoft Office documents and a Windows feature called Dynamic Data Exchange (DDE).

The campaign supposedly started on October 25.

Hackers were spreading a first-stage malware Seduploader via the document referencing the New York City attack. Malicious actors were also using documents referencing Saber Guardian, a multinational military exercise conducted by the U.S. Army in Eastern Europe in an effort to deter an invasion (by Russia) into NATO territory.

-         Analysis from Trend Micro showed that the cyber espionage group "Tick" (also known as Bronze Butler or REDBALDKNIGHT) is using steganography to avoid their backdoor Trojan detection. Stenography helps not only to bypass firewalls but also change second-stage C&C communication.

The threat actor prefers such tools as the downloader Gofarer and the data-stealing Trojan Daserf. The China-based group mostly targets Japanese government agencies and organizations in the biotechnology, electronics manufacturing, and industrial chemistry sectors. Daserf was currently used in attacks against organizations in South Korea, Russia, Singapore, and China.


-         Security experts for Avira Virus Lab identified a new variant of Locky ransomware. This time was spreading via Microsoft Word and Libre Office documents. The hackers trick the victim into double-clicking the image file (envelope) placed in the bait document, infect the system and encrypt all files on it.

During the last weeks developers of the Locky ransomware began to use new attack techniques to evade detection. One of such techniques is the use of the Dynamic Data Exchange (DDE) protocol that allows transfer data between applications.


-         Researchers for Trend Micro spotted a new Android malware using Toast Overlay Attack. TOASTAMIGO leverages vulnerability CVE-2017-0752 and affects all versions of Android OS except the latest (8.0/Oreo).

TOASTAMIGO is contained into legitimate Android apps. When installed on the device the affected application asks for Accessibility permissions for it to work. After getting such permissions TOASTAMIGO is able to perform arbitrary actions or commands and install its another variant AMIGOCLICKER.


-         Kromtech Security Center researchers discovered information leak affecting million customers of the US-based ride hailing firm Fasten. The company currently operates in Austin, Texas and Boston, Massachusetts.

Breached data include consumers' names, emails, phone numbers, credit card data, links to photos, device IMEI numbers, GPS data and users’ taxi routes.

According to Kromtech the exposure occurred due to unsecured Apache Hive database. Revealed information can be used by hackers to spy on people monitoring everyday routine and activities.

-         One of the Sweden's most popular radio stations Mix Megapol was hijacked by unknown user to spread ISIS propaganda. A pirate transmitter has been broadcasting the ISIS recruitment song 'For the sake of Allah' for about 30 minutes. The incident was revealed only after the listeners began to call the radio station with claims.

It's still unknown whether ISIS was trying to recruit people in the Malmo area into the terrorist group or it was just a joke.

-         Muslim hactivists Di5s3nSi0N attacked the Amaq news agency (a terrorist organization banned in the Russian Federation). Hackers also published the list including email addresses of almost 2,000 subscribers of the resource. The issue took place just 3 hours after Amaq stated that their e-mail service is almost impossible to hack.

The Di5s3nSi0N attack was carried out as part of the #silencetheswords campaign aimed at hacking resources related to the ISIS.

By Olga Vikiriuk

Analyst at Cybersecurity Help

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in ImageMagick
Low Patched | 22 Oct, 2018
Multiple vulnerabilities in NAS devices
High Not Patched | 22 Oct, 2018