27 November 2017

Week in review: major cybersecurity incidents in November 20-26


Last week we observed 12 major cybersecurity incidents, including security and data breaches at the transport company Uber, the Ministry of Social Services of Australia and the online service Imgur. The week also saw malicious activity by hacking groups such as Lazarus APT and Cobalt. Below is a list of the most notable incidents, each with a brief description and commentary.

Monday

- The Security Service of Ukraine (SSU), together with the public prosecutor's office, uncovered a hacking group whose members stole funds from clients' bank cards, including government-issued ones. The attackers managed to steal over 10 mln UAH (about $376K).

Using malware, the attackers gained access to card data and cloned the payment cards with special technical equipment. According to the SSU, the attackers withdrew money from more than 1.5 thousand bank cards.

- Analysis from Trend Micro showed that the Cobalt hacking group has changed its tactics. Earlier campaigns focused on banking clients; now Cobalt is targeting ATMs and European financial organizations.

The previous attacks against Russian-speaking financial organizations were partly launched in summer 2017. The attackers sent phishing emails on behalf of clients of the targeted organizations, an arbitration court, or a company specializing in cyber security.

In September the group exploited the CVE-2017-8759 vulnerability in the Microsoft .NET Framework to install a Cobalt Strike backdoor on the victim's computer.

According to ReversingLabs, Cobalt also used a 17-year-old vulnerability in the Microsoft Office Equation Editor, CVE-2017-11882.

- Security experts from McAfee and Palo Alto Networks discovered malicious activity by the North Korea-linked group Lazarus APT. The group has been using a new strain of Android malware targeting the SWIFT banking system as part of Operation Blockbuster.

Palo Alto Networks links the malware with Lazarus's attack on the SWIFT banking system and with Operation Blockbuster.

According to the researchers, Lazarus was behind other large-scale cyber espionage campaigns, including Operation Troy, Operation DarkSeoul, and the Sony Pictures hack.

- Malwarebytes experts identified a campaign distributing a new version of the Proton malware for macOS through a fake Symantec blog.

The domain and the address of the fake resource look legitimate, but the email address is suspicious. Links to the blog are distributed through both fake and legitimate Twitter accounts.

Once it has infected the system, Proton starts collecting data, including passwords, personal information, .keychain files, browser data, 1Password manager content, etc. The collected information is stored in a hidden folder.

Experts believe the campaign's organizer could have accessed the accounts with stolen logins and passwords, or by deceiving users into promoting links to the fake resource.

- Saudi Arabia's National Cyber Security Centre detected a new APT campaign targeting the country. The attack involved the use of «PowerShell» and was aimed at government computers.

Saudi Arabia has already suffered from another malware family dubbed «Shamoon». In particular, Saudi Aramco, the world's biggest oil company, was a victim of that massive cyber attack.

Tuesday

- The international transport company Uber reported a massive data breach it had been hiding from its customers for a year.

In October last year, unknown actors hacked the company's servers and stole the personal data of 57 million customers and drivers. The exposed information included the names and email addresses of 50 million passengers and the personal data of 7 million drivers, including 600 thousand US driver's license numbers.

Two cybercriminals accessed a GitHub repository used by Uber programmers and obtained credentials of the company's employees. Using these credentials, the attackers logged on to Amazon Web Services, stole the data archive and demanded a ransom, threatening to publish the stolen information otherwise.

The company's management decided not to disclose the incident and instead paid a ransom of $100K.

- A 31-year-old Ukrainian woman extorted about 1 million UAH ($38K) from her employer, the dating agency dating.com.

The woman had worked for the dating agency since 2012. At the end of 2015, she found a hacker who helped her attack anastasiadate.com, and demanded 100 thousand UAH (about $3.5 thousand) to restore the website. A year later the site was attacked again; this time the attackers demanded about 470 thousand UAH in cryptocurrency. A week later, the resource was blocked again. The last attack on the website was carried out on November 17 this year. In total, the company's management had to pay the blackmailers about 1 million UAH.

The investigation found that the attacks were carried out from the Ukrainian city of Cherkassy.

Wednesday

- A visitor to a restaurant in Austria became the victim of malicious actors who stole bitcoins worth more than €100 thousand from his account.

The incident occurred when the man connected to the restaurant's public wireless network to check the value of his digital currency. The bitcoins were transferred to an «unknown, untracked account». At the moment, it is unclear whether the account had been compromised before the man joined the unprotected network.

Thursday

- The Ministry of Social Services of Australia warned 8.5 thousand of its former and current employees about a leak of their personal data stored by one of its contractors. According to the notification, the incident affected «employee profiles in the departmental credit card management system until 2016». Credit card data, employee names, logins, work phone numbers, work email addresses and system passwords were compromised.

The agency's press secretary believes the information was publicly accessible from June 2016 to October 2017. Currently, all data are properly protected.

- Unknown actors attacked the websites of the Danish supermarket chains Bilka and Fotex as they attempted to launch their Black Friday sales campaigns. The attackers flooded the websites with page-refresh requests, causing a Distributed Denial of Service (DDoS).

Friday

- The Department of the National Police of Ukraine reported the spread of the Scarab virus through the largest spam botnet, «Necurs».

Cybersecurity experts found that over 12.5 million emails containing files with a new version of the Scarab ransomware were sent via Necurs. The emails carrying Scarab were disguised as archives of scanned images.

After successful encryption, the virus creates and automatically opens a text file («IF YOU WANT TO RECEIVE ALL YOUR FOLDERS BACK, PLEASE, READ IT.TXT») and places it on the desktop.

The ransom amount for file decryption is not stated in the message. However, the attackers warn that the amount will increase over time until the victim contacts Scarab's authors by e-mail or BitMessage.

- Imgur, one of the largest online services for storing and sharing images, confirmed a security breach it suffered in 2014. According to the service, the leak affected about 1.7 million user accounts.

According to the site's representatives, the hackers stole 1.7 million e-mail addresses and passwords, which had been hashed with the outdated SHA-256 algorithm.

The incident was discovered by Troy Hunt, who notified Imgur's representatives on November 23 this year.

By Olga Vikiriuk

Analyst at Cybersecurity Help
