11 December 2017

Week in review: Nicehash security breach and botnet Satori activity

Week in review: Nicehash security breach and botnet Satori activity

Last week (04.12-10.12) we have detected 9 major cybersecurity incidents, involving security and data breaches in the web-service Nicehash and the International Airport in Perth. It hasn’t been also without malicious activities by Satori botnet and the Quant Trojan. Below is the list of the most noticeable cybersecurity incidents along with brief description and commentary.


-         Security researchers for Qihoo 360 Netlab observed an increase in activity of botnet Satori (one of the options Mirai). The botnet includes about 280 thousand active devices and propagates ports 37215 and 52869.

The malware differs from other Mirai variants. Instead of Telnet component Satori uses two built-in exploits for remote connection to devices.

Experts suppose the botnet can be linked to another botnet based on Mirai, revealed in November this year. Both malware have the same file names, static functions and C2 protocols.

-         The hacking group Electronic Ghosts, related to ISIS, threatened a massive cyber attack against governments and military departments around the world on December 8, 2017.

According to cybersecurity analysts for JihadoScope hackers published a video in with their intention to begin "a large-scale cyberwar against the enemies of the Caliphate." Participants of the group also added that their first victim would be the United States.

-         Kromtech Security Center researcher revealed publicly available data of more than 31 million users of the popular virtual keyboard AI.type. The issue occured due to improper protection of the server by the application developer. The server was not password protected, as a result, anyone could get access to the client database, which included more than 577 GB of confidential information.

Disclosed data included full names of the device owners, phone numbers, gadget names and models, mobile network names, Android OS data, IMSI and IMEI identifiers associated with the phone number, places of residence, photos, as well as links and information related to profiles in social networks.

-         Security researchers from Forcepoint Security have discovered a new version of the Quant Trojan with a feature that allows to attack crypto-currency wallets.

The Trojan is a downloader program with the function of geographic targeting, as well as downloading and executing the .exe and .dll files.

The first file (bs.dll.c) allows to steal the cryptocurrency. The second (sql.dll.c) is the SQLite library required to run the third file zs.dll.c, which can be used to steal the victim's credentials.

Last year Quant was used by the hackers to spread malicious software Locky Zepto and Pony. Now the Trojan is sold on the Russian hacking forums for $275.


-         The largest cryptocurrency mining web-service Nicehash informed all customers about a massive security breach. Unknown actors managed to compromise Nicehash and steal all bitcoins from its main cryptocurrency wallets.

The incident was discovered after dozens of Nicehash clients reported loss of their bitcoins.The affected users stated their funds have been redirected to the wallet storing 4 736,42 bitcoins (more than $62 million).

As of December 11 the Nicehash website is still unavalable.


-         Matthias Gliwka, a Stuttgart-based software developer, discovered a publicly available Microsoft Dynamics 365 TLS certificate and its private key. The expert revealed the issue when he was working with the cloud version of Redmond's ERP system.

Access to the certificate and the private key allows malicious actors to conduct MITM-attacks and issue certificates, signed by the leaked private key.

-         The Bittrex currency exchange sent out photos of users and scanned images of their passports to other users by e-mails.

The spread information was initially received for KYC (know your customer) verification before performing any financial transactions.


-         UNC Health Care notified 24 000 of its customers about potential data breach, having taken place in October this year. Malicious actors might have compromise personal clients' information including patient names, addresses, phone numbers, employment status, employer names, birth dates and Social Security numbers.

The information was contained on a hard drive of a computer that was stolen from UNC Dermatology & Skin Cancer Center.


-         Vietnamese hacker Le Duke Hoang Hai managed to hack the computer systems of the International Airport in Perth (Australia) and steal a large number of important documents, including security data and construction plans.

The attacker used account of a third-party contractor to gain unauthorized access to the airport systems in March last year. Initially the hacker has been attempting to steal credit card information.

By Olga Vikiriuk

Analyst at Cybersecurity Help

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in ImageMagick
Low Patched | 22 Oct, 2018
Multiple vulnerabilities in NAS devices
High Not Patched | 22 Oct, 2018