Weekly Cybersecurity Incident Summary: December 4–10, 2017
This brief overview highlights the main cybersecurity events that took place from December 4 to December 10, 2017. The past week saw several significant incidents, including the takedown of the major Andromeda botnet, a hack of the cryptocurrency mining service NiceHash, a warning about a large-scale cyberattack from the Muslim hacker group Electronic Ghosts, and a data leak affecting 31 million users of the popular virtual keyboard AI.type. Read on for a summary of these and other key events.
1. Surge in Attacks on Cryptocurrency Services
The rapid rise in Bitcoin’s value has unsurprisingly attracted increased attention from cybercriminals targeting cryptocurrency services. Hardly a week goes by without news of another platform being hacked and digital currency stolen. Last week was no exception: the largest web-based cryptocurrency mining service, NiceHash, fell victim to hackers who stole over 4,000 bitcoins. The attackers managed to steal only the funds stored in NiceHash’s local wallets. Clients of cryptocurrency services can fall victim not only to hackers but also to administrative errors by service providers.
2. Bittrex Exchange Accidentally Leaks User Data
For example, the cryptocurrency exchange Bittrex accidentally emailed user data to the wrong recipients. Specifically, users who had completed KYC verification but were rejected by Bittrex received support emails notifying them not only of their own rejection but also of the rejection of several other users. The emails also included attachments with images of documents belonging to other rejected users.
3. Andromeda Botnet Takedown
Last week, Europol, Eurojust, and the FBI, with the help of cybersecurity experts, took down Andromeda, the largest botnet of its kind, which distributed the Gamarue malware (also known as Wauchos). The network consisted of 464 separate botnets and infected about 1.1 million computers each month. The law enforcement operation disabled around 1,500 domains and IP addresses used in the botnet’s command-and-control infrastructure. According to the Investigative Committee of the Republic of Belarus, authorities arrested a member of the Andromeda group who sold malware on underground forums and administered some of them.
4. New Botnets Continue to Emerge
Despite law enforcement efforts, new botnets continue to appear online. Experts from Qihoo 360 Netlab reported a surge in activity from the Satori botnet (a variant of Mirai), which includes about 280,000 active devices. Satori scans ports 37215 and 52869 and differs from earlier Mirai variants in how it spreads. While earlier versions of Mirai infected vulnerable devices and then downloaded a Telnet component to scan the internet for new victims, Satori instead uses two built-in exploits for remote device access. This makes Satori an IoT worm capable of self-propagation without needing to download additional components.
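The scanning behaviour described above is visible from the defender's side as a single source fanning out to many hosts on ports 37215 and 52869. The following is an added example, not code from the original summary or from Qihoo 360 Netlab: it parses a constructed firewall log in an assumed "time src dst dport" format and flags sources that probe those two ports across several destinations.

```python
"""Flag hosts that probe the two ports Satori scans (37215 and 52869).

Added example, not part of the original summary. The log format below
(time src_ip dst_ip dst_port) is an assumption; real syslog or NetFlow
exports would need their own parser.
"""
from collections import defaultdict

SATORI_PORTS = {37215, 52869}   # ports named in the summary

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.0.2.10 37215
10:00:01 198.51.100.7 192.0.2.11 37215
10:00:02 198.51.100.7 192.0.2.12 52869
10:00:02 198.51.100.7 192.0.2.13 52869
10:00:03 203.0.113.5 192.0.2.10 443
10:00:04 203.0.113.5 192.0.2.10 37215
10:00:05 192.0.2.50 192.0.2.60 52869
"""


def parse_line(line):
    """Return (src, dst, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_scanners(log_text, min_targets=3):
    """Return {src: sorted distinct destinations} for sources that hit a
    Satori port on at least `min_targets` distinct hosts. One hit is treated
    as noise; fan-out across many hosts matches the worm's scanning pattern."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in SATORI_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"possible Satori-style scanner {src}: {len(dsts)} hosts probed")
```

Lower `min_targets` to make the check more sensitive; on the sample data only 198.51.100.7 exceeds the default threshold.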
5. AI.type Keyboard Data Leak Affects 31 Million Users
About 31 million users of the popular virtual keyboard AI.type were affected by a data leak caused by the app’s developer failing to secure the server properly. The server operated without password protection, allowing anyone to access the company’s client database, which contained over 577 GB of confidential information. The company collected a significant amount of sensitive user data, including the device owner’s full name, phone number, device name and model, mobile network name, screen resolution, installed language packs, Android OS version, IMSI and IMEI identifiers, email address linked to the phone number, home address, photos, as well as links and information related to social media profiles.
6. Electronic Ghosts Hacker Group Threatens Large-Scale Cyberattack
At the end of last week, members of the Electronic Ghosts hacker group, associated with ISIS (a terrorist organization banned in Russia), announced their intention to “launch a large-scale war against the enemies of the Caliphate” and conduct a massive cyberattack on governments and military agencies worldwide on December 8, 2017. The hackers also stated that their first target would be the United States.