Cybersecurity Incidents Weekly Review: January 8–14, 2018

Here is a brief overview of the main cybersecurity events that took place from January 8 to January 14, 2018.

1. Fancy Bears Hackers Leak IOC Correspondence

Last week, the hacker group Fancy Bears drew public attention by publishing correspondence between several members of the International Olympic Committee (IOC). According to the released documents, there is an ongoing struggle for influence over global sports between the IOC and the World Anti-Doping Agency (WADA). The hackers also claimed that the investigation into Russian athletes’ doping was politically motivated and aimed at discrediting the IOC. Shortly after the publication, cybersecurity experts from ThreatConnect warned about possible attacks by the group targeting the 2018 Winter Olympics in Pyeongchang, South Korea.

2. New Campaigns Spreading ZeuS and FakeBank Banking Trojans

Information emerged last week about two new campaigns distributing the ZeuS and FakeBank banking malware.

  • ZeuS Trojan: In the first campaign, attackers spread a variant of ZeuS through the website of the Ukrainian accounting software developer Crystal Finance Millennium (CFM). Cisco experts noted similarities to the 2017 summer breach of the “Intellect-Service” company, when a backdoor was implanted into the M.e.doc accounting software, enabling the NotPetya ransomware attacks. However, unlike NotPetya, this ZeuS variant was distributed not via a vulnerable server, but through the CFM website using a malware downloader sent as an email attachment.
  • FakeBank Trojan: The second campaign targeted Russian users, mainly clients of Sberbank, Leto Bank, VTB24, and other Russian banks. FakeBank disguises itself as a set of SMS/MMS management apps and intercepts SMS messages to steal users’ funds.

3. Cryptocurrency Mining Remains a Hot Topic

Cryptocurrency mining remained a live issue in the new year. Experts from AlienVault reported the discovery of a new loader that installed cryptocurrency mining software and sent the mined funds to servers at Kim Il Sung University in Pyongyang, North Korea. The malicious loader, first detected in late December 2017, was designed to install xmrig, an open-source Monero cryptocurrency miner.

4. Accusations Against Russian Hackers Over NotPetya Attack

The past week also saw renewed accusations against Russian hackers. The U.S. Central Intelligence Agency (CIA) suspected Russia of carrying out a cyberattack using the NotPetya ransomware against Ukraine in June 2017. The attack affected not only Ukrainian but also Russian companies. According to The Washington Post, citing classified CIA documents, the agency believes “with a high degree of confidence” that hackers from the Russian Ministry of Defense, specifically the Main Intelligence Directorate (formerly GRU), were behind the NotPetya attack on Ukraine. Jake Williams, founder of cybersecurity company Rendition Infosec, stated that the goal of the NotPetya attack was to “undermine Ukraine’s financial system.”