Information Security Incidents: Weekly Overview (December 18–24, 2017)

Overview of Information Security Incidents for the Past Week

This brief overview covers the main information security events that occurred from December 18 to December 24, 2017. The past week saw several notable incidents in Russia and worldwide, including the first successful attack on a Russian bank using the international SWIFT interbank system, ongoing attacks on cryptocurrency exchanges, the arrest of a ransomware group, and several large-scale data breaches. Here are the key events from the world of information security during this period.

1. First Successful SWIFT Attack on a Russian Bank

Early last week, media reported the first successful cyberattack on a Russian bank, in which the hacker group Cobalt used the international SWIFT financial messaging system to transfer funds. The attack was only partially successful, as the bank quickly noticed suspicious large transactions, including those in foreign currency. Globex, the bank in question, was not the only bank targeted by Cobalt; over the weekend, it was revealed that hackers also attacked Sevastopol Marine Bank. Reports vary, with losses estimated at over 10 million rubles or as much as 24 million rubles.

2. Continued Attacks on Cryptocurrency Exchanges

Hackers remain interested in cryptocurrency and related platforms. On December 20, the decentralized cryptocurrency exchange EtherDelta announced a hack in which attackers gained access to its DNS server. Additionally, North Korean hackers have increased their activity, targeting cryptocurrency exchanges and users. Security researchers from Proofpoint discovered a new malicious campaign targeting organizations, companies, and individuals holding cryptocurrency, using the Gh0st RAT backdoor. Experts believe the Lazarus cybercrime group, allegedly linked to the North Korean government, is behind these attacks.

3. Malware Distribution via Facebook Messenger

Cybercriminals continue to invent new ways to spread cryptocurrency mining software. In one campaign, they used Facebook Messenger to install the Digminer malware, designed to mine Monero. According to Trend Micro, the campaign mainly targeted users in Ukraine, Azerbaijan, Vietnam, South Korea, the Philippines, Thailand, and Venezuela.

4. WordPress Sites Targeted for Monero Mining

In another operation, attackers targeted WordPress sites worldwide to install Monero mining software. The attackers used brute-force methods to compromise sites. According to WordFence, over 190,000 sites were attacked, and the campaign generated about $100,000 in cryptocurrency for the perpetrators.

5. Ransomware Group Arrested in Europe

Last Wednesday, Europol announced the arrest of members of a group distributing CTB-Locker and Cerber ransomware. The hackers rented ransomware as a service (RaaS) and spread it via email disguised as invoices. The criminals kept 70% of the ransom, sending the remaining 30% to the malware developers.

6. Major Data Breaches Reported

Several large-scale data breaches were reported last week. Due to a misconfigured Amazon S3 server belonging to data analytics company Alteryx, information on 123 million U.S. households was exposed online. The server contained data from Alteryx partners, including credit agency Experian and the U.S. Census Bureau. The exposed data included Experian’s ConsumerView marketing database and information from the 2010 U.S. Census.

7. Nissan Data Breach Affects 1.13 Million Customers

On December 21, Japanese automaker Nissan warned of a data breach affecting 1.13 million customers. The breach occurred after the computer network of the financial division of its Canadian subsidiary was hacked.

8. California Voter Data Leak

Security researchers from Kromtech reported a leak of data on more than 19 million California voters. The data was exposed online due to a misconfigured MongoDB database and was later stolen by hackers. The attackers used an automated script to scan the internet for unsecured MongoDB databases, deleted their contents, and demanded a ransom of 0.2 bitcoin for data recovery.

9. Accidental Police Broadcast in Australia

The week also saw an unusual incident: the Australian Federal Police accidentally broadcast on Periscope a discussion about an operation to arrest a man suspected of spying for the North Korean government. The broadcast lasted about a minute and did not reveal identifying details, but journalists were able to hear some important briefing information.
