Cybersecurity Incidents Weekly Review: February 12–18, 2018
Data breaches, phishing and cryptomining campaigns, and the emergence of new botnets have become routine occurrences—hardly a week goes by without reports of such incidents, and last week was no exception. Here’s a brief overview of the most notable events from February 12 to 18, 2018.
1. NotPetya Ransomware Attacks Attributed to Russia
One of the most high-profile events of the week was the formal attribution of the June 2017 NotPetya attacks to Russia. On Thursday, February 15, the UK government made the accusation, and the US, Australia, Canada, and New Zealand soon issued similar statements. The Kremlin categorically denied any involvement, calling the allegations “groundless and unsubstantiated.”
2. Coinhoarder Group’s Phishing Campaign via Google AdWords
Researchers at Cisco Talos published details of the Coinhoarder group, which turned Google AdWords into a phishing delivery channel. The attackers legitimately bought search ads so that links to their phishing pages appeared at the top of Google results for Bitcoin-related queries. Users who clicked through landed on lookalike wallet sites and typed in their credentials, which the group then used to drain the victims' wallets. Talos estimates the scheme netted around $50 million in Bitcoin.
3. New Cryptomining Campaign Targeting Android Users
Cryptocurrency hunters continue to invent new ways to mine at other people's expense. Researchers at Malwarebytes described a campaign that redirects Android users to a page claiming to have detected suspicious browsing and demanding that they solve a CAPTCHA to continue. While the page is open, an in-browser script mines Monero on the device's CPU, and the mining stops only when the user enters the code and leaves the page.
4. Emergence of New IoT Botnets: DoubleDoor
New IoT botnets continue to appear online. One recent discovery, dubbed DoubleDoor by researchers at NewSky Security, chains two publicly known backdoors to get past a perimeter firewall and take over the modem behind it. According to the researchers, DoubleDoor first uses CVE-2015-7755, the hardcoded-password backdoor in Juniper Networks ScreenOS, the operating system of NetScreen firewalls. Once through the firewall, it uses CVE-2016-10401, a hardcoded superuser (su) password in ZyXEL PK5001Z modems, to gain root on the modem. Both flaws had been public for some time, so the botnet relies on unpatched, Internet-exposed devices rather than on any new vulnerability.
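Both credentials DoubleDoor relies on are publicly documented, so the cheapest defensive check is simply to watch for them in authentication telemetry. The following is an added example, not code from this article or from the researchers who analysed the botnet: it scans login records for either backdoor credential and correlates by source address to spot the firewall-then-modem sequence. The two password strings are the real, published values; the log record format and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Both credentials are publicly documented in the respective advisories.
# CVE-2015-7755: ScreenOS accepted this fixed string as the telnet/SSH password
# for any valid username (the unauthorized code Juniper removed in Dec 2015).
SCREENOS_BACKDOOR_PASSWORD = "<<< %s(un='%s') = %u"
# CVE-2016-10401: ZyXEL PK5001Z modems ship with this fixed 'su' password.
ZYXEL_SU_PASSWORD = "zyad5001"

KNOWN_BACKDOOR_CREDENTIALS = {
    SCREENOS_BACKDOOR_PASSWORD: "CVE-2015-7755 (ScreenOS backdoor password)",
    ZYXEL_SU_PASSWORD: "CVE-2016-10401 (ZyXEL PK5001Z su password)",
}

# Assumed, constructed record format from a telnet honeypot or auth proxy:
#   <ts> src=<ip> dst=<ip> svc=<name> user=<name> pass=<secret> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) svc=(?P<svc>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>.*?) result=(?P<result>ok|fail)$"
)


def scan(lines):
    """Return (hits, chained_sources).

    hits: one (ts, src, dst, cve) tuple per login attempt that used a known
          backdoor credential, whether or not it succeeded.
    chained_sources: sources that used *both* credentials, i.e. the DoubleDoor
          sequence of firewall backdoor followed by modem su.
    """
    hits = []
    cves_per_src = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable record; a real pipeline would count these
        cve = KNOWN_BACKDOOR_CREDENTIALS.get(m["pw"])
        if cve is None:
            continue
        hits.append((m["ts"], m["src"], m["dst"], cve))
        cves_per_src[m["src"]].add(cve)
    chained = sorted(src for src, cves in cves_per_src.items() if len(cves) == 2)
    return hits, chained


# Constructed sample log: one DoubleDoor-style chain plus unrelated noise.
SAMPLE_LOG = """\
2018-02-13T03:14:07Z src=198.51.100.23 dst=192.0.2.1 svc=telnet user=netscreen pass=netscreen result=fail
2018-02-13T03:14:09Z src=198.51.100.23 dst=192.0.2.1 svc=telnet user=netscreen pass=<<< %s(un='%s') = %u result=ok
2018-02-13T03:14:31Z src=198.51.100.23 dst=192.0.2.10 svc=telnet user=admin pass=changeme result=ok
2018-02-13T03:14:33Z src=198.51.100.23 dst=192.0.2.10 svc=su user=root pass=zyad5001 result=ok
2018-02-13T04:02:11Z src=203.0.113.7 dst=192.0.2.1 svc=ssh user=admin pass=password123 result=fail
""".splitlines()

if __name__ == "__main__":
    hits, chained = scan(SAMPLE_LOG)
    for ts, src, dst, cve in hits:
        print(f"{ts} {src} -> {dst}: {cve}")
    print("sources completing the DoubleDoor chain:", chained)
```

The match is on the exact password string, because the ScreenOS backdoor only triggers on that literal value; a failed attempt with it is still worth an alert, since it shows the source is running the DoubleDoor playbook against a device that happens to be patched.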
5. FedEx Data Leak Exposes 119,000 Customers
Researchers at Kromtech Security Center found personal data on 119,000 FedEx customers sitting in a publicly readable Amazon S3 bucket belonging to Bongo International LLC, a company FedEx acquired in 2014. The exposed bucket contained scanned passports, driver’s licenses, and other identity documents from FedEx customers worldwide, including the US, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries.
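The root cause here, a bucket anyone can read, is straightforward to test for. The following is an added example, not code from this article, FedEx, Bongo or Kromtech: it evaluates a bucket's ACL and bucket policy for grants to everyone. The two AWS group URIs are the real predefined groups; the sample owner ID, ACLs, bucket name and policy are constructed for illustration, and the `audit_account` helper is one assumed way of wiring the same checks to live data with boto3.

```python
import json

# The two AWS predefined groups that make an S3 ACL grant world-accessible.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl):
    """Return (group_uri, permission) for every ACL grant to AllUsers or
    AuthenticatedUsers. `acl` has the shape returned by s3.get_bucket_acl()."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sid (or index) of each unconditional Allow statement whose
    Principal is everyone. `policy` is the parsed JSON bucket policy."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants (e.g. aws:SourceIp) need a human look, not an automatic flag
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def is_public(acl, policy):
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


def audit_account():
    """Apply the checks to every bucket in the caller's AWS account.
    Needs boto3 and credentials; imported here so the pure checks run offline."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = {}
        report[name] = is_public(acl, policy)
    return report


# Constructed sample data (hypothetical owner, bucket and policy; not from the incident).
OWNER = {"ID": "0123456789abcdef"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
EXPOSED_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-scans-bucket/*",
}]}

if __name__ == "__main__":
    print("exposed ACL, no policy:", is_public(EXPOSED_ACL, EMPTY_POLICY))         # True
    print("private ACL, no policy:", is_public(PRIVATE_ACL, EMPTY_POLICY))         # False
    print("private ACL, * policy :", is_public(PRIVATE_ACL, PUBLIC_READ_POLICY))   # True
```

These are bucket-level checks only. Individual objects can carry their own ACLs, so a bucket that passes here can still expose documents uploaded with a public-read object ACL, and an account-wide audit should also walk object ACLs or, on current AWS, confirm that S3 Block Public Access is enabled.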
6. Western Union Warns of Potential Data Breach
Last week, Western Union warned its customers about a possible leak of confidential information following a hacker attack on one of the company’s IT partners. The compromised archive contained customer contact details, bank names, internal employee identification numbers, money transfer amounts, as well as transaction times and IDs. The breach did not affect customers’ bank card data, and Western Union’s internal payment and financial systems were not compromised.