Weekly Cybersecurity Incident Overview: October 30 – November 5, 2017

The past week was turbulent in terms of cybersecurity, with a notable increase in incidents related to cryptocurrency mining. Here’s a brief summary of the main events in the information security world from October 30 to November 5, 2017.

1. New Accusations Against “Russian Hackers”

The week began with renewed accusations against “Russian hackers.” Swedish TV channel SVT reported global attacks using unnamed ransomware. While details were scarce, journalists noted that 1.6 million people in Sweden alone received phishing emails containing malware.

Recent research shows that ransomware can be used not only for extortion but also to cover up cyber-espionage operations. For example, ONI and MBR-ONI ransomware were used in campaigns against several Japanese organizations with the sole purpose of erasing hackers’ tracks.

2. Updates on Fancy Bear (APT 28) Activities

New information emerged about the cybercriminal group Fancy Bear (APT 28), often linked to Russian intelligence. According to the Associated Press, hackers attempted to breach the email accounts of Ukrainian politicians, Russian opposition figures, and American military contractors. The agency obtained a list of attack targets, mostly located in the US, Ukraine, Russia, Georgia, and Syria, dating from March 2015 to May 2016.

Additionally, new details surfaced about the involvement of “Russian hackers” in the 2016 breach of the US Democratic National Committee. The Wall Street Journal reported that the FBI gathered evidence implicating six Russian officials in the attack, with Fancy Bear considered responsible.

3. Fraudsters Register 250 Domains in the Name of Trump Organization

Last week, it was revealed that scammers registered 250 domain names on behalf of the Trump Organization. In 2013, hackers gained access to the Trump Organization’s GoDaddy account, which is used for domain registration. The fraudsters created numerous shadow subdomains to distribute malware.

4. North Korean Hackers Target South Korean Shipbuilder

North Korean hackers also made headlines. Reuters reported that in April of the previous year, cybercriminals breached the database of South Korean shipbuilder Daewoo Shipbuilding & Marine Engineering, stealing blueprints for military vessels. The breach was discovered by a South Korean Ministry of Defense unit specializing in cybercrime investigations. The conclusion that North Korea was involved is based on hacking methods similar to those used in other attacks attributed to North Korean hackers.

5. The Dark Overlord Threatens Hollywood Studio

The hacker group The Dark Overlord, previously responsible for compromising Netflix’s computer network and leaking data from a prestigious London plastic surgery clinic, threatened to publish the client database of Hollywood recording studio Line 204. The studio’s client list includes Apple, Netflix, Funny or Die, ABC, HBO, Hulu, and others. The hackers threatened to release the stolen data if Line 204 did not meet their demands.

6. New Targeted Attacks on Financial Institutions

Kaspersky Lab experts reported new targeted attacks on financial organizations, mainly Russian banks, but also some in Armenia and Malaysia. The attacks used the Silence trojan, distributed via malicious emails.

Cryptocurrency Mining Incidents

As mentioned earlier, the past week saw several incidents related to cryptocurrency mining.

  • At the start of the week, three apps in Google Play were found to contain hidden Monero miners. When users opened these apps, the miner would use their device’s resources to mine cryptocurrency.
  • A hidden Monero miner was also discovered on the D-Link website. Each time a page was loaded, a hidden iframe element pointing to a separate domain loaded a script that mined cryptocurrency directly in the visitor’s browser.
  • In addition to covert mining, security researchers highlighted another issue. According to Kaspersky Lab, the CryptoShuffler trojan steals cryptocurrency directly from wallets, targeting Bitcoin, Ethereum, Zcash, Dash, Dogecoin, and others.

Cybercriminals have also learned to steal cryptocurrency before it ever reaches a wallet.

Bitdefender specialists report that attackers can steal coins even before they reach a wallet. Cybercriminals scan the internet for Ethereum mining rigs running ethOS with default SSH credentials. Using these credentials, they log in to the rig and replace the owner’s Ethereum payout address with their own. As a result, all mined cryptocurrency is sent to the cybercriminals instead of the rig’s owner.
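Because the attack described above leaves a visible trace (a changed payout address in the rig’s configuration), a rig owner can catch it by periodically comparing the configured wallet against the one they expect. The following is an added example, not code from the article or from Bitdefender; it assumes an ethOS-style key/value config with a `proxywallet` line, and the sample config is constructed.

```python
import re

# Constructed sample of an ethOS-style config: one "key value" per line,
# '#' starts a comment. The layout is an assumption, not data from the article.
SAMPLE_CONF = """\
# rig settings (constructed example)
globalminer claymore
proxywallet 0x1111111111111111111111111111111111111111
proxypool1 pool.example.invalid:4444
"""

# Ethereum addresses are "0x" followed by 40 hex digits.
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def parse_conf(text):
    """Return {key: value} for 'key value' lines, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_wallet(text, expected_wallet, key="proxywallet"):
    """Return a list of findings; an empty list means the payout address is as expected."""
    findings = []
    wallet = parse_conf(text).get(key)
    if wallet is None:
        findings.append(f"{key} missing from config")
        return findings
    if not ETH_ADDR.match(wallet):
        findings.append(f"{key} is not a well-formed Ethereum address: {wallet}")
    if wallet.lower() != expected_wallet.lower():
        findings.append(f"{key} changed: expected {expected_wallet}, found {wallet}")
    return findings


if __name__ == "__main__":
    # Simulate the tampering from the article: the payout address has been swapped.
    tampered = SAMPLE_CONF.replace("0x1111" + "1" * 36, "0x2222" + "2" * 36)
    for finding in audit_wallet(tampered, "0x" + "1" * 40):
        print("ALERT:", finding)
```

Run it from cron on the rig (or over SSH from a monitoring host) and page on any non-empty result; pair it with changing the default SSH password, which is what let the attackers in.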
