Category: Threat Brief

Cryptojackers Grow Dramatically on Enterprise Networks

Cryptojacking — threat actors placing illicit cryptocurrency miners on a victim’s systems — is a growing threat to enterprise IT according to a just-released report from the Cyber Threat Alliance (CTA). CTA members have seen miner detections increase 459% from 2017 through 2018 and there’s no sign that the rate of infection is slowing.

The joint paper, written with contributions from a number of CTA members (including Cisco Talos, Fortinet, McAfee, Rapid7, NTT Security, Sophos, and Palo Alto Networks), points out that there is little unique in the methods cryptojackers use to infect their victims; defending against cryptojackers is identical in almost every respect to defending against other threats.

Read more about the findings of the new report on DarkReading.

Magecart claims another victim in Newegg merchant data theft

Earlier this week researchers confirmed a massive payment card skimming scheme operated by Magecart which compromised the online store of broadcaster ABS-CBN; now, the cyberthreat group has claimed a fresh victim in Newegg.

Researchers from RiskIQ, together with Volexity, revealed that California-based retailer Newegg is the latest well-known merchant to succumb to the threat actors. The security firm said in a blog post that a payment skimming scheme has been in operation since August 13.

Read more about the recent activities of hacking group Magecart on ZDNet.

FBI: Phishing Attacks Aim to Swap Payroll Information

The FBI’s Internet Crime Complaint Center (IC3) reports a wave of social engineering attacks aiming to steal employees’ login credentials so they can break into online payroll accounts.

Attackers send their targets phishing emails designed to capture login credentials, the IC3 states. They use these to access employees’ payroll accounts, change the bank account data, and add rules so the victim doesn’t receive alerts regarding direct deposit changes. From that point, money is redirected to an account controlled by the attacker, usually a prepaid card.

Read more about the new wave of social engineering scams on DarkReading.

Access to over 3,000 backdoored sites sold on Russian hacking forum

Hackers are selling access to over 3,000 breached websites on an underground hacking forum for Russian-speaking users, according to a new report by Flashpoint. The forum is named MagBO and is a relative newcomer on the hacking scene, where other services such as HackForum, xDedic, Nulled, and Mal4All have already made a name for themselves.

But according to Flashpoint, this forum has its own niche, and that niche is in selling web shells to already-hacked websites. “Essentially, the breached websites host some sort of backdoor that would enable buyers to log in to them,” Vitali Kremez, Director of Research at Flashpoint, explained to ZDNet.

Read more about the findings of the new Flashpoint report on ZDNet.

Dangerous Pegasus Spyware Has Spread to 45 Countries

The infamous Pegasus spyware, which targets iPhones and Android devices, has allegedly infiltrated 45 different countries across the globe — and six of those countries have used surveillance malware in the past to abuse human rights, a group of researchers claim.

Researchers from The Citizen Lab scanned the internet in a massive project that took place between 2016 and 2018, sniffing out servers associated with the Pegasus mobile spyware, attributed to Israel-based company NSO Group as an offering for state-level actors around the world.

Read more about the malicious Pegasus spyware, which has been active since August 2016, on Threatpost.

US State Department reveals data breach, employee information exposed

The US State Department has confirmed a data breach which has led to the exposure of employee data. As reported by Politico, the personally identifiable information (PII) of some of the State Department’s workforce has been exposed; however, the breach is not thought to affect more than one percent of the staff roster.

No technical details of the security incident have been released to the public, nor who may be responsible. The State Department says it is currently investigating the incident.

Read more about the US State Department data breach on ZDNet.

Cybercrime: Ransomware remains a ‘key’ malware threat says Europol

Ransomware remains the top malware threat to organisations, causing millions of dollars of damage and serving as a potent tool for both cyber criminals and nation-state attackers. The rise of highly targeted file-locking malware campaigns and the threat posed by nation-state-backed campaigns mean ransomware “remains the key malware threat in both law enforcement and industry reporting,” warns Europol’s 2018 Internet Organised Crime Threat Assessment (IOCTA) report.

Ransomware families like Cerber, Cryptolocker, Crysis, CTBLocker, Dharma and Locky are cited among those most damaging to businesses over the past 12 months.

Read more about the findings of the new Europol report on ZDNet.

Database with 11 Million Email Records Exposed

A huge customer database containing 11 million records that include personal details has been discovered sitting online, unprotected. The data was available from a MongoDB instance set up on the hosting infrastructure of Grupo-SMS USA, LLC, and could be accessed by anyone able to find the path to it.

Independent security researcher Bob Diachenko found the information by scanning the internet using publicly available tools. His research revealed that the dataset had last been indexed by the Shodan search engine on September 13, but it is unclear how long it was open for access before that date.

Read more about the major data leak on BleepingComputer.

Website Attack Attempts Rose in Q2

New data shows attackers are trying to sneak past malware scanners on websites using stealthy hacks such as cryptojacking and malicious JavaScript.

Website security service provider SiteLock analyzed data from 6 million customer websites for the second quarter of 2018 and found that a website, on average, suffers 58 attack attempts per day – or one every 25 minutes – an increase of 16% since the first quarter of this year. That jump comes after a dip in attack attempts from the fourth quarter of 2017 (63 attempts each day) to Q1 of this year (50 per day).

Read more about the findings of the new SiteLock report on DarkReading.

GovPayNow Leak of 14M+ Records Dates Back to 2012

Government Payment Service (GovPayNet) has been alerted to a leak of more than 14 million customer records dating back to 2012, KrebsOnSecurity reported this week.

GovPayNet is used by nearly 2,300 government agencies in 35 states to process online payments for traffic tickets, bail payments, court-imposed fines, and other fees. The service operates under the Web domain, which was found leaking customer data including names, addresses, phone numbers, and the last four digits of credit card numbers.

Read more about the GovPayNow data leak on DarkReading.