Security Review for September 16-22, 2019

Briefly about the main events of the past week.

After several months of inactivity, one of the most dangerous botnets, Emotet, became active again. On September 16, security researchers recorded new spam mailings containing malicious attachments and links to malicious downloads. The campaign targets Polish- and German-speaking users.

The Smominru botnet, used by its operators for data theft and mining of cryptocurrencies, also demonstrates extraordinary activity. In August of this year alone, the botnet infected more than 90 thousand computers around the world. The campaign affected US-based universities, medical firms, and even cybersecurity companies, as well as systems in China, Taiwan, Russia, and Brazil. The main victims of the campaign were devices running versions of Windows 7 and Windows Server 2008.

Due to a vulnerability in a server of the fiscal data operator (OFD) “Dreamkas”, 14 million records about legal entities and individuals, as well as data on purchases and taxes paid, were publicly accessible. The exposed information included TINs, addresses, company names, the email addresses of 3 thousand users of the “Buy-ka” discount program, phone numbers of company representatives, as well as information about transactions, product assortment and prices.

Researchers have discovered a new campaign in which the cybercriminal group Tortoiseshell attacked at least 11 IT firms, most of them located in Saudi Arabia. The attackers’ intent was allegedly to compromise the companies’ customers. In some cases the attackers managed to gain administrator privileges and infected several hundred computers in an attempt to find the data they needed, such as IP addresses and information about network connections.

UpGuard specialists found publicly exposed confidential documents detailing the technical means deployed on the networks of Russian telecom operators to support lawful interception (SORM). 1.7 TB of sensitive data, including network diagrams, administrator credentials, email archives, and other materials that shed light on the telecommunications companies’ infrastructure, were stored on an unsecured rsync server that anyone could access.

An open database was found on the Web containing personal information on more than 20 million citizens of Ecuador, including data on Julian Assange, to whom the authorities granted political asylum from 2012 to April 2019.

The unsecured Elasticsearch server belonged to Novaestrat, an Ecuadorian consulting company that provides analytics, strategic marketing and software development services. The Ecuadorian authorities opened an investigation into the data leak, which resulted in the arrest of Novaestrat’s executive director.
