- BlackOasis: APT group that uses zero-day vulnerabilities to target victims; recently observed exploiting CVE-2017-11292.
- Leviathan: Cyber espionage group that targets organizations and high-value personnel in defense and government sector via spear-phishing campaigns.
- APT28: Now exploiting CVE-2017-11292. The malicious payloads appear to have been assembled hurriedly in an attempt to leverage the vulnerability before target organizations patch the vulnerable software.
- Pizza Hut data breach: Users of the website and mobile application during a 28-hour window (from the morning of October 1, 2017 to midday on October 2, 2017) were affected; payment card details were exposed. Pizza Hut sent a notification letter to affected customers.
- Hyatt data breach: Payment card details were exposed for customers who visited affected locations (including Pune, India) between March 18, 2017 and July 2, 2017. Hyatt notified affected customers and published a list of all affected locations. Regions affected include the People's Republic of China, Korea, Japan, Europe, India, Southeast Asia, the Pacific, the United States and a few others.
- Far Eastern International Bank (FEIB): Malware payloads associated with the Lazarus group were used to target FEIB.
- Chase Brexton: Phishing attack exposed the information of roughly 16K patients.
- Namaste Health Care: Ransomware attack on a health care provider.
- Catholic United Financial: Data breach at a financial services company.
- Data dump found that likely exposed details of millions: After analysis by several researchers, the data is believed to belong to GoVault, a platform operated by Dracore.
Exploit Kits (EK):
- Malvertising campaign: Rig EK -> SmokeLoader (downloader) -> AZORult (infostealer)
- Malvertising campaign: Rig EK -> SmokeLoader (downloader) -> XMR miner (cryptocurrency miner)
- Coalabot: HTTP DDoS bot based on the August Stealer codebase. Available for sale at $300.
- DarkComet RAT: Microsoft Word document -> exploits CVE-2012-0158 -> downloads malicious HTA file -> executes PowerShell -> downloads the DarkComet RAT payload.
- Orcus RAT: Microsoft Word document (VBA/macros enabled) -> exploits CVE-2017-8759 -> downloads malicious HTA file -> executes PowerShell -> Orcus RAT payload.
- CryptoMix ransomware: New variant infecting users; encrypted files are renamed with the .x1881 extension. The variant can encrypt even when the victim has no internet connection, i.e. it does not depend on a command-and-control server to start encrypting.
- Sage 2.2 ransomware: Dropped via the Blank Slate malspam campaign, which previously delivered a Locky variant using the .asasin extension. Two delivery methods:
  - Spam email -> Microsoft Word document (VBA/macros enabled) -> downloads and executes Sage 2.2 ransomware
- Sage ransomware: delivered via the Blank Slate campaign.
- Crimeware kit: Malware toolkit for targeting ATMs available for sale on underground forums.
- Locky/Ykcol campaign: Malspam using "Message from KM_C224e" subject lines (themed as scanner notification emails).
- Zberp and Atmos banking Trojans: Neutrino bot (aka Kasidet) campaign delivering the Zberp and Atmos banking Trojans.
- Remcos and NjRAT: Spear-phishing campaigns against embassies of several European countries, ultimately delivering Remcos and NjRAT.
- Hacker’s Door: Chinese backdoor hitting victims again.
- WaterMiner: An evasive cryptocurrency miner.
- Magniber: New ransomware targeting South Koreans via Magnitude Exploit Kit.
- Proton RAT: Supply-chain attacks delivering Proton RAT.
- TrickBot: eFax-themed malspam campaign delivering the banking Trojan.
- Ursnif: New evasion techniques used by the banking Trojan.
- HydraPOS: Targeted campaign against Brazilian POS systems.
- KRACK (Key Reinstallation Attacks): Vulnerability in the WPA2 protocol's 4-way handshake. By replaying handshake messages, an attacker within radio range forces a client to reinstall a key that is already in use, which resets the packet number (nonce) and causes keystream reuse; the attacker can then decrypt traffic and, depending on the cipher suite, forge or inject packets. Anything sent without an additional layer of encryption (credit card numbers, passwords, chat messages, emails, photos) is exposed; the attack does not recover the Wi-Fi password itself. Nearly all Wi-Fi clients are affected because the flaw is in the standard rather than in one implementation, and it is fixed by patching clients (and access points that use 802.11r fast roaming). The researchers published a proof-of-concept (PoC) demonstration of the attack.
- Dynamic Data Exchange (DDE) abused to deliver malware: Several attackers are leveraging the DDE feature in Microsoft Word (field codes such as DDEAUTO that launch an external application) to obtain command execution without macros. Word shows the user prompts before the linked application is started, so the lure text is crafted to make clicking through look harmless.
- CVE-2017-11292: Critical zero-day (type confusion) vulnerability in Adobe Flash Player affecting both the browser plugins and the desktop runtime. Adobe released a patch on October 16, 2017, but the vulnerability was already being exploited in the wild (e.g. Vortex ransomware).
- CVE-2017-9367 & CVE-2017-9368: Remote code execution vulnerabilities in BlackBerry Workspaces Server.
- CVE-2017-15361: Newly disclosed ROCA vulnerability in the RSA key generation of Infineon's RSALib (used in TPMs, smartcards and security tokens). The generated primes have a structure that lets the private key be factored from the public key alone, and affected keys can be identified from the public modulus with a fingerprint test; keys generated elsewhere and imported into the chip are not affected.
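Added example for the KRACK item above (not part of the original digest or the researchers' code): a simulation of why a replayed handshake message 3 is fatal. CCMP encrypts each frame with AES in counter mode under the pairwise key (PTK) and a 48-bit packet number that must never repeat under one key; reinstalling the PTK resets that counter to zero, so the next frame reuses keystream already used once. HMAC-SHA256 in counter mode stands in for AES-CTR here (an assumption for self-containment; the reuse property is identical), and the session key, the HTTP request line and the secret are constructed sample data.

```python
"""Keystream reuse after a WPA2 key reinstallation (KRACK), simulated."""
import hashlib
import hmac
import os


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream derived from (key, PN): same inputs, same bytes.
    HMAC-SHA256 stands in for AES-CTR as used by CCMP."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal WPA2 client: installs the PTK when handshake message 3 arrives."""

    def __init__(self):
        self.ptk = None
        self.pn = 0

    def handle_msg3(self, ptk: bytes):
        # 802.11 semantics: installing a key resets the packet number to 0.
        # A replayed message 3 therefore re-installs the *same* PTK with PN=0.
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def recover(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """Two frames under one (key, PN): c1 ^ c2 = p1 ^ p2, so one known
    plaintext (e.g. a predictable HTTP request) reveals the other frame."""
    ks = xor(known_pt, known_ct)          # keystream = p1 ^ c1
    return xor(target_ct, ks)


def simulate(replay_msg3: bool):
    """Return (attacker's recovered bytes, real secret). They match only
    when the replayed message 3 reset the PN and keystream was reused."""
    ptk = os.urandom(16)                  # constructed session key
    sta = Station()
    sta.handle_msg3(ptk)                  # legitimate handshake completes
    known_pt = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"   # constructed
    _, known_ct = sta.send(known_pt)
    if replay_msg3:
        sta.handle_msg3(ptk)              # attacker replays message 3
    secret = b"POST /login  password=hunter2-correct-horse"             # constructed
    _, secret_ct = sta.send(secret)
    return recover(known_pt, known_ct, secret_ct), secret


if __name__ == "__main__":
    guess, secret = simulate(replay_msg3=True)
    print("after replay, recovered:", guess == secret, guess)
    guess, secret = simulate(replay_msg3=False)
    print("without replay, recovered:", guess == secret)
```

The recovery only needs a known or guessable frame of at least the target's length, which is why predictable protocol headers were enough for the researchers' demonstration; the fix on the client side is simply to refuse to reset the packet number when the same key is installed again.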
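Added example for the ROCA item above (not the ROCA authors' tool and not part of the original digest): the public-key fingerprint test in plain Python, together with a simplified reconstruction of the vulnerable prime structure so that the test can be exercised offline. Affected primes have the form k*M + (65537^a mod M), where M is a primorial (2*3*5*...*167 for 512-bit keys; larger primorials for longer keys, all divisible by the same small primes), so the modulus n = p*q reduced modulo each small prime r always lies in the subgroup generated by 65537 mod r. A random modulus lands in all of those subgroups with negligible probability. The key sizes, seed and the range of the exponent a are assumptions for the demo, not RSALib's actual parameters.

```python
"""ROCA (CVE-2017-15361) fingerprint: is this RSA modulus from a vulnerable generator?"""
import random
from math import prod

# Small primes of the 512-bit primorial M; every larger Infineon M is a multiple of it.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
G = 65537
M = 2 * prod(SMALL_PRIMES)


def powers_of_g(p: int) -> set:
    """Subgroup {65537**k mod p}: the only residues an affected prime can take mod p."""
    seen, x = {1}, G % p
    while x not in seen:
        seen.add(x)
        x = x * G % p
    return seen


SUBGROUPS = {p: powers_of_g(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when n mod r is a power of 65537 for every small prime r.
    Needs only the public modulus, so it can be run over a key inventory."""
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def infineon_style_prime(bits: int, rng: random.Random) -> int:
    """Prime of the vulnerable form k*M + (65537**a mod M); simplified
    reconstruction, the exponent range is an assumption for the demo."""
    while True:
        a = rng.randrange(1, 2 ** 16)
        k = rng.randrange(2 ** (bits - 1) // M, 2 ** bits // M)
        p = k * M + pow(G, a, M)
        if p.bit_length() == bits and is_probable_prime(p, rng):
            return p


def random_prime(bits: int, rng: random.Random) -> int:
    """Control: an ordinary random prime of the requested size."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def demo(seed: int = 2017):
    """Return (fingerprint of a vulnerable-style modulus, fingerprint of a
    random modulus); expected (True, False)."""
    rng = random.Random(seed)
    weak = infineon_style_prime(256, rng) * infineon_style_prime(256, rng)
    good = random_prime(256, rng) * random_prime(256, rng)
    return has_roca_fingerprint(weak), has_roca_fingerprint(good)


if __name__ == "__main__":
    print("vulnerable-style, random:", demo())
```

The test is cheap (a handful of modular reductions per key) and runs on certificates, SSH keys or TPM-backed keys alike; a positive result means the key must be regenerated with fixed firmware or by a software generator, since the modulus itself is the problem and no re-signing helps.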