Security News

Hackers Target Bitcoin and USCYBERCOM Shares Malware | Avast

Avast Security News Team, 9 November 2018

Hackers work to steal Bitcoin, USCYBERCOM shares new malware repository, HSBC bank accounts breached and IoT botnet contributes to webmail spam

Cryptocurrency code breached, targeting Bitcoin exchanges

Earlier this week, hackers successfully breached StatCounter, a leading web analytics platform, in an attempt to steal bitcoins from cryptocurrency users. According to research from malware researcher Matthieu Faou, up to 700,000 web pages that were bundled with traffic tracking code from web analytics platform StatCounter were targeted in the breach, which  aimed at stealing cryptocurrency through a malicious script.

Like Google Analytics, StatCounter is an older, but still widely used real-time web analytics platform utilized by more than two million websites and generating stats on over 10 billion page views per month.

After further analyzing the code, the researchers found hackers managed not only to compromise StatCounter, but also successfully replaced its tracking script with JavaScript code designed to target customers of the Gate.io cryptocurrency exchange by generating Bitcoin addresses. If the URl or content in a given webpage contained references to “myaccount/withdraw/BTC” the malicious script would activate, connecting to the exchange and sending money directly to the hackers.

While it is not yet known how many end-users were actually impacted by this cyberattack or how much money the hackers pocketed, Gate.io issued a lengthy statement on its website touting that users’ funds are safe and providing recommendations on having two-factor authentication implemented to avoid being impacted in the future. StatCounter has yet to issue a public response.

U.S. Cyber Command shares malware samples with cybersecurity industry

The Cyber National Mission Force (CNMF), a subordinate unit to U.S. Cyber Command (USCYBERCOM), has been collaborating with both political allies and members of the cybersecurity community in an effort to “share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity.”

The new project was started through an account on Google-owned VirusTotal, an online file-scanning service that also doubles as an online malware repository. The service simultaneously checks files using a variety of detection engines.  USCYBERCOM also created a new Twitter account where it tweets a link to new VirusTotal malware uploads. This is not intended to engage the public, but rather to act as a notification service for researchers.

After much talk about USCYBERCOM collaborating with public and private entities to help thwart cybercrime, their decision to upload malware samples was met with praise by leading voices from the cybersecurity industry.

“Strengthening collaboration against cybercriminals is always good news,” said Luis Corrons, Avast security evangelist. “Having an important actor like the U.S. Cyber Command sharing malicious samples with the industry will benefit all users worldwide.”  

HSBC confirms some of its US customers’ bank accounts were hacked

London-based HSBC, the world’s seventh largest bank, has warned some of its U.S. customers that their personal data was compromised in a breach that took place in October of this year. While the breach only impacts its U.S. operations, the bank says it has detected no signs of fraud.

In a notification to customers, HSBC said that once it spotted the breach, it "suspended online access to prevent further unauthorized entry" to impacted accounts. The notice also outlined information that may have been accessed, including “full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history where available.”

As many as 14,000 customers may have been affected by the hack. A HSBC spokeswoman said less than 1 percent of HSBC's U.S. customers were affected by the data breach. Yet, while the bank declined to quantify how many U.S. customers it has, the The Telegraph reports that the bank manages about 1.4 million U.S. accounts.”

“We regret this incident, and we take our responsibility for protecting our customers very seriously,” said HSBC in a public statement. The bank also made clear that they will be offering affected customers one year of credit monitoring and an identity theft protection service.

“We are used to data breaches affecting all kind of companies,” said Corrons. “However, financial entities are not usually victims. This isn’t because the data they maintain doesn’t hold value - it’s quite the opposite. The high value of the information makes it even more paramount that banks earn the trust of their customers. Thus, they typically have strong security defenses in place that are able to stop most attacks.” Corrons concluded, “This was not the case with the recent HSBC attack. Although the fact that only 14,000 accounts were affected (out of tens of millions of customers) would suggest this was a very small breach. So far no fraudulent use has been observed.”

IoT botnet infects 100,000 routers to spam webmail using five-year-old flaw

Security researchers are warning that over the last couple of months a botnet has been exploiting a five-year-old vulnerability to hijack home routers to send spam to Hotmail, Outlook and Yahoo.

Analysts working at Qihoo 360’s Netlab team say that they first identified the new botnet in September 2018. They have dubbed it “BCMUPnP_Hunter” because of its exploitation of a security hole in the Broadcom UPnP SDK that was first discovered in 2013.

This new botnet is made up of approximately 100,000 home routers and is thought to use the infected routers to connect to webmail services in an attempt to send out massive email spam campaigns.

First spotted in 2013, the Broadcom UPnP vulnerability was found on Cisco Linksys (now Belkin) WRT54GL routers, and a fix was created. Five years later, the BCMUPnP_Hunter botnet is scanning the internet for exposed UPnP interfaces and taking advantage of the flaw to seize control of unsecured routers, in order to run malicious code remotely upon them.

And, it seems no password is required. The vulnerability allows an attacker to execute malicious code on a remote router without needing to authenticate.

Victims are spread out pretty evenly across the globe, but the biggest concentration of infected routers are in India, China, and the US.

Corrons adds, “This is an example of a major security risk we are facing that will continue to worsen in the future, as more connected devices come online that users don’t know how or don’t bother to maintain. We all have to work together (governments, industry, users) to learn from our past mistakes and make changes to correct them. Twenty-years ago, OS and application updates were manual. Today, they are automatic, so users can receive security patches as soon as they are released. The same needs to happen for all types of connected devices, or we will all be at greater risk of attacks.”


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.