2018-1-02 Global Cyber Attack Reports

January 2, 2018


  • Researches have uncovered a Chinese campaign targeting US think tanks and non-governmental organizations. The threat actors collected employees’ credentials and deployed second-stage malware, which aims to search and steal documents containing strings such as “china” and “cyber”. The stolen data is intelligence-oriented, specifically regarding US political and military strategy towards China.
  • Check Point Researchers have discovered a crypto-mining script running through Morfix, the popular Hebrew to English online dictionary, without its users’ knowledge. According to Morfix, who have already revoked the questionable code, the mining was done by an advertisement network.
    Check Point IPS blade provides protection against this threat (Multiple Websites Mine Cryptocurrencies CPU Hijacking).
  • Attack attempts have been made against Magento websites running the helpdesk extension “Mirasvit Helpdesk”, allowing sites to show a “Chat with us” widget. The attacks are using a cross-site scripting vulnerability in the extension to steal payments data.
  • Three WordPress plugins were found to be hiding back-doors. The plugins, already removed from the official WordPress Plugins Directory, have approximately 90K active installs, and are used mostly in order to inject cloaked links into websites. This incident follows several recent discoveries of malicious plugins.
    Check Point IPS blade will provide protection against this threat in its next online package.
  • Several vulnerabilities in Oracle WebLogic, already patched by the vendor, are being exploited in cryptocurrency mining activities.
    Check Point IPS blade provides protection against this threat (Oracle WebLogic WLS Security Component Remote Code Execution (CVE 2017 10271; CVE 2017 3506).
  • A Russian block-chain expert and a managing director of the crypto-currency exchange EXMO, was allegedly kidnapped by criminals in Ukraine. EXMO has assured its customers that its operations were not affected by the incident and that the victim did not have direct access to accounts or personal data.


  • Mozilla has issued a critical security update addressing five flaws in its popular Thunderbird email platform. The most severe of the fixes is a critical buffer overflow vulnerability which affects Thunderbird running on the Windows operating system. The others affect Thunderbird’s RSS reader and the feed and email service.
  • Security researchers have revealed a fully functional kernel exploit for PlayStation 4 dubbed “namedobj”, which allows users to run arbitrary code on the device, write kernel-level modifications to the system, and also enable jailbreaking which allows install mods, games, and third-party applications.
  • A SOP (Same Origin Policy) bypass vulnerability has been discovered in the Samsung Internet Browser. The vulnerability affects hundreds of millions of Samsung Android devices world-wide. The vulnerability allows an attacker to steal data from browser tabs while the user visits an attacker-controlled site, session hijacking, and webmail manipulations.
    Check Point IPS blade will provide protection against this threat in its next online package.
  • Security researchers have discovered a vulnerability that affects GoAhead, a tiny web server package embedded in hundreds of thousands of IoT devices. The vulnerability may allow an attacker to remotely execute malicious code on devices that use the GoAhead web server package.
    Check Point IPS blade provides protection against this threat (GoAhead LD_PRELOAD Remote Code Execution; GoAhead CGI Scanner).



    • A new variant of CryptoMix ransomware has been seen in the wild, with the same encryption methods of its origin. The main changes in the variant regard to the email address for payment information and to the file extension that are appended to encrypted files – .tastylock.
    • Researchers have conducted research on the potential use of acoustic attacks in order to cause physical damage to hard disk drives (HDD). Specific frequencies can make an HDD stop working, proving lethal for computers and digital video recorders. A potential threat actor needs remote access to audio devices near target machines, while the targets themselves don’t necessarily have to have internet connections.
    • Security researchers have pointed at an alarming phenomenon of malicious applications gaining free access to sensor data on smartphones by exploiting a security flaw which exists on both iOS and Android operating systems. According to the report, the applications collect vast amounts of sensitive information of the devices’ owners, and use them in order to retrieve their PIN codes.



  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
January 22, 2020

The 2020 Cyber Security Report

  • Global Cyber Attack Reports
December 15, 2021

StealthLoader Malware Leveraging Log4Shell