Cyware Daily Threat Intelligence, April 01, 2020


Raccoon stealer, sold as Malware-as-a-Service (MaaS), has been gaining popularity among threat actors, and it has been observed using Google Drive as part of its evasion techniques. Researchers have identified three campaigns from the second half of 2019 that relied on this technique while exfiltrating data from infected computers. The first campaign was delivered through the RIG exploit kit; the other two used the Fallout exploit kit.

In the past 24 hours, the LimeRAT trojan also appeared in a campaign that abused Excel's built-in default password, VelvetSweatshop, to evade detection: Excel silently tries that password when it opens an encrypted workbook, so the attachment stays encrypted (and opaque to content scanners) on the way in, yet still opens for the victim without a prompt. The victims were sent phishing emails carrying the encrypted Excel files, which open in 'read-only' mode.

Two major security incidents affecting Marriott International and SOS Online Backup were also reported in the last 24 hours. While the security breach at Marriott International affected the personal information of around 5.2 million guests, the data leak at SOS Online Backup exposed over 135 million records.

Top Breaches Reported in the Last 24 Hours

Marriott reports a data breach
Marriott International has suffered a data breach impacting the personal information of roughly 5.2 million hotel guests. The breach was discovered at the end of February 2020, when the company noticed that the login credentials of two employees at a franchise property had been used to access guest information. The compromised data includes contact details, loyalty account information, other personal details, and guest preferences.

135 million records leaked
SOS Online Backup exposed over 135 million records last year through a misconfigured database. The exposed information included PII such as full names, email addresses, phone numbers, and account usernames, along with internal company details. The database was taken offline on December 19, 2019.

Zoom leaks personal information
The popular video-conferencing app Zoom has been found leaking the personal information of at least thousands of users, including their email addresses and photos. The issue lies in Zoom's 'Company Directory' setting, which treats users who signed up with email addresses from the same domain as colleagues and adds them to each other's contact lists; where the domain belongs to a smaller email provider rather than a single company, this puts strangers in the same directory, where they can see each other's details and start a video call with them through the app.

Ozark Orthopaedics data breach
Arkansas-based Ozark Orthopaedics has disclosed a data breach affecting around 15,240 patients. The incident occurred late in 2019, when the practice detected unusual activity in four employees' email accounts; the affected mailboxes contained some personal and medical information of Ozark patients.

Phishing attack on GoDaddy.com
A spear-phishing attack on a GoDaddy.com customer support employee gave the phishers the ability to view and modify key customer records. This also enabled the attackers to change domain settings for a half-dozen GoDaddy customers, including the transaction-brokering site escrow.com. The domain name registrar has acknowledged the incident and said it has locked the impacted accounts to prevent further changes.

Top Malware Reported in the Last 24 Hours

LimeRAT trojan campaign
Threat actors have been observed abusing Excel's VelvetSweatshop default password to deliver the LimeRAT trojan: the malicious spreadsheet is encrypted with that password, so scanners that cannot decrypt it see only ciphertext, while Excel opens it for the victim without asking for anything. The attackers combined this with other techniques to fool anti-malware systems. Once the trojan is running on a victim's system, it allows the attackers to deploy ransomware, a cryptominer or a keylogger, or to enlist the machine as a bot client.
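The defensive counterpart of the trick above is to try the same default password the attacker is counting on before declaring a protected workbook unscannable. The following is an added example, not code from the Cyware digest or from any vendor's product: the magic-byte checks and sample inputs are constructed, and the decryption calls use the real third-party msoffcrypto-tool library (`pip install msoffcrypto-tool`).

```python
"""Gateway-side check: try Excel's silent default password ("VelvetSweatshop")
before treating an encrypted workbook as unscannable. Added example; the
msoffcrypto calls are the library's real API, everything else is assumed."""
import io

# Container magic. Encrypted Office files of either generation live inside an
# OLE compound file (a legacy .xls, or an .xlsx wrapped in an EncryptedPackage
# stream); an unencrypted .xlsx is a plain ZIP archive.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# The password Excel tries automatically when it opens an encrypted workbook.
EXCEL_DEFAULT_PASSWORD = "VelvetSweatshop"


def container_kind(data: bytes) -> str:
    """Classify an attachment by magic bytes: 'ole', 'zip' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def candidate_passwords(extra=()):
    """Excel's default first, then any passwords harvested from the mail body
    (lures that need a real password usually print it in the message)."""
    ordered = [EXCEL_DEFAULT_PASSWORD]
    for pw in extra:
        if pw not in ordered:
            ordered.append(pw)
    return ordered


def decrypt_office(data: bytes, passwords):
    """Return (password_used, plaintext_bytes).

    Non-OLE input cannot be an encrypted Office file, so it is handed back
    unchanged with password_used=None. For OLE input each candidate is tried
    with msoffcrypto-tool; (None, None) means nothing opened the file, and
    the attachment should be treated as unscannable, not as clean."""
    if container_kind(data) != "ole":
        return None, data
    import msoffcrypto  # imported lazily so the magic checks run without it
    for pw in passwords:
        try:
            office = msoffcrypto.OfficeFile(io.BytesIO(data))
            office.load_key(password=pw)
            out = io.BytesIO()
            office.decrypt(out)
            return pw, out.getvalue()
        except Exception:
            # wrong key, unsupported scheme, or an OLE file that is not an
            # encrypted workbook at all: move on to the next candidate
            continue
    return None, None


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    used, plain = decrypt_office(blob, candidate_passwords(sys.argv[2:]))
    if used is None and plain is None:
        print("no candidate password opened the file; treat as unscannable")
    elif used is None:
        print("not an OLE container; scan as-is")
    else:
        print(f"decrypted with {used!r}: {len(plain)} bytes of plaintext to scan")
```

Run it as `python check_xls.py attachment.xls [extra passwords...]`; the decrypted bytes are what the normal malware scanner should be fed. Note that a successful decryption with the default password is itself a signal worth logging: a legitimate sender rarely encrypts a workbook with a password the recipient is never told.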

Raccoon Stealer’s previous campaigns
Researchers have uncovered three campaigns that used the Fallout and RIG exploit kits to drop the Raccoon stealer. The campaign leveraging the RIG exploit kit was launched in July 2019, while the two using the Fallout exploit kit were carried out in October 2019. Once Raccoon infected a machine, it fetched a file from a Google Drive URL and decrypted the address of the actual C2 server from it before starting data exfiltration, so the first outbound indicator is a request to a legitimate cloud service rather than to the C2 itself.
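The Google Drive step described here and in the summary at the top of the page is a dead-drop resolver: on a proxy it looks like a fetch from a legitimate cloud-storage host followed shortly by the same client talking to a destination it has never contacted before, typically a bare IP address. The following detector is an added example, not Raccoon's code nor anything from Cyware or the original researchers; the log format, the 120-second window, the dead-drop host list beyond drive.google.com, and the log lines themselves are constructed for the demonstration.

```python
"""Dead-drop follow-up detector over constructed proxy log lines. Added
example; the log format, window and extra dead-drop hosts are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# drive.google.com is the host named in the digest; the other two are assumed
# examples of services abused the same way.
DEAD_DROP_HOSTS = {"drive.google.com", "docs.google.com", "pastebin.com"}
WINDOW = timedelta(seconds=120)

# Constructed proxy log, not real telemetry: "<ISO time> <client IP> <URL>".
SAMPLE_LOG = """\
2019-10-15T08:59:00 10.0.0.9 https://www.office.com/
2019-10-15T09:00:01 10.0.0.5 https://www.bing.com/search?q=invoice
2019-10-15T09:00:07 10.0.0.5 https://drive.google.com/uc?export=download&id=1AbC
2019-10-15T09:00:09 10.0.0.5 http://203.0.113.45/gate/
2019-10-15T09:00:10 10.0.0.5 http://203.0.113.45/file_handler/
2019-10-15T09:01:00 10.0.0.9 https://drive.google.com/uc?export=download&id=9ZyX
2019-10-15T09:02:30 10.0.0.9 https://www.office.com/
2019-10-15T09:15:00 10.0.0.9 http://198.51.100.7/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, destination host) for one log line."""
    ts, client, url = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), client, (urlsplit(url).hostname or "").lower()


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_followups(log_text, window=WINDOW):
    """Return (client, dead_drop_host, followup_host, followup_is_ip) for each
    client that fetched from a dead-drop host and, within `window`, contacted
    a destination it had not contacted earlier in the log.

    The 'not seen before' baseline is only what this log shows; in production
    it should be seeded from the client's longer history to cut noise."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    seen = {}      # client -> destinations contacted so far
    pending = {}   # client -> (time of last dead-drop fetch, dead-drop host)
    hits = []
    for ts, client, host in events:
        known = seen.setdefault(client, set())
        if client in pending:
            t0, drop = pending[client]
            if ts - t0 > window:
                del pending[client]
            elif host not in known and host not in DEAD_DROP_HOSTS:
                hits.append((client, drop, host, is_bare_ip(host)))
        known.add(host)
        if host in DEAD_DROP_HOSTS:
            pending[client] = (ts, host)
    return hits


if __name__ == "__main__":
    for client, drop, host, bare in find_dead_drop_followups(SAMPLE_LOG):
        kind = "bare IP" if bare else "new hostname"
        print(f"{client}: fetched {drop}, then contacted {host} ({kind}) within {WINDOW.seconds}s")
```

On the sample log only 10.0.0.5 is flagged: its Drive fetch is followed two seconds later by a connection to a raw IP it had never used, and the repeat connection to the same IP is not reported twice. 10.0.0.9 is not flagged because its follow-up to www.office.com was already in its baseline and its contact with 198.51.100.7 falls outside the window. The bare-IP flag is the part worth alerting on; first-time hostnames alone are too common on a busy proxy.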

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Rank Math plugin
A critical privilege escalation vulnerability in the Rank Math SEO plugin for WordPress allows an unauthenticated attacker to grant administrator privileges to any registered user. The flaw lies in an unprotected REST API endpoint of the plugin, which has around 200,000 installations. Because the same endpoint can also revoke privileges, attackers can lock legitimate administrators out of their sites. The flaw has been patched in version 1.0.41 of the plugin.
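To make the bug class concrete, here is an added, framework-neutral Python model of an endpoint that updates user metadata with no permission check, beside a hardened version. It is not Rank Math's code: the handler names, request shape and in-memory user table are assumptions. What is real is that WordPress stores a user's roles in the `wp_capabilities` user-meta key, so any endpoint that lets an anonymous caller write that key for an arbitrary user id is both a privilege-escalation and a lockout primitive; in WordPress terms the missing check is the `permission_callback` argument to `register_rest_route`.

```python
"""Model of an unauthenticated update-user-meta endpoint (the bug class) next
to its fix. Added example, not the plugin's code; names are assumptions."""

# Meta keys that carry authorization state and must never be writable through
# a generic metadata endpoint, whoever the caller is.
PROTECTED_META = {"wp_capabilities", "wp_user_level"}


def fresh_users():
    """Constructed user table: id -> user meta. wp_capabilities stands in for
    WordPress's serialized role map (role name -> True)."""
    return {
        1: {"login": "site-owner", "wp_capabilities": {"administrator": True}},
        7: {"login": "drive-by-signup", "wp_capabilities": {"subscriber": True}},
    }


def has_cap(users, user_id, cap):
    """Toy capability check: administrators hold every capability, other
    roles only what their role map lists explicitly."""
    roles = users.get(user_id, {}).get("wp_capabilities", {})
    return "administrator" in roles or cap in roles


def vulnerable_update_meta(users, request, caller=None):
    """The bug: no permission check at all, so an unauthenticated caller
    (caller=None) can write any meta key for any user, wp_capabilities
    included."""
    user_id = int(request["user_id"])
    users[user_id][request["meta_key"]] = request["meta_value"]
    return {"status": "ok"}


def hardened_update_meta(users, request, caller=None):
    """The fix: a permission callback (authenticated caller holding
    edit_users) plus a refusal to touch capability keys at all, so even a
    compromised privileged account cannot use this endpoint to mint admins."""
    if caller is None or not has_cap(users, caller, "edit_users"):
        return {"status": "rest_forbidden"}
    key = request["meta_key"]
    if key in PROTECTED_META:
        return {"status": "rest_invalid_param"}
    user_id = int(request["user_id"])
    if user_id not in users:
        return {"status": "rest_user_invalid_id"}
    users[user_id][key] = request["meta_value"]
    return {"status": "ok"}


def demo():
    """Escalation and lockout through the vulnerable handler, then the same
    requests against the hardened one. Returns the observed outcomes."""
    users = fresh_users()
    escalate = {"user_id": 7, "meta_key": "wp_capabilities",
                "meta_value": {"administrator": True}}
    lockout = {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": {}}
    vulnerable_update_meta(users, escalate)   # anonymous request
    vulnerable_update_meta(users, lockout)    # anonymous request
    after_vuln = (has_cap(users, 7, "manage_options"),   # subscriber is now admin
                  has_cap(users, 1, "manage_options"))   # real admin locked out
    users = fresh_users()
    rejected = (hardened_update_meta(users, escalate)["status"],            # anonymous
                hardened_update_meta(users, lockout, caller=7)["status"],   # subscriber
                hardened_update_meta(users, escalate, caller=1)["status"])  # admin, protected key
    return after_vuln, rejected


if __name__ == "__main__":
    print(demo())
```

The second half of `demo()` shows why the fix needs both checks: the permission callback alone stops anonymous and low-privilege callers, while the protected-key refusal keeps role changes on the dedicated user-management path, where WordPress applies its own checks, instead of a plugin's generic metadata writer.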

Top Scams Reported in the Last 24 Hours

SilverTerrier hacker group
A group of Nigerian scammers tracked as SilverTerrier launched an average of more than 90,000 attacks per month last year. The group specializes in business email compromise (BEC) attacks and has been active since 2014. It was responsible for a 1,163% increase in attacks against the professional and legal services industry last year. SilverTerrier typically relies on remote-access trojans to siphon data from victims; over the past five years the group has been tracked using 13 different RAT families to compromise users' systems.

Tags

rig exploit kit
rank math plugin
velvetsweatshop default password
limerat trojan
ozark orthopaedics
silverterrier hacker group

Posted on: April 01, 2020
