Cyware Daily Threat Intelligence, April 02, 2020


The surge in the use of remote communication and collaboration tools amid the ongoing quarantine scenario has brought attention to existing security flaws in such tools. Now, the video conferencing app, Zoom, has come under the scanner due to the discovery of two zero-day vulnerabilities in its macOS client. These flaws could allow attackers to gain admin privileges and access the user’s microphone and camera. On top of this, security experts have also found a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client that could allow attackers to steal user credentials.

Meanwhile, cybercriminals have also been developing new strains of malware to destroy the data stored on targeted systems. Researchers have spotted COVID-19 themed data wiping malware that steals sensitive data such as users’ passwords and erases the Master Boot Record (MBR), preventing users from recovering their infected devices.

Top Breaches Reported in the Last 24 Hours

MakeFrame skimmer attack
Security researchers uncovered a new ongoing Magecart skimmer campaign that has compromised 19 different e-commerce websites so far. The new skimmer, dubbed "MakeFrame," injects HTML iframes into webpages to steal customers’ payment data. The researchers have attributed the MakeFrame attacks to Magecart Group 7 due to its use of compromised sites to host the skimming code, load the skimmer on other websites, and siphon off the stolen data.

Watering hole campaign
An extensive attack campaign has been reported that targets Windows users from a certain Asian religious and ethnic group. The campaign uses a series of watering-hole websites that trick users by displaying fake Flash updates to initiate drive-by downloads. The malicious scripts ultimately install the “Godlike12” backdoor, written in Go, and two versions of the open-source Stitch Python backdoor.

Top Malware Reported in the Last 24 Hours

New COVID-19 wiper malware
Researchers have discovered several new strains of COVID-19 themed malware that are designed to destroy the data stored on infected systems. One of the new strains poses as “CoronaVirus ransomware” to distract users while it steals sensitive data, such as user credentials, in the background. It then rewrites the Master Boot Record (MBR) to prevent users from recovering their infected devices.

Vollgar botnet campaign
Researchers spotted an active Vollgar botnet campaign that has been hijacking Microsoft SQL (MSSQL) database servers for nearly two years. The botnet campaign has been launching brute-force attacks against MSSQL databases to gain admin access and install Monero cryptocurrency mining scripts. The campaign is reportedly targeting nearly 3,000 new MSSQL databases each day.
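The Vollgar campaign described above starts with password guessing against MSSQL logins, which SQL Server records in its ERRORLOG as error 18456 “Login failed” lines with the client address. The following added example (not code from the original post or from the researchers) parses a constructed ERRORLOG excerpt and flags source addresses that exceed a failure threshold within a sliding time window, the kind of check a defender can run over real logs to spot this brute-force stage before a miner is installed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Login failed" line SQL Server writes to ERRORLOG on a failed login (error 18456).
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]$"
)

# Constructed sample ERRORLOG excerpt (not real data): one source hammering 'sa',
# one source with two isolated failures from a legitimate application account.
SAMPLE_LOG = """\
2020-04-01 10:02:13.11 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 10:02:13.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:02:14.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:02:15.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:02:20.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:02:31.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:05:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2020-04-01 10:20:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

def parse_failures(lines):
    """Yield (timestamp, user, client) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {client: (sorted users tried, peak failures in one window)} for clients at or above threshold."""
    per_client = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        per_client[client].append((ts, user))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = (sorted({u for _, u in events}), peak)
    return flagged

print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```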

Trojanized Zoom app
Security researchers at Bitdefender spotted trojanized versions of the Zoom video conferencing app being distributed via third-party marketplaces. The Zoom clone apps infect users’ devices with adware and trojan payloads to generate revenue and steal their information.

Top Vulnerabilities Reported in the Last 24 Hours

Zero-day flaws in Zoom
Two different zero-day flaws were discovered in the macOS version of the Zoom video conferencing application. The zero-day flaws could allow local, unprivileged attackers to gain root privileges and access victims’ microphone and camera. In addition, researchers discovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client that could allow attackers to steal user credentials.

Linux kernel patch
A patch has been released to address a Linux kernel vulnerability that can allow attackers to escalate privileges on Ubuntu Desktop. The vulnerability, tracked as CVE-2020-8835, is classified under high severity. The flaw originates from the lack of proper validation of user-supplied eBPF programs.

Exploits for Windows SMBGhost flaw
Security experts have released proof-of-concept (PoC) exploits for the CVE-2020-0796 Windows flaw, also known as SMBGhost, that can allow hackers to escalate local privileges. The issue stems from a pre-authentication remote code execution flaw in the Server Message Block 3.0 (SMBv3) network communication protocol. The vulnerability affects systems running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation).

Top Scams Reported in the Last 24 Hours

Financial relief scams
Security researchers have reported an increase in phishing scams that promise victims financial relief during the coronavirus pandemic. These campaigns leverage current news headlines and updates from governments regarding COVID-19 relief funds to trick users into clicking on malicious links or downloading attachments laced with malware payloads. In many cases, these campaigns also impersonate healthcare or government organizations to appear legitimate.

Phishing kit targets credit union
Researchers from the security firm Sucuri discovered a new phishing page targeting the customers of Randolph-Brooks Federal Credit Union (RBFCU), a large financial institution located in Texas with over 850,000 members. The phishing campaign uses spoofed pages to steal user information, including email address, username, passwords, user-agent, IP address, and secret questions for account recovery.

Posted on: April 02, 2020