OSX_OCEANLOTUS.D, a new macOS backdoor, has been detected being propagated by the OceanLotus APT group. The backdoor spreads via malicious Word documents distributed through spam emails. The emails appear to come from HDMC, a Vietnamese organization, and ask users to enable macros. Users are advised not to blindly open email attachments.
An Android RAT, KevDroid, has been detected with capabilities for stealing contacts, messages, credentials, multi-factor tokens (SMS MFA) and call history. By accessing this sensitive information, the malware allows attackers to carry out banking and financial fraud. When present on devices used in a corporate environment, the malware can also enable cyber espionage.
The popular Android and iOS app Intel Remote Keyboard has a critical vulnerability (CVE-2018-3641) that could allow network attackers to inject keystrokes into remote keyboard sessions. By exploiting this bug, attackers can also execute malicious code on the user's Android device. Intel has discontinued the product, and users are advised to uninstall the app immediately.
Apache Struts2 flaws
Windows-based systems are being targeted by a cryptocurrency mining campaign that exploits the Apache Struts 2 Jakarta Multipart Parser remote code execution flaw (CVE-2017-5638) to mine Electroneum coins. To stay safe, users must patch the flaw and deploy web application firewalls to block such attacks.
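As an added defensive example (not code from the Cyware briefing or from any product it mentions), the script below scans a constructed access log for requests whose Content-Type header carries an OGNL expression delimiter (`%{` or `${`). That header is the request component CVE-2017-5638 abuses in the Jakarta Multipart parser, so logging it and flagging those delimiters is a cheap detection to run alongside patching. The log format, the sample lines and the marker values are all assumptions constructed for the example.

```python
import re

# Constructed access-log lines (not real traffic). The format is an assumption:
# combined-log fields followed by the request's Content-Type header in quotes.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2018:10:01:12 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
198.51.100.9 - - [05/Apr/2018:10:01:15 +0000] "POST /upload.action HTTP/1.1" 500 0 "%{#constructed_ognl_marker}"
198.51.100.7 - - [05/Apr/2018:10:01:20 +0000] "POST /api/items HTTP/1.1" 201 87 "application/json"
203.0.113.4 - - [05/Apr/2018:10:02:03 +0000] "GET /index.action HTTP/1.1" 200 1024 "-"
203.0.113.4 - - [05/Apr/2018:10:02:09 +0000] "POST /upload.action HTTP/1.1" 500 0 "${#constructed_ognl_marker}"
"""

# OGNL expressions are delimited by %{ ... } or ${ ... }. Neither "%" nor "{"
# is legal in a multipart boundary (RFC 2046 bchars), so a hit on a
# Content-Type header is a strong indicator rather than routine noise.
OGNL_MARKER = re.compile(r"[%$]\{")

# Parser for the assumed log format; the Content-Type value is the final
# quoted field. Lines that do not match are skipped rather than guessed at.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ctype>[^"]*)"$'
)


def is_suspicious_content_type(value: str) -> bool:
    """Return True when a Content-Type header value carries an OGNL delimiter."""
    return OGNL_MARKER.search(value) is not None


def scan_log(text: str) -> list:
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; a real pipeline would count these
        if is_suspicious_content_type(m["ctype"]):
            hits.append({
                "line": lineno,
                "src": m["src"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
                "content_type": m["ctype"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} {hit['method']} {hit['path']} "
              f"-> {hit['status']} Content-Type={hit['content_type']!r}")
```

Most default web-server log formats do not record the Content-Type request header, so the check only works once that header is added to the log format or the same test is applied at the WAF or reverse proxy before the request reaches Struts.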
Cisco Smart Install clients are vulnerable
A buffer overflow vulnerability has been discovered in the Smart Install feature of Cisco IOS and IOS XE Software. An attacker could exploit this flaw by sending a maliciously crafted Smart Install message to an affected device, allowing them to take over the device or trigger a reload and crash. Updates that patch the issue have been released, and administrators are advised to install them as soon as possible.
In shocking news, Facebook announced that cybercriminals used its search tools to scrape data from the profiles of all of its 2.2 billion users. Attackers used the platform to discover identities and collect information. Even though only publicly viewable information was taken, it could be used to launch social engineering campaigns. Facebook has already disabled the tool.
CareFirst phishing attack
The health insurer CareFirst BlueCross BlueShield recently fell victim to a phishing attack. An employee's email account was compromised via a phishing email. Using this account, attackers gained access to the names, identification numbers and dates of birth of around 6800 members. The Social Security numbers of eight individuals were also exposed.
Customers of Delta Airlines affected
Payment information of Delta Airlines customers may have been breached in a cyber attack on a partner organization, (24)7.ai, a chat services provider. (24)7.ai reportedly exposed online customer payment information for a few of its customers between September and October 2017. Delta confirmed that no other personal information of these customers has been exposed.
Posted on: April 05, 2018