Cyware Daily Threat Intelligence, April 05, 2019


Mass phishing campaigns have always been a preferred attack vector for malicious actors. Given the ease with which they are implemented, these types of attacks have taken a toll on a range of businesses and users. Lately, security researchers have come across large-scale phishing campaigns that are being carried out by Necurs botnet operators. The attackers are using over a dozen US-based web servers to distribute 10 malware families. The malware hosted on the servers includes five families of banking trojans, two families of ransomware and three information stealers. These malware families are delivered via malicious VB macros embedded in Microsoft Word documents.

That’s not all. A new variant of phishing attack has also been discovered in the past 24 hours. Experts have found that the new version of the attack uses a legitimate tool called SingleFile as an obfuscation method to avoid detection. SingleFile is a web extension for Google Chrome and Mozilla Firefox that allows users to save a webpage as a single HTML file. However, bad actors are using the web extension to copy the log-in pages of legitimate websites.

Talking about data breaches, the pharmaceutical giant Bayer has disclosed that it suffered a cyber attack in early 2018. The attack is the work of a hacking group known as Winnti, which is believed to have used malicious software to spy on Bayer’s activities.

Top Breaches Reported in the Last 24 Hours

Bayer suffers a cyber attack
Bayer, Germany’s largest pharmaceutical company, revealed that it suffered a cyber attack in early 2018. The company learned about the attack after it found malicious software on its computer network. Investigators believe that it is the work of a China-based hacking group known as Wicked Panda or Winnti. Although the investigation is still underway, an initial probe has found no evidence of data theft.

DePaul phishing attack
DePaul, a healthcare service provider based in New York and Carolina, has fallen victim to a phishing attack. The attack occurred on February 1, 2019, after hackers gained access to an employee email account. The incident has affected 41,000 health program clients. The compromised information includes patients’ medical information, names, dates of birth and Social Security numbers. Upon discovery, the firm was quick to act and immediately secured the affected employee email account.

Top Malware Reported in the Last 24 Hours

US-based web servers targeted
More than a dozen US-based web servers have been found distributing a collection of malware families. This includes five families of banking trojans, two families of ransomware and three information stealers. The operators of the Necurs botnet are said to be behind the phishing campaigns. In each of these campaigns, email was used as the primary attack vector.

Phishing attack uses SingleFile extension
SingleFile is a web extension for Google Chrome and Mozilla Firefox that allows users to save a webpage as a single HTML file. However, cybercriminals have found a way to use the web extension as part of their phishing campaign. They are using SingleFile as an obfuscation method for copying the log-in pages of legitimate websites.

BasBanke trojan
Security experts have discovered a new Brazilian banking trojan, named BasBanke. The malware spreads via Facebook and WhatsApp messages. These messages redirect victims either to the official Google Play Store or to a website hosting malicious APK packages. BasBanke is capable of stealing credentials and payment card details, capturing screenshots and intercepting SMS messages.

Top Vulnerabilities Reported in the Last 24 Hours

Xiaomi secures Guard Provider app
Xiaomi has fixed a security flaw discovered in a pre-installed security app ‘Guard Provider’. The flaw could enable potential attackers to launch Man-in-the-Middle (MitM) attacks. The vulnerability is due to insecure network traffic to and from ‘Guard Provider’ as well as the use of multiple SDKs.

Apache patches multiple flaws
Apache has released security updates to fix a series of vulnerabilities in its HTTP Server. The update fixes six security flaws, three of which are rated as ‘critical’. The flaws affect all versions up to 2.4.38 and have been fixed in the new 2.4.39 version. All users are therefore urged to update their servers to the latest version.

WebAccess SCADA software patched
Advantech has issued security patches to fix three vulnerabilities in WebAccess SCADA software. The vulnerabilities affect all versions of WebAccess prior to 8.3.5. The security flaws are tracked as two critical remote code execution flaws (CVE-2019-6552, CVE-2019-6550) and a high-severity denial-of-service (DoS) issue (CVE-2019-6554).

Top Scams Reported in the Last 24 Hours

London Blue scammers evolve
London Blue scammers are back in a new BEC campaign that targets employees in Asia who work for companies in the US, Australia or Europe. The group has been found spoofing the email address of the target company’s CEO in order to trick their victims. In another instance, the group was found using a merger and acquisition theme to target high-profile victims. Using this technique, the scammers managed to trick an international vendor into transferring around 30 percent of the price quoted to a Mexican bank.


Posted on: April 05, 2019
