Cyware Daily Threat Intelligence, April 06, 2020


Exploiting zero-day vulnerabilities to gain control of systems and networks remains a go-to attack vector. According to a new report from Qihoo 360, the DarkHotel APT group exploited a zero-day vulnerability in Sangfor SSL VPN servers to gain remote access to the networks of Chinese government agencies and of Chinese diplomatic missions operating abroad. The campaign began in March and has compromised more than 200 VPN servers.

Security researchers have also observed an organized campaign that deploys Kinsing malware on compromised Docker hosts. The attack relies on Docker daemon API ports left exposed to the internet; because the API has no authentication of its own, attackers use it directly to download the malware and run a cryptominer.

Meanwhile, Mozilla has patched two critical use-after-free vulnerabilities in Firefox that were being exploited in the wild. One stems from mContentViewer not being released properly; the other is a race condition in the handling of a ReadableStream.

Top Breaches Reported in the Last 24 Hours

Rostelecom hijacks over 200 CDNs
Last week, Russian telecom provider Rostelecom announced BGP routes belonging to more than 200 Content Delivery Networks (CDNs) and cloud hosting providers, pulling their traffic through its network in a BGP hijack. The hijack lasted about an hour and affected over 8,800 routes. The impacted companies included Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Hetzner, and Linode.
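A hijack like this works because BGP itself does not check whether the announcing network is entitled to originate a prefix. The control operators deploy against it is RPKI route origin validation (ROV): each announcement is compared with the Route Origin Authorizations (ROAs) that prefix holders publish, and announcements whose origin AS or prefix length disagrees with the ROA are dropped or alerted on. The following is an added example of that validation logic in Python, not code from the original page or from any operator named in it; the ROA table and the announcements are constructed, using documentation prefixes and documentation ASNs (64496 to 64511), so nothing here refers to the real Rostelecom routes.

```python
"""RPKI-style route origin validation over a constructed BGP feed.

Added example, not code from the original page or from any vendor or
operator named in it. Prefixes are RFC 5737/3849 documentation ranges and
the ASNs are RFC 5398 documentation ASNs; the ROA table and announcements
are constructed for this example.
"""
import ipaddress

# Constructed ROA table: (prefix, max length, authorised origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
    ("2001:db8::/32", 48, 64498),
]

# Constructed announcements as a route collector would see them:
# (prefix, AS path). The origin AS is the last element of the path.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),             # legitimate origin
    ("198.51.100.0/25", [64500, 64497]),          # more specific, within max length
    ("198.51.100.128/26", [64500, 64497]),        # right origin, too specific
    ("192.0.2.0/24", [64500, 64511]),             # covered prefix, wrong origin
    ("2001:db8:1::/48", [64500, 64511, 64498]),   # IPv6, legitimate origin
    ("203.0.113.0/24", [64500, 64499]),           # no ROA covers it
]


def validate(prefix, origin_as, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so filter by version first.
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "not-found"          # no ROA: RPKI says nothing about this prefix
    for max_len, roa_as in covering:
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"                # covered by a ROA, but origin or length disagrees


def classify_feed(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Return [(prefix, origin_as, state)] for a whole feed."""
    return [(p, path[-1], validate(p, path[-1], roas)) for p, path in announcements]


def hijack_candidates(announcements=ANNOUNCEMENTS, roas=ROAS):
    """The announcements an operator enforcing ROV would drop or alert on."""
    return [(p, o) for p, o, state in classify_feed(announcements, roas) if state == "invalid"]


if __name__ == "__main__":
    for prefix, origin, state in classify_feed():
        print(f"{prefix:<20} AS{origin:<6} {state}")
```

Two caveats a practitioner should keep in mind: "not-found" is the common case for prefixes whose holders have not published ROAs, so a policy that drops everything except "valid" breaks reachability; and ROV only checks the origin AS, so an attacker who forges a path ending in the legitimate origin passes this check and needs path validation or monitoring of unexpected upstreams to catch.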

SBA’s PII exposed
The U.S. Small Business Administration (SBA) revealed that the personally identifiable information (PII) of some loan applicants may have been exposed to other applicants through its online loan application site. The exposure was caused by a security flaw in the site. The issue was resolved and the application portal relaunched to prevent further exposure of sensitive data.

Top Malware Reported in the Last 24 Hours

Kinsing malware
Researchers have observed a new Bitcoin-mining campaign targeting misconfigured Docker hosts whose daemon API port is open to the internet. Thousands of attempts a day are being made to compromise such hosts. The final stage of the infection deploys the Kinsing malware, which in turn runs a cryptominer.
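The misconfiguration behind this campaign, referred to both in the introduction above and in this entry, is a dockerd listening on a plain TCP socket (conventionally port 2375) without TLS client authentication; whoever can reach that port can create privileged containers on the host, which is how the miner is dropped. The following is an added example, not code from the original page, from Docker, or from the researchers who reported Kinsing: a small auditor that reads the two places dockerd takes listener settings from and flags exposed TCP listeners, with a constructed vulnerable configuration beside a constructed hardened one.

```python
"""Audit a dockerd listener configuration for an exposed Remote API.

Added example, not code from the original page, from Docker or from the
researchers who reported the Kinsing campaign. It reads the two places
dockerd takes listener settings from: -H/--host flags on the command line
(typically the ExecStart= of docker.service) and the "hosts" key of
/etc/docker/daemon.json. The sample unit lines and daemon.json below are
constructed for this example.
"""
import json
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # critical / high / medium
    host: str
    detail: str


def parse_execstart(line):
    """Return ([host specs], tlsverify) from a dockerd command line."""
    argv = shlex.split(line)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def _bind_address(host):
    """'tcp://0.0.0.0:2375' -> '0.0.0.0'; 'tcp://:2375' -> ''; 'tcp://[::]:2375' -> '[::]'."""
    spec = host[len("tcp://"):]
    if spec.startswith("["):
        return spec[: spec.index("]") + 1]
    return spec.rsplit(":", 1)[0] if ":" in spec else spec


def audit(daemon_json, execstart):
    """Flag TCP listeners that hand out root-equivalent access without client auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts, tlsverify = parse_execstart(execstart)
    # dockerd refuses to start when "hosts" is set both in daemon.json and
    # via -H, so in practice only one of these sources is populated.
    hosts = hosts + list(cfg.get("hosts", []))
    tlsverify = tlsverify or bool(cfg.get("tlsverify", False))

    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are protected by file permissions
        wide_open = _bind_address(host) in ("", "0.0.0.0", "[::]", "::")
        if not tlsverify:
            findings.append(Finding(
                "critical" if wide_open else "high", host,
                "Remote API reachable over plain TCP with no client authentication; "
                "anyone who can reach the port can start a privileged container"))
        elif wide_open:
            findings.append(Finding(
                "medium", host,
                "TLS client certificates are enforced but the API is bound to all "
                "interfaces; restrict source addresses with a firewall as well"))
    return findings


# Constructed samples. The first is the classic misconfiguration behind
# mass-exploitation campaigns: the API on 0.0.0.0:2375 with no TLS.
VULNERABLE_UNIT = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
VULNERABLE_JSON = ""

# Hardened: TLS with mandatory client certificates on 2376, configured in
# daemon.json (so the unit must not also pass -H, hence the bare ExecStart).
HARDENED_UNIT = "ExecStart=/usr/bin/dockerd"
HARDENED_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, js, unit in (("vulnerable", VULNERABLE_JSON, VULNERABLE_UNIT),
                            ("hardened", HARDENED_JSON, HARDENED_UNIT)):
        print(label)
        for f in audit(js, unit):
            print(f"  [{f.severity}] {f.host}: {f.detail}")
```

A loopback-only listener without TLS is still rated high rather than ignored: any local process that can open the port gets the same root-equivalent access, so it is a privilege-escalation path even when it is not reachable from the internet.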

Zoom Installer used to spread coinminer
Threat actors have bundled a coinminer, detected as Trojan.Win32.MOOZ.THCCABO, with a legitimate installer of the video conferencing app Zoom and are distributing the repackaged installer from fraudulent websites rather than Zoom's official download channels. The coinminer collects system information such as the Graphics Processing Unit (GPU), operating system version, video controllers, processors, and more.

Emotet attack
Microsoft shared details of an Emotet attack on an organization named Fabrikam (a placeholder name given by Microsoft in its case study). The attack relied on a phishing message that was opened by an internal employee. This unleashed the malware, which later infected the organization’s systems and halted core services by saturating the CPU usage on Windows devices.   

Malicious apps
Researchers uncovered thousands of Android apps containing hidden backdoors and blacklists using a static analysis tool named INPUTSCOPE, which looks for places where an app compares user input against hard-coded values. The study covered more than 150,000 applications, 30,000 of which were pre-installed apps extracted from Samsung smartphone firmware. Some 12,706 apps were found to contain backdoor secrets such as hard-coded passwords or secret commands, and 4,028 contained blacklist secrets.
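The idea behind this class of finding is that a backdoor or a hidden blacklist almost always shows up as a comparison between something the user typed and a constant baked into the app. The following is an added example, not code from the original page or from the INPUTSCOPE project: a deliberately simple lexical scanner over decompiled Java that flags equality checks between input-like expressions and string literals (backdoor-secret candidates) and membership checks against literal lists (blacklist candidates). INPUTSCOPE itself performs a bytecode-level static taint analysis that ties each comparison to a real input source, which this heuristic does not do, so its output is a triage list rather than a verdict. The Java fragment it scans is constructed.

```python
"""Heuristic scan of decompiled Android source for input-validation secrets.

Added example, not code from the original page or from the INPUTSCOPE
project. INPUTSCOPE works on app bytecode with a static taint analysis that
ties comparisons back to real input sources; this is a deliberately simple
lexical approximation of the same idea, suited to triaging decompiled Java.
The Java sample below is constructed for this example.
"""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    line_no: int
    kind: str      # "backdoor-secret" or "blacklist"
    literal: str
    code: str


# Names and calls that suggest the compared value came from user input.
INPUT_HINT = re.compile(
    r"getText\(\)|getStringExtra|getQueryParameter|input|password|pwd|cmd|code", re.I)

# <expr>.equals("literal") / <expr>.equalsIgnoreCase("literal")
EXPR_EQ_LITERAL = re.compile(
    r'(?P<expr>[\w.()]+)\.equals(?:IgnoreCase)?\(\s*"(?P<lit>[^"]+)"\s*\)')
# "literal".equals(<expr>)  (Yoda style, common in Android code)
LITERAL_EQ_EXPR = re.compile(
    r'"(?P<lit>[^"]+)"\.equals(?:IgnoreCase)?\(\s*(?P<expr>[\w.()]+)\s*\)')
# Arrays.asList("a", "b", ...).contains(<expr>)
LIST_CONTAINS = re.compile(
    r'asList\((?P<lits>(?:\s*"[^"]+"\s*,?)+)\)\.contains\(\s*(?P<expr>[\w.()]+)\s*\)')


def scan(source):
    """Return Hits for comparisons of input-like expressions against hard-coded literals."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for pattern in (EXPR_EQ_LITERAL, LITERAL_EQ_EXPR):
            m = pattern.search(line)
            if m and INPUT_HINT.search(m.group("expr")):
                hits.append(Hit(n, "backdoor-secret", m.group("lit"), line.strip()))
                break
        else:
            m = LIST_CONTAINS.search(line)
            if m and INPUT_HINT.search(m.group("expr")):
                literals = re.findall(r'"([^"]+)"', m.group("lits"))
                hits.append(Hit(n, "blacklist", "|".join(literals), line.strip()))
    return hits


# Constructed decompiled-Java fragment mixing real findings with noise:
# a master password, a secret dialer code, a word blacklist, and two
# comparisons that do not involve user input and must not be flagged.
SAMPLE = '''
String pwd = etPassword.getText().toString();
if (pwd.equals("admin123")) { grantAdmin(); }
if ("*#8378#".equals(dialedCode)) { openHiddenMenu(); }
if (username.equals("")) { showError(); }
if (Arrays.asList("badword1", "badword2").contains(input.toLowerCase())) { reject(); }
if (BuildConfig.FLAVOR.equals("debug")) { enableLogging(); }
'''

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"line {h.line_no}: {h.kind:<15} literal={h.literal!r}  {h.code}")
```

The empty-string and BuildConfig comparisons are left out on purpose: an equality check against "" is ordinary validation, and a value that does not come from the user cannot be a backdoor trigger. On a real decompiled app the hint list needs to be extended with the app's own input wrappers, and every hit still has to be read in context.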

Sangfor SSL VPN servers targeted
A new attack campaign linked to the DarkHotel APT group targeted more than 200 Sangfor SSL VPN servers by exploiting a zero-day vulnerability. Of these, 174 sat on the networks of government agencies in Beijing and Shanghai and of Chinese diplomatic missions abroad, in countries including Italy, Pakistan, Indonesia, Thailand, the UAE, Israel, Malaysia, Iran, Ethiopia, and India.
  
Top Vulnerabilities Reported in the Last 24 Hours

Mozilla patches two Firefox flaws
Mozilla has released Firefox 74.0.1 and Firefox ESR 68.6.1 to patch two critical use-after-free vulnerabilities, CVE-2020-6819 and CVE-2020-6820, that were being exploited in attacks in the wild. Users on older builds should update immediately.

HP Support Assistant flaws
Ten critical vulnerabilities in HP Support Assistant expose Windows computers to attack: five local privilege escalation flaws, two arbitrary file deletion flaws, and three remote code execution flaws. HP has patched some of these vulnerabilities; the remainder are yet to be patched, so the tool remains an attack surface even on updated systems.

Tags

rostelecom
bitcoin mining campaign
kinsing malware
darkhotel apt group
sangfor ssl vpn servers
inputscope

Posted on: April 06, 2020


