Cyware Daily Threat Intelligence, April 08, 2020


Malware authors constantly refine existing malware families to widen their reach. Security researchers have now identified a new botnet, dubbed Dark Nexus, that borrows code from the Mirai and Qbot botnets. The botnet can launch DDoS attacks and credential stuffing attacks against a wide range of IoT devices.

While threat actors keep expanding their operations, vendors continue to patch the exposed security holes. Google has released security updates for 50 vulnerabilities in its Android operating system. Four of these flaws are rated ‘Critical’ and affect Android 8.0, 8.1, 9 and 10.

Apple has also fixed a FaceTime bug and a Bluetooth settings bug with the release of iOS and iPadOS 13.4.1. The FaceTime bug prevented calls from 13.4 devices from connecting to devices running older releases, namely iOS 9.3.6 and earlier and OS X El Capitan 10.11.6 and earlier.

Top Breaches Reported in the Last 24 Hours

HMR attacked by Maze ransomware
Hammersmith Medicines Research Ltd. (HMR) suffered a Maze ransomware attack on March 14, 2020, during which the operators stole data hosted on HMR’s network. When the research company refused to pay the ransom, the attackers published the stolen data on their ‘News’ leak site on March 21. The released records contain personal information on volunteers whose surnames begin with D, G, I or J.


Top Malware Reported in the Last 24 Hours

Fake Malwarebytes website
Threat actors have set up a fake Malwarebytes website that serves the Fallout exploit kit, which in turn drops Raccoon Stealer. The fake Malwarebytes domain was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173.192.139[.]27.

Dark Nexus botnet
Researchers have discovered a new botnet named Dark Nexus that shares code with the Qbot and Mirai botnets. It can launch DDoS attacks and credential stuffing attacks against a broad range of IoT devices, including video recorders and thermal cameras. Three different versions of Dark Nexus have been observed during the roughly three months it has been active.
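Mirai-style credential stuffing against IoT devices shows up on the device side as a burst of telnet or SSH login failures from one source, cycling through many default usernames, often followed by a success. The detector below is an added example written for this digest, not code from the Dark Nexus research or from any vendor. It assumes a hypothetical, constructed login-log format (`auth: login ok|failed user=... src=...`); the sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical IoT login-handler format.
# The burst from 203.0.113.7 cycles through default usernames and then
# succeeds; 198.51.100.4 is an operator making one typo.
SAMPLE_LOG = """\
2020-04-08T10:00:01 auth: login failed user=root src=203.0.113.7
2020-04-08T10:00:02 auth: login failed user=root src=203.0.113.7
2020-04-08T10:00:02 auth: login failed user=admin src=203.0.113.7
2020-04-08T10:00:03 auth: login failed user=admin src=203.0.113.7
2020-04-08T10:00:04 auth: login failed user=support src=203.0.113.7
2020-04-08T10:00:05 auth: login failed user=user src=203.0.113.7
2020-04-08T10:00:06 auth: login ok user=admin src=203.0.113.7
2020-04-08T10:05:00 auth: login failed user=admin src=198.51.100.4
2020-04-08T10:30:00 auth: login ok user=admin src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def _is_burst(recent, max_failures, min_users):
    # A burst is either too many failures or too many distinct usernames
    # inside the sliding window; the username spread is what separates a
    # default-credential sweep from a single user mistyping a password.
    return (len(recent) >= max_failures
            or len({f["user"] for f in recent}) >= min_users)


def detect_stuffing(events, window=timedelta(seconds=30), max_failures=5, min_users=3):
    """Return {source_ip: verdict}.

    'credential_stuffing'  -> a burst of failures from that source
    'compromise_suspected' -> a successful login arrived while a burst was in progress
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        recent = deque()  # failures still inside the sliding window
        for e in evs:
            while recent and e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if e["ok"]:
                # A success right after a sweep is the signal worth paging on.
                if _is_burst(recent, max_failures, min_users):
                    alerts[src] = "compromise_suspected"
                continue
            recent.append(e)
            if _is_burst(recent, max_failures, min_users):
                alerts.setdefault(src, "credential_stuffing")
    return alerts


def run_sample():
    return detect_stuffing(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for src, verdict in run_sample().items():
        print(f"{src}: {verdict}")
```

The distinct-username threshold matters more than the raw failure count: Mirai-derived bots walk a fixed list of vendor default credentials, so even a slow sweep that stays under a rate limit still touches several usernames from one source. On a real device, feed it the authentication log the device actually writes; the format and field names here are assumptions.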

Anchor backdoor malware
The FIN6 APT group and the operators of the TrickBot malware have teamed up to target organizations with the Anchor backdoor. The campaign, active for the past six months, begins with malspam. Most of the victims are enterprises that operate point-of-sale (PoS) systems.

XHelper trojan
The XHelper trojan, active since March 2019, has infected at least 45,000 devices worldwide. After installation, the malicious payload collects device information, including the OS firmware version, manufacturer name and model, sends it to the attackers’ C2 server, and then fetches a second-stage payload, the Triada trojan, which uses a set of exploits to obtain root privileges on the device.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches 50 bugs
Google has issued security patches for 50 vulnerabilities affecting its Android operating system. These include patches for four ‘Critical’ issues that could lead to remote code execution. The vulnerabilities are tracked as CVE-2020-0070, CVE-2020-0071, CVE-2020-0072, and CVE-2020-0073 and impact Android 8.0, 8.1, 9 and 10.

FaceTime bug fixed
Apple has released iOS and iPadOS 13.4.1 to fix a FaceTime bug. The issue prevented FaceTime calls from 13.4 devices from connecting to devices running iOS 9.3.6 and earlier or OS X El Capitan 10.11.6 and earlier. The new release also addresses a bug in the Settings app where choosing Bluetooth from the quick actions menu on the Home Screen would fail.

Google releases Chrome 81
Google has released Chrome 81 with 32 security fixes for Windows, macOS, and Linux. Three of the flaws, rated ‘High’ severity, are a use-after-free vulnerability (CVE-2020-6454) in extensions, a use-after-free vulnerability (CVE-2020-6423) in audio, and an out-of-bounds read (CVE-2020-6455) in WebSQL.

Top Scams Reported in the Last 24 Hours

Scammers target stimulus package
Scammers are impersonating financial institutions to steal stimulus payments from Americans. The phishing emails appear to come from a major financial institution and claim that the payment has been put on hold until the recipient verifies their account. The email links to a fake website that mimics the legitimate institution’s site.

Gift card scam
A new gift card scam that asks employees to buy digital gift cards is doing the rounds. The scammers pose as the company’s CEO or another senior executive and email employees, citing an employee bonus or a vendor payment as the pretext.
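Both scams above rely on the same two tricks: a trusted display name over an unrelated sender address, and a link whose visible text does not match where it actually points. The triage script below is an added example written for this digest, not the scam itself or any vendor’s tooling. It assumes a hypothetical executive directory (`EXECUTIVES`, mapping display name to the one domain that person sends from) and a hypothetical list of protected brand domains (`BRAND_DOMAINS`); the three sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical directory and brand list an organization would maintain (constructed).
EXECUTIVES = {"jane doe": "example.com"}   # display name -> legitimate sending domain
BRAND_DOMAINS = {"examplebank.com"}         # brands whose lookalikes we watch for

# Constructed sample messages.
SAMPLE_GIFTCARD = """\
From: "Jane Doe" <jane.doe.ceo@mail.example.net>
Reply-To: jdoe-private@example.org
To: staff@example.com
Subject: quick favour
Content-Type: text/plain

I am in a meeting. I need you to buy five digital gift cards for the
employee bonus and send me the codes. Keep this between us.
"""

SAMPLE_STIMULUS = """\
From: "Example Bank" <alerts@examplebank-secure.com>
To: customer@example.com
Subject: Your stimulus funds are on hold
Content-Type: text/html

<p>Your stimulus deposit is on hold until you verify your account:</p>
<a href="http://examplebank-secure.com/verify">https://www.examplebank.com/verify</a>
"""

SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: meeting
Content-Type: text/plain

Meeting moved to 3pm, see <a href="https://www.examplebank.com/">the bank</a>.
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Crude eTLD+1: last two labels. Assumption: two-label public suffixes
    # such as co.uk are not handled; use a public-suffix library in production.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")


def triage(raw):
    """Return a list of finding tags for one raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()

    # 1. Executive display name over a domain that executive never sends from.
    exec_domain = EXECUTIVES.get(name.strip().lower())
    if exec_domain and from_domain != exec_domain:
        findings.append(f"executive_impersonation:{addr}")

    # 2. Reply-To steering replies to a different domain than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply_to_mismatch:{reply}")

    # 3. Links: brand lookalike domains, and anchor text that names another site.
    body = _body(msg)
    ext = LinkExtractor()
    ext.feed(body)
    for href, text in ext.links:
        host = urlparse(href).hostname or ""
        rd = registrable(host)
        if rd not in BRAND_DOMAINS and any(b.split(".")[0] in host for b in BRAND_DOMAINS):
            findings.append(f"lookalike_link:{host}")
        m = re.search(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", text)
        if m and registrable(m.group(0)) != rd:
            findings.append(f"link_text_mismatch:{text}->{host}")

    # 4. The gift-card ask itself, when it comes under an executive's name.
    if exec_domain and re.search(r"\bgift cards?\b", body, re.I):
        findings.append("gift_card_request")
    return findings


if __name__ == "__main__":
    for label, sample in [("giftcard", SAMPLE_GIFTCARD), ("stimulus", SAMPLE_STIMULUS),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, triage(sample))
```

The executive-name check is the one that catches BEC in practice, because the attacker controls everything except the fact that the real executive’s mail never originates from a free-mail or lookalike domain; pair it with a DMARC policy on the real domain so the spoofed-From variant is rejected before it reaches a mailbox.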


Posted on: April 08, 2020
