Cyware Daily Threat Intelligence April 13, 2018

Top Malware Reported in the Last 24 Hours
RadRAT Espionage Tool
The espionage tool, which went unnoticed since 2015, has made a comeback featuring extremely interesting lateral movement mechanisms, including Mimikatz-like credential harvesting. RadRAT has several remote access capabilities that offer full control over the compromised computers. Using this tool, hackers can read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes.

Compile Error in GandCrab
Researchers have discovered a compile error in GandCrab ransomware that prevents its VBScript from executing. However, this error only affects campaigns that try to infect victims via malicious Word files delivered through spam emails. Experts believe that the threat actors will soon fix the error.

EITest Sinkholing
Security researchers have managed to sinkhole EITest, thereby preventing millions of redirects a day. EITest relies on compromised websites to redirect users to exploit kit (EK) landing pages. Researchers pointed this traffic at a sinkhole to stop operations.

Top Vulnerabilities Reported in the Last 24 Hours
Drupalgeddon2 flaw exploitation
A critical flaw, dubbed Drupalgeddon2 (CVE-2018-7600), was discovered by researchers. This flaw allows hackers to perform remote code execution on default or common Drupal installations. On the brighter side, there has been no mass exploitation yet: only a couple of attempts have been observed, from a few IP addresses.

LimeSurvey vulnerabilities
An unauthenticated persistent cross-site scripting (XSS) vulnerability and an authenticated arbitrary file write vulnerability were found in LimeSurvey 2.72.3. Hackers can exploit these flaws to execute code on the targeted web server and gain control of it. Users are advised to update to version 3.

Vulnerabilities in NASA CFITSIO Library
Three remote code execution vulnerabilities have been discovered by security researchers in version 3.42 of NASA's CFITSIO library. Attackers can leverage a stack-based buffer overflow to overwrite arbitrary memory via the library. The three vulnerabilities are tracked as CVE-2018-3846, CVE-2018-3847 and CVE-2018-3849.

Top Breaches Reported in the Last 24 Hours
Inogen Inc
The medical technology company Inogen Inc. suffered a data breach via a compromised employee email account. The breach exposed customer information such as customer name, contact information, and Medicare identification number. The breach is believed to have occurred between January and March 2018.

Bitcoins stolen from Coinsecure
The Indian bitcoin exchange Coinsecure lost bitcoins worth $3 million after its wallets were hacked. Nearly 438 bitcoins were stolen in the breach. The company only realized the loss after users who had bought bitcoins on the platform complained that they had been unable to access their funds for the past few days. The hackers erased the data logs of the affected wallets, leaving no trail of where the bitcoins were transferred.
