
Cyware Daily Threat Intelligence, April 16, 2019


The infamous ‘GnosticPlayers’ hacker is back in the headlines with a massive fifth set of stolen data. This time, the hacker has put up a total of 65.5 million user records on sale on the Dream Market forum. The data has been stolen from six different companies that include the names of MindJolt, Wanelo, iCracked, Yanolja, Evite and Moda Operandi. The hacker is reportedly selling the new batch of data for 0.843 Bitcoin ($4,350) on the underground marketplace forum. 

In another major data breach incident, Wipro, a multinational IT corporation, has confirmed that it has fallen victim to a phishing attack recently. The firm became aware of the incident after it detected abnormal activities in a few employee accounts. As part of security measures, Wipro has implemented remedial steps to contain the affected accounts and prevent the attack.

The past 24 hours also saw the emergence of two new malware strains: the Scranos rootkit and Ransom.Win32.BITPAYMER.TGACAJ. While Scranos is distributed via cracked software or fake apps disguised as legitimate software, Ransom.Win32.BITPAYMER.TGACAJ spreads via PsExec, a command-line tool that allows the execution of processes on remote computers.

Top Breaches Reported in the Last 24 Hours

Gnosticplayers’ fifth set of stolen data on sale
The popular ‘Gnosticplayers’ hacker has put up the fifth set of user records on sale. This time, the hacker has exposed a total of 65.5 million records on the Dream Market forum. This data has been stolen from six new companies that include the names of MindJolt, Wanelo, iCracked, Yanolja, Evite and Moda Operandi. The hacked data is being sold for 0.8463 Bitcoin on the underground market forum. 

Wipro confirms data breach
Wipro Ltd. has confirmed a phishing attack on its IT systems. The IT giant learned about the attack after it detected abnormal activities in a few employee accounts. Upon discovery, the firm was quick to take action and promptly began an investigation. The affected employees have been identified. It has also implemented remedial steps to contain and mitigate the attack.

Pregnancy Club fined
The Information Commissioner’s Office (ICO) has slapped a £400,000 fine on the pregnancy club Bounty UK Limited for sharing the personal details of 14 million individuals. The personal data included details about pregnancies and expectant mothers. The information was collected through membership registration on both the club’s website and mobile application.

Top Malware Reported in the Last 24 Hours

New variant of BitPaymer ransomware
A new variant of BitPaymer ransomware named Ransom.Win32.BITPAYMER.TGACAJ has been found to be distributed via PsExec to infect a US manufacturing company. The attack occurred on February 18, 2019, after hackers gained access to an account with administrator privileges. This allowed attackers to run malicious commands that could copy and execute the BitPaymer variant.
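As an added illustration of the detection side of the BitPaymer entry above (this is not from the original post, and the log lines are constructed, not telemetry from the incident): PsExec installs a helper service on each machine it targets, which Windows records as a System log event ID 7045, so searching service-install events for the PSEXESVC name or binary is one way to spot this kind of remote execution. The text export format and host names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows System log entries exported as text (not real
# telemetry from the incident). Event ID 7045 is logged by the Service Control
# Manager whenever a new service is installed; PsExec installs its helper
# service (PSEXESVC by default) on the target before running the command.
SAMPLE_LOG = """\
2019-02-18 03:12:44 HOST-FS01 7045 Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service Account Name: LocalSystem
2019-02-18 03:12:45 HOST-FS01 4624 Logon Type: 3 Account Name: admin-svc
2019-02-18 03:13:02 HOST-WS07 7045 Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service Account Name: LocalSystem
2019-02-18 09:30:10 HOST-WS07 7045 Service Name: BackupAgent Service File Name: C:\\Program Files\\Backup\\agent.exe Service Type: user mode service Account Name: LocalSystem
"""

# Matches only 7045 (service installed) events in the assumed export format.
SERVICE_INSTALL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) 7045 Service Name: (?P<svc>\S+) "
    r"Service File Name: (?P<path>.+?) Service Type:"
)

@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    service: str
    path: str

def find_psexec_service_installs(log_text: str) -> list[Finding]:
    """Return one Finding per 7045 event whose service looks like PsExec's helper."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_INSTALL.match(line)
        if not m:
            continue
        svc, path = m["svc"], m["path"]
        # Check both the default service name and the binary name, so a renamed
        # service that still drops PSEXESVC.exe is also caught.
        if svc.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
            findings.append(Finding(m["ts"], m["host"], svc, path))
    return findings

def hosts_touched(findings: list[Finding]) -> list[str]:
    """Distinct hosts in first-seen order; several hosts in quick succession suggests spreading."""
    seen: list[str] = []
    for f in findings:
        if f.host not in seen:
            seen.append(f.host)
    return seen

if __name__ == "__main__":
    hits = find_psexec_service_installs(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host}: PsExec service install ({f.service} -> {f.path})")
    print("hosts touched:", hosts_touched(hits))
```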

Fake Instagram assistance app
Three malicious Instagram assistance apps have been found distributing Android/Trojan.Spy.FakeInsta malware to infect Iranian users. The fake apps are distributed via the Google Play Store and have recorded over 50,000 installs. Once installed, the app opens to a splash page that asks for Instagram credentials. The malicious apps are LikeBegir, Aseman Security and Followkade.

Scranos rootkit
Scranos is a powerful new malware strain that is distributed via cracked software or trojanized applications disguised as legitimate software. The malware includes a rootkit driver that allows hackers to gain boot persistence and take full control of users’ systems. Once installed, the rootkit communicates with the attackers’ C2 server and downloads one or more payloads.

Top Vulnerabilities Reported in the Last 24 Hours

Yellow Pencil plugin vulnerability
A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin has exposed 30,000 WordPress sites to several attacks. The vulnerability exists in the yellow-pencil.php file. It can allow unauthenticated users to perform unwanted actions such as changing arbitrary options that are meant only for site administrators. Site owners running the vulnerable plugin have been advised to remove it from their sites immediately.

PoC for zero-day flaw in Win32K
A proof-of-concept (PoC) for a recently patched use-after-free vulnerability in Win32K has been released. Tracked as CVE-2019-0859, the flaw is present in the CreateWindowEx function. All 64-bit versions of Windows (from Windows 7 to Windows 10) are affected by the vulnerability.

Flaws in Shimo VPN Helper Tool
Researchers from Cisco Talos have discovered multiple vulnerabilities in the Shimo VPN Helper Tool. The vulnerabilities are tracked as CVE-2018-4004, CVE-2018-4006, and CVE-2018-4008. CVE-2018-4004 resides in the disconnectService function, CVE-2018-4006 exists in the writeConfig functionality, and CVE-2018-4008 is present in the RunVpncScript command.

Top Scams Reported in the Last 24 Hours

Airbnb customers duped
Scammers are using a powerful software-as-a-service tool called ‘Land Lordz’ to dupe Airbnb customers. The tool aids scammers in the creation and management of fake Airbnb offerings. It can also send messages to users advertising the list of fake properties. The service can be availed by paying a monthly subscription of $550. This kick-starts the fake Airbnb scam. Once potential victims reach out to the scammers to ask for more details about a listing, they are redirected to a phishing site that looks similar to the real Airbnb.com. The fake site captures the usernames and passwords submitted by the users. To stay safe from such scams, users are advised to take a closer look at the URL before providing their details.

Posted on: April 16, 2019