Cyware Daily Threat Intelligence, April 16, 2020


It was only last week that security researchers had come across a new and sophisticated Dark Nexus botnet that shared similarities with the notorious Mirai botnet. Now, following the same pattern, a new botnet, dubbed Mozi, has been discovered that borrows source code from Mirai, Gafgyt, and IoT Reaper botnets. The newly found Mozi botnet is capable of targeting unpatched home routers and DVRs, among other IoT devices.

A new variant of the NetWire RAT that uses a legacy Microsoft Excel 4.0 macro to avoid detection by security solutions has also been spotted in the last 24 hours. The variant is used in a new malspam campaign that targets US taxpayers.

Meanwhile, the wireless router maker, Linksys, was forced to reset the passwords of all its customers due to a COVID-19-themed malware attack. It was found that some of its customers were redirected to a fake website that prompted them to download an app that provided the latest instructions and information about the disease.

Top Breaches Reported in the Last 24 Hours

Wappalyzer discloses breach
Wappalyzer, a website analyzer platform, has disclosed a security breach that affected nearly 16,000 users. The incident came to light after the firm found that a hacker had offered to sell a Wappalyzer database containing critical details of users for $2,000. The breach had occurred on January 20, 2020, when an intruder gained access to one of the company’s databases that was left exposed online due to a misconfiguration.

Palm Beach county attacked
Palm Beach county was struck with the REvil ransomware on March 21, 2020. Following the attack, the town’s computer systems were down for three weeks. Residents were unable to make their utility payments using online services, and the town’s online plan-submission system was also knocked offline.

Linksys resets passwords
Wireless router provider Linksys has reset passwords for all its customers after a number of users fell victim to COVID-19-themed malware. The malware was delivered via a fake website that prompted users to download and install an application that offered instructions and information about COVID-19.

Top Malware Reported in the Last 24 Hours

New Mozi botnet
Researchers have uncovered a new Mozi botnet that borrows its source code from Gafgyt, Mirai, and IoT Reaper botnets. The new botnet is capable of targeting home routers and DVRs that are either unpatched or have weak or default telnet passwords.

Fake Valorant key
Attackers are disguising malicious software as a product licensing key for the beta version of the ‘Valorant’ game with the aim of stealing gamers’ credentials. In reality, the supposed license file is a keylogger that allows the attackers to record the words and phrases typed by a user.

New NetWire RAT variant
Taxpayers are being targeted by a new variant of the NetWire RAT in a recent malspam campaign. The purpose of the campaign is to steal credentials and tax information from users. This new variant of the RAT is distributed via IRS-themed phishing emails that carry an attachment with a legacy Microsoft Excel 4.0 macro to evade detection.

Top Vulnerabilities Reported in the Last 24 Hours

SAP fixes 23 flaws
SAP has addressed 23 flaws as part of the April 2020 Patch Tuesday. The most severe of these is a missing XML validation vulnerability in SAP Commerce. Tracked as CVE-2020-6238, the flaw can be exploited remotely and does not require authentication.

Vulnerable WordPress plugin
A cross-site scripting (XSS) vulnerability in the OneTone WordPress plugin is being exploited by attackers to redirect users to malicious domains like ischeck[.]xyz. The flaw exists in OneTone’s “./wp-content/themes/onetone/includes/theme-functions.php” file. The plugin vulnerability allows attackers to inject only HTML code in certain places on the web page.

Tags

sap systems
onetone wordpress plugin
netwire rat
mozi botnet
fake valorant key
palm beach county
linksys

Posted on: April 16, 2020


