Go to listing page

Cyware Daily Threat Intelligence, April 25, 2019

Cyware Daily Threat Intelligence, April 25, 2019

Share Blog Post

GandCrab ransomware never leaves a chance to surprise security researchers. The ransomware, which is often seen in one or the other attacks every month, is now being used to infect Confluence Server. In order to do this, attackers are abusing a critical vulnerability that exists in Atlassian's Confluence collaboration software. The vulnerability is tracked as CVE-2019-3396 and exists in the software’s Widget Connector.

Two new malware were also discovered by security researchers in the past 24 hours. The malware are identified as SMBdoor and Beapy cryptominer. While SMBdoor has been created using DoublePulsar and DarkPulsar exploit kits, Beapy cryptominer relies on DoublePulsar and EternalBlue to spread across corporate networks.

Beapy cryptominer also uses Mimikatz hacking tool to steal credentials from the infected computers. Users from China are mainly affected by this malware. Meanwhile, SMBdoor has been created with an intention to help researchers in detecting and preventing threats in Windows systems.

Top Breaches Reported in the Last 24 Hours

Ryuk attacks the City of Stuart
Servers and computers in the City of Stuart in Florida have been infected with Ryuk ransomware on April 13, 2019. The incident has affected systems that dealt with payroll, utilities, and budgeting. Upon learning the incident, the city conducted investigations and has started working on restoring the affected systems. Email services and online operations of Police & Fire departments are still offline.

Human error impacts 228K passports
Approximately 228,000 Danish passports have been printed with wrong biometric data. It has been found that the users’ left-hand fingerprints have been mistakenly stored as right-hand fingerprints and vice versa. The error was discovered in 2017. Meanwhile, Kube Data, the company who encoded the biometric data on the passports, has claimed that the error does not pose any sort of threat. The company has further added that only the Danish National Police have access to the decryption that unlocks this information.

Top Malware Reported in the Last 24 Hours

SMBdoor malware
A security researcher has created a new malware named SMBdoor using two leaked NSA exploit kits - DoublePulsar and DarkPulsar. The malware is designed as a Windows kernel driver, which when installed, exploits undocumented APIs in the srvnet.sys process. The malware is primarily designed to help researchers in detecting and preventing threats in Windows systems.

GandCrab ransomware returns
Attackers are exploiting a critical vulnerability in Atlassian’s Confluence collaboration software to infect servers with the GandCrab ransomware. The vulnerability, tracked as CVE-2019-3396, exists in the software’s Widget Connector that allows users to embed content from YouTube, Twitter, and other websites into web pages. In order to stay safe from the attack, customers are advised to update their Confluence Server/Data Center to versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2.

Beapy cryptominer
A new cryptocurrency mining malware named Beapy has been spotted infecting corporate networks. The malware relies on leaked NSA exploits - DoublePulsar and EternalBlue - to spread across the networks and enslave computers to run the mining code and generate cryptocurrency. Beapy also uses Mimikatz hacking tool to steal passwords from infected computers.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Qualcomm chipsets
At least 46 Qualcomm chipsets have been found to be affected by a security bug tracked as CVE-2018-11976. It exists in Qualcomm Secure Execution Environment (QSEE). The vulnerability can allow an attacker to steal encryption and private keys from QSEE. The flaw affects Snapdragon chipsets including 820, 835, 845 and 855 among others. A fix has been released by the firm to remediate the issue. Qualcomm has urged users to patch the firmware with the latest version.

Apple updates XProtect
Apple has silently added new signatures in XProtect security software that is used to detect real-time threats on Macs. It has added two new signatures that can detect adware bundles that contain Windows executables running on macOS. These two new signatures are called "PE", which detects Windows PE files, and "MACOS.d1e06b8", which is used to detect a specially crafted Windows executable that can run on Macs. The update is included in Apple’s Malware Removal Tool version 1.32.

Security flaw in Rockwell Automation products  
A security flaw, designated as CVE-2019-10955, has been detected in MicroLogix 1400 and CompactLogix 5370 Controllers. The flaw could allow a remote and unauthenticated attacker to redirect users to a malicious website. Although no security patch has been released for the issue, Rockwell Automation has urged its users to update to the latest available firmware version.

Top Scams Reported in the Last 24 Hours

Fake ad scam
French users availing Microsoft games and services are being shown ads that redirect them to unwanted popups. These include bogus surveys, polls and fake promotions. The ad campaign first came to light on April 23 when French users were redirected to an ad site called getheprzietoday[.]club. The ad site would suddenly show survey, poll or spin-the wheel scam. The fake survey claims to offer an iPhone or Samsung to the victims if they answer all the questions. In reality, this was a way to collect personal information from users. The stolen information could later be used for identity theft or spam. 

 Tags

beapy cryptominer
doublepulsar
gandcrab ransomware
qualcomm chipsets
smbdoor
darkpulsar

Posted on: April 25, 2019


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite