Cyware Daily Threat Intelligence April 27, 2018

C# Ransomware
A new in-development ransomware, dubbed C# Ransomware has been discovered that encrypts files on victims' computers and renames the files using a template. The malware compiles the executables as C# program using CSharpCodeProvider class at runtime and launches it directly into memory.

Necurs Botnet evolves again
The newest version of Necurs Botnet is using an internet shortcut or '.URL' file in order to bypass the detection by antivirus software. These internet shortcuts have content in the INI file format which allows the malware to change the folder icon by tricking the victim into thinking that it's a different file type. This new variant of Necurs is capable of spam distribution and information theft.

GandCrab Ransomware 2.1
Security researchers have observed there has been a surge in phishing emails which deliver the latest GandCrab Ransomware 2.1. These emails come with an attachment which in the form of DOC<NUMBERS>.zip. This attachment, when executed, directs the victim to a site that can be accessed only through the TOR browser. Configuration flaw in SAP
Users have been advised to review the software configuration settings of Netweaver-based SAP products that could expose all SAP implementations to exploitation by attackers. The vulnerability can allow the hackers to gain unauthorized access to the systems remotely and extract data or shut down the systems.  

Apple issues security updates
Apple has issued security patches to fix multiple vulnerabilities in the Safari browser, macOS and iOS. The iOS users need to install iOS 11.3.1 to address CVE-2018-4206 and CVE-2018-4200 vulnerabilities which triggered memory corruption error. On the other hand, Safari and Mac flaws are addressed in Safari 11.1 and macOS 10.13.4 version.   

Drupal code execution flaw
A critical bug is being exploited in the Drupal content management system to deliver malicious code on website servers. The flaw is being used against individual sites to attack high-value targets. Hence, the websites that are running Drupal 7.x need to be immediately updated to Drupal 7.59 to stay safe from this issue. Dawson County suffers a data breach
The exchange server, phone and internet service of Dawson County has been badly hit by a recent cyber attack incident. Though the point of entry and amount of data being compromised is yet to be determined, it is believed that the attack originated in the UK. Telephone services were disrupted for a short period. However, both 911 & other emergency services remained unaffected.

Vector's data exposed
A glitch in electricity network provider Vector's outage app has resulted in the leak of sensitive information of up to 35,000 customers. The information stolen includes the names, phone numbers and email addresses of customers. The technical glitch has been abused by using an HTTP proxy server to evade security measures.