Cyware Daily Threat Intelligence, August 13, 2020

Share Blog post

Undoubtedly, the current pandemic state has given birth to new genres of phishing attacks. One of the most popular baits used among the scammers is the COVID-19 relief package announced by governments to help small businesses and individuals. Lately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed a scam where fraudsters were spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage with an intent to steal credentials from users. The scam was executed via phishing emails.

Talking more about threats observed in the last 24 hours, researchers unfolded a new cyberespionage campaign, named ‘Operation PowerFall’, that occurred in May 2020. The campaign, targeted against a South Korean company, was conducted by exploiting flaws in Internet Explorer (IE) and Windows GDI Print. Furthermore, the operators of Dharma ransomware were found offering a new Toolbelt toolkit to help attackers easily compromise a targeted network.

Top Breaches Reported in the Last 24 Hours

Pace Center for Girls breached
The data breach at Blackbaud has affected the Pace Center for Girls, resulting in the compromise of information belonging to its donors and fundraisers. The breached data includes donors’ names, physical addresses, phone numbers, birthdates, and other profile information. The good thing is, no credit card information or Social Security Numbers were affected in the incident.

Israel Defense Ministry attacked
A cyberattack believed to be steered by a North Korea-linked hacking group was thwarted by Israel’s Defense Ministry. Though the Ministry claimed that there was no disruption to its computer systems, researchers said that the hackers may have stolen a large amount of classified data.

NCC Group breached
British infosec firm NCC Group revealed that its internal training materials were leaked on GitHub after folders purporting to help people pass the CREST pentest certification exams appeared in repositories. Upon discovery, the faulty repositories were removed from GitHub.

Unsecured database
A database containing information of around 3.1 million patients was leaked on the internet due to a misconfiguration issue. The database belonged to Adit, a Houston-based patient management software company. After being exposed for around 10 days, the data on it was deleted by a so-called ‘meow bot’.

Top Malware Reported in the Last 24 Hours

Mekotio trojan
A new variant of Mekotio banking trojan has been found targeting users in Mexico, Brazil, Chile, Spain, Peru, and Portugal. The most notable feature of this variant is that it uses an SQL database as a C2 server. The trojan is primarily distributed through spam emails and is capable of collecting a variety of system information, such as firewall configuration, operating system information, and the status of antivirus installed. Some variants of the trojan can also hijack cryptocurrency by replacing a Bitcoin wallet address in the clipboard.

Operation PowerFall
Researchers have revealed details of a new cyberespionage campaign that occurred in May 2020. Dubbed ‘Operation PowerFall’, the campaign targeted a South Korean company by exploiting a remote code execution flaw in Internet Explorer (IE) and a privilege escalation flaw in Windows GDI Print.

Dharma’s new toolkit
Dharma operators are offering a new ready-made toolkit, known as Toolbelt, to easen up the work of  hackers. The toolkit is a PowerShell script which, when run, allows the attackers to download and execute a variety of tools from a Remote Desktop shared ‘\\tsclient\e' folder.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Amazon Alexa fixed
Several security issues in Amazon’s Alexa subdomains could be exploited by hackers seeking users’ personal data and voice recordings. The flaws, which included Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS), were patched by Amazon after it was made aware.

Incomplete LSASS patch
Microsoft has failed to properly address a privilege escalation vulnerability in the Local Security Authority Subsystem Service (LSASS), as per the discovery by Google Project Zero researchers. Tracked as CVE-2020-1509, the vulnerability can be triggered through specially crafted authentication requests. The patch for the flaw, which is classified as ‘Important’, was released in August’s 2020 Patch Tuesday.

Top Scams Reported in the Last 24 Hours

Spoofed SBA websites
The Cybersecurity and Infrastructure Security Agency (CISA) has warned users about a phishing scam where scammers were spoofing Small Business Administration (SBA) COVID-19 loan relief webpage through malicious redirects to steal credentials. The scam was carried out through emails that had the subject line ‘SBA Application - Reviewed and Proceed’.

FINRA website spoofed
The U.S. Financial Industry Regulatory Authority (FINRA) is alerting its members about a scam that impersonates its site. The imposter website, ‘www[.]finnra[.]org, includes a registration form that is used to collect sensitive information, which could later be used in targeted phishing attacks against FINRA members.

Stealing Microsoft Outlook credentials
A phishing campaign abused both the Google App Engine and the Azure App Service to steal victims’ Microsoft Outlook credentials. The campaign leveraged a shortened link that was distributed via a phishing email.

 Tags

toolbelt
operation downfall
mekotio banking trojan
pace center for girls
internet explorer ie browser
cybersecurity and infrastructure security agency cisa
local security authority subsystem service lsass

Posted on: August 13, 2020

Get the Daily Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!