Cyware Daily Threat Intelligence, August 14, 2020


Cyberthreats are constantly evolving as malicious actors expand their attack bases with new and existing malware. In the last 24 hours, the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint statement about a new malware named Drovorub. Linked to the Fancy Bear threat actor group, the malware is a multi-component toolset consisting of an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a C2 server.

A new variant of the Bisonal backdoor, associated with the CactusPete hacker group, was also found targeting financial and military organizations in Eastern Europe. The variant adds XOR encoding alongside its data-stealing capabilities.

Moreover, the XCSSET malware family targeted Xcode projects in order to perform Universal Cross-site Scripting (UXSS) attacks on Safari and other browsers. To do so, the malware leveraged zero-day exploits affecting the behavior of Data Vaults and the development version of Safari.

Top Breaches Reported in the Last 24 Hours

Unsecured data bucket
Around seven gigabytes of unencrypted files were exposed to the internet on a publicly accessible AWS S3 bucket. The leaked files, which were available to the public for at least 18 months, included over 300 million unique email addresses and voice recordings of several sales pitches.

Data leaked
Hundreds of thousands of user records associated with different Utah-based gun exchange sites have been leaked for free on a cybercrime forum. The affected sites include muleyfreak.com, deepjunglekratom.com, and utahgunexchange.com. The leaked data includes login names, hashed passwords, and email addresses.

Canon’s stolen data leaked
The Maze ransomware gang has started publishing files stolen from Canon USA on its data leak website following a failed ransom negotiation. The attackers had hacked the firm on August 5, 2020, and demanded a ransom to prevent the leak of confidential data. However, the digital camera manufacturer decided not to pay the ransom and restored its systems from backup files.

Top Malware Reported in the Last 24 Hours

Drovorub malware
In a joint advisory, the FBI and NSA have warned that the Fancy Bear threat actor group is using a new strain of Linux malware named Drovorub. The malware comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and its own C2 servers. The authorities have urged US organizations to update their Linux systems to kernel version 3.7 or later to prevent attacks.

Bisonal backdoor upgraded
The CactusPete hacker group is targeting banks and military organizations in Eastern Europe with an upgraded version of the Bisonal backdoor. The new variant includes XOR encoding and support for proxy servers, among other features.

XCSSET malware
The XCSSET malware family has been found targeting Xcode projects in order to perform Universal Cross-site Scripting (UXSS) attacks on Safari and other browsers. Once on a vulnerable system, the malware uses exploits to abuse Safari and other installed browsers and steal user data. It pilfers information from the users’ Evernote, Notes, Skype, Telegram, QQ, and WeChat apps. Additionally, it takes screenshots of users’ systems, uploads files to the attackers’ C2 server, encrypts them, and shows a ransom note.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed TinyMCE
A high-severity cross-site scripting flaw has been identified in the open-source text editor TinyMCE. Tracked as CVE-2020-12648, the flaw allows attackers to bypass security controls via specially crafted HTML tags. The flaw exists in versions of TinyMCE prior to 5.2.0 and is fixed in versions 4.9.11 to 5.4.1.

Posted on: August 14, 2020
