Cyware Daily Threat Intelligence, August 24, 2020

Share Blog Post

Misconfigured Remote Desktop Protocol (RDP) ports are gradually becoming a popular intrusion vector for most ransomware attackers. A new report from Group-IB revealed that Iranian threat actors leveraged unsecured RDP endpoints to launch Dharma ransomware against companies in Russia, Japan, China, and India. After compromising the networks, the actors dropped a ransom note that asked for a ransom between 1 to 5 BTC.

A new incident of wiping out an unprotected Elasticsearch database by Meow bot also came to light in the last 24 hours. The database in question belonged to RailYatri and included about 37 million user records.

New activities related to the Grandoreiro banking trojan were also noticed in the last 24 hours. The attackers used the trojan to infect Spanish users through emails disguised as the country’s tax agency, Agencia Tributaria.

Top Breaches Reported in the Last 24 Hours

New details about Dharma’s attacks
New details about financially-motivated attacks carried out by Iranian threat actors in June have emerged recently. The attackers used Dharma ransomware and a mix of publicly accessible tools to target companies in Russia, Japan, China, and India. They abused the internet-facing Remote Desktop Protocol (RDP) endpoints with weak credentials to gain a foothold into a company’s network. After compromising the networks, the actors dropped a ransom note, asking for a ransom between 1 to 5 BTC.

RailYatri’s database destroyed
India’s most popular travel booking site, RailYatri, has become the latest victim of Meow bot after it left an unprotected Elasticsearch database exposed to the internet. The wiped out database contained about 37 million records linked to around 700,000 unique users. The exposed data included full names, age, gender, email addresses, phone numbers, booking details, and the last four digits of payment cards of individuals.

Top Malware Reported in the Last 24 Hours

Grandoreiro trojan campaign
Operators of Grandoreiro banking trojan are using spoofed emails to trick Spanish users into downloading the trojan in a new campaign. The emails appear to be from the Spanish tax agency, Agencia Tributaria, and include a link that points to a ZIP archive that claims to contain a digital tax receipt. Once the recipients click on the link, they are redirected to a file that hosts malicious payloads.

Top Vulnerabilities Reported in the Last 24 Hours

A bug in Google Drive
An unpatched flaw in Google Drive can be exploited by threat actors to distribute weaponized files disguised as legitimate documents or images. It resides in the ‘manage versions’ functionality offered by Google Drive that allows users to upload and manage different versions of a file. The issue is believed to open doors to highly effective spear-phishing campaigns.

Exploiting SQL vulnerability
Hackers exploited an SQL vulnerability to steal 8.3 million records from Freepik and Flaticon websites. The data stolen includes email addresses and passwords hashes. For some users, the compromised data only includes email or social media token used for login on both sites. 


grandoreiro banking trojan
elasticsearch database
remote desktop protocol rdp ports
sql vulnerability

Posted on: August 24, 2020

Get the Daily Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!