Cyware Daily Threat Intelligence, August 27, 2020


Globally, the threat landscape is constantly evolving as threat actors show no signs of slowing down. In the last 24 hours, researchers have detailed the extent of malicious activity by two threat actor groups - UltraRank and TA2719. While the UltraRank digital skimming group has, so far, stolen payment card data from hundreds of websites using JavaScript sniffer malware, the newly discovered TA2719 group is using a variety of lures to target users in Europe and the United States.

A new variant of the Qbot trojan that spreads through hijacked email threads has also been uncovered in the last 24 hours. It is being used in a campaign targeting the government, military, and manufacturing sectors in the U.S. and Europe.

Top Breaches Reported in the Last 24 Hours

Data#3 suffers an attack
Australian IT vendor Data#3 informed the Australian Securities Exchange that it was targeted in a cyberattack. Though the full extent of the attack is yet to be confirmed, the firm has proactively contacted 28 customers it identified as impacted.

New attacks from threat actors
Researchers have unraveled new attack campaigns from two threat actor groups - UltraRank and TA2719. While UltraRank is responsible for stealing payment card details from hundreds of websites, the newly discovered TA2719 APT group has been found using different lures to target users in Europe and the U.S.

Top Malware Reported in the Last 24 Hours

A new variant of Qbot
A new version of Qbot trojan, dropped by the latest Emotet campaign, has been found targeting the government, military, and manufacturing sectors in the U.S. and Europe. One of the interesting tricks used in the campaign involves activating a special email collector module on an infected machine. The module, in turn, extracts all email threads from the victim’s Outlook client and uploads them to a hardcoded remote server. These stolen emails are then utilized for future malspam campaigns.
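Stolen threads are valuable to the attacker because a reply that quotes a real conversation passes the recipient's "do I know this thread?" check. The following is an added example, not code from Cyware or from any Qbot analysis, of a mail-gateway heuristic for that pattern: flag a message that looks like a reply but comes from a domain that appears nowhere among the visible thread participants, and that carries an archive or macro-capable attachment. The two-factor rule, the risky-extension list and the sample messages are all assumptions constructed for illustration; the addresses and domains are fictitious.

```python
"""Heuristic detector for hijacked-thread (reply-chain) malspam.

Added example. The rule is an assumption, not a published Qbot signature:
a reply whose sender domain matches none of the participants visible in
the quoted thread, AND which carries an archive/macro attachment, is
flagged. Sample messages are constructed below.
"""
import re
from email.message import EmailMessage

# Loose matcher for addresses quoted inside the body of a reply chain.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumed list of attachment types worth treating as risky in a reply.
RISKY_EXT = (".zip", ".doc", ".docm", ".xls", ".xlsm", ".vbs", ".js")


def thread_participant_domains(msg: EmailMessage) -> set[str]:
    """Domains visible to the recipient: To/Cc headers plus every address
    quoted in the plain-text body (the stolen thread history)."""
    domains = set()
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        for addr in header.addresses:
            domains.add(addr.domain.lower())
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for found in ADDR_RE.findall(text):
        domains.add(found.rsplit("@", 1)[-1].lower())
    return domains


def is_reply(msg: EmailMessage) -> bool:
    """Threaded by header, or by a Re:/Fwd: subject prefix."""
    subject = str(msg.get("Subject", "")).lower()
    return bool(msg.get("In-Reply-To") or msg.get("References")) or \
        subject.startswith(("re:", "fw:", "fwd:"))


def risky_attachments(msg: EmailMessage) -> list[str]:
    return [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXT)
    ]


def score_message(msg: EmailMessage) -> dict:
    """Return the reasons found; flag only when both indicators are present."""
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reasons = []
    if is_reply(msg) and sender and sender not in thread_participant_domains(msg):
        reasons.append(f"reply from {sender}, which is not a visible thread participant")
    attachments = risky_attachments(msg)
    if attachments:
        reasons.append("archive/macro attachment: " + ", ".join(attachments))
    return {"suspicious": len(reasons) == 2, "reasons": reasons}


def build_sample(sender, recipient, subject, body, attachment_name) -> EmailMessage:
    """Constructed sample message (not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["In-Reply-To"] = "<thread-1@contoso.example>"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


QUOTED_HISTORY = (
    "Please see attached and confirm.\n\n"
    "> On Aug 25, 2020 Dana Lee <dana@contoso.example> wrote:\n"
    "> Thanks Pat, sending the revised terms tomorrow.\n"
    ">> From: Pat Quinn <pat.quinn@fabrikam.example>\n"
    ">> Can you confirm the renewal figures?\n"
)

SAMPLES = {
    # Stolen thread replayed from an unrelated domain with a .zip lure.
    "hijacked": build_sample("Karen Webb <k.webb@mail-relay-invoices.example>",
                             "dana@contoso.example", "Re: Q3 supplier renewal",
                             QUOTED_HISTORY, "renewal_terms.zip"),
    # Genuine participant replying with a PDF.
    "legit": build_sample("Pat Quinn <pat.quinn@fabrikam.example>",
                          "dana@contoso.example", "Re: Q3 supplier renewal",
                          QUOTED_HISTORY, "renewal_terms.pdf"),
}


def classify_samples() -> dict:
    return {name: score_message(msg)["suspicious"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_message(msg))
```

The participant check deliberately reads the quoted body, because in a hijacked thread the legitimate correspondents' addresses are right there in the stolen text while the new sender is not among them; requiring the attachment indicator as well keeps ordinary forwards from outside parties out of the alert queue.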

SunCrypt ransomware
After LockBit and Ragnar Locker, SunCrypt has become the latest ransomware family to join the Maze cartel, a grouping of ransomware operators that share information and techniques with each other. First seen in October 2019, the ransomware is installed via a heavily obfuscated PowerShell script. After encrypting files, it appends a hexadecimal hash to the end of each encrypted file's name.

Ad fraud botnet
More than 65,000 devices have been infected with an ad fraud botnet distributed through over 5,000 malicious apps, largely via the Google Play Store. The apps use the promise of free items to trick users into installing them. Among the free gifts used as lures are boots, sneakers, event tickets, coupons, and expensive dental treatments.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco patches high-severity bugs
Cisco Systems addressed nine bugs impacting a range of its networking gear, including its switches and fiber storage solutions. Eight of these are rated high severity and are tracked as CVE-2020-3397, CVE-2020-3398, CVE-2020-3338, CVE-2020-3415, CVE-2020-3517, CVE-2020-3454, CVE-2020-3506, and CVE-2020-3507.

Tags

ta2719
suncrypt ransomware
ultrarank skimming group
qbot trojan
data3

Posted on: August 27, 2020

