
Cyware Daily Threat Intelligence, December 03, 2020



TrickBot continues to haunt organizations. In a new revelation, researchers have found that its developers have added a module that inspects the victim's UEFI/BIOS firmware, checking whether the flash write protections are enabled so the trojan can later implant itself beneath the operating system. The module also includes code to read, write, and erase firmware, giving it the means for far deeper persistence on compromised systems than a disk-resident implant.

There has also been a significant development in the domain of botnet families. Adding to the list, researchers have unearthed a new botnet called Xanthe that targets Linux-based systems with an aim to mine Monero cryptocurrency.

Phishing scams impersonating FINRA and HMRC have also drawn attention in the last 24 hours, with scammers aiming to steal personal details from users.

Top Breaches Reported in the Last 24 Hours

OGUsers hijacked
OGUsers, a forum for buying, selling, and trading access to compromised social media accounts, has been hacked for the third time this year. The attackers defaced the site with a message stating that the forum's user database has been compromised, and added that affected users can have their private messages and profiles removed by paying between $50 and $100.

NTreatment exposes data
NTreatment inadvertently exposed thousands of medical records online after it failed to password-protect a cloud server. The misconfigured server held medical records, doctors' notes, insurance claims, lab test results from third-party providers, and other sensitive information on patients in the U.S.

Six pharma companies targeted
North Korean hackers have targeted at least six pharmaceutical companies in the U.S., the U.K., and South Korea working on COVID-19 vaccines. The targeted firms include Johnson & Johnson, Novavax Inc., Genexine Inc., Shin Poong Pharmaceutical Co., and Celltrion Inc. North Korean hackers also tried to infiltrate the U.K.-based AstraZeneca PLC.

E-Land attacked
The Clop ransomware gang claims to have stolen 2 million credit card records from E-Land Retail over the course of a year. The gang says it breached the firm more than a year ago and quietly harvested card data using POS malware installed on the retailer's network before deploying ransomware.

Top Malware Reported in the Last 24 Hours

New variant of TrickBot
A new TrickBot variant carries a module that probes the platform's UEFI/BIOS firmware for weaknesses, specifically checking whether the SPI flash write protections are enabled. Where they are not, a threat actor could write an implant into the firmware and establish persistence that survives OS reinstallation and even disk replacement. For now, the module targets only Intel platforms (Skylake, Kaby Lake, Coffee Lake, and Comet Lake). It also includes code to read, write, and erase firmware, so beyond persistence it could be used to brick a machine outright.
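The write-protection check described above comes down to decoding a handful of Intel PCH registers: the BIOS_CNTL byte (BIOSWE, BLE and SMM_BWP bits) and the SPI Protected Range registers PR0 to PR4. The following is an added example, not TrickBot's code and not from the original article; it shows how a defender (or the module) would interpret those bits. The register values are constructed sample values, not read from hardware, and the helper names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bits (Intel PCH, LPC/SPI bridge PCI config space offset 0xDC). */
#define BIOS_CNTL_BIOSWE  (1u << 0)  /* BIOS Write Enable: 1 = flash is writable      */
#define BIOS_CNTL_BLE     (1u << 1)  /* BIOS Lock Enable: SMI fires when BIOSWE is set */
#define BIOS_CNTL_SMM_BWP (1u << 5)  /* SMM BIOS Write Protect: writes only from SMM   */

/* SPI Protected Range register PRx layout (base/limit are in 4 KiB units). */
#define PR_WPE        (1u << 31)               /* Write Protection Enable */
#define PR_LIMIT(v)   (((v) >> 16) & 0x1FFFu)  /* bits 28:16 */
#define PR_BASE(v)    ((v) & 0x1FFFu)          /* bits 12:0  */
#define PR_COUNT      5

typedef struct {
    bool bioswe, ble, smm_bwp;
    bool write_protected;   /* true when BIOSWE is clear and BLE enforces that */
} bios_cntl_state;

/* Decode BIOS_CNTL the way a write-protection audit (e.g. chipsec bios_wp) does. */
bios_cntl_state decode_bios_cntl(uint8_t v) {
    bios_cntl_state s;
    s.bioswe  = (v & BIOS_CNTL_BIOSWE)  != 0;
    s.ble     = (v & BIOS_CNTL_BLE)     != 0;
    s.smm_bwp = (v & BIOS_CNTL_SMM_BWP) != 0;
    /* Protected only if writes are disabled AND the lock bit stops re-enabling them.
       Without SMM_BWP the lock can still be raced from a non-SMM context. */
    s.write_protected = s.ble && !s.bioswe;
    return s;
}

/* True if some PRx with WPE set covers flash address `addr`. */
bool pr_covers_write(const uint32_t pr[PR_COUNT], uint32_t addr) {
    for (int i = 0; i < PR_COUNT; i++) {
        if (!(pr[i] & PR_WPE)) continue;
        uint32_t base  = PR_BASE(pr[i]) << 12;
        uint32_t limit = (PR_LIMIT(pr[i]) << 12) | 0xFFFu;
        if (addr >= base && addr <= limit) return true;
    }
    return false;
}

/* Overall verdict for a write to `addr`: blocked by BIOS_CNTL or by a PR. */
bool firmware_write_blocked(uint8_t bios_cntl, const uint32_t pr[PR_COUNT], uint32_t addr) {
    return decode_bios_cntl(bios_cntl).write_protected || pr_covers_write(pr, addr);
}

/* Constructed sample values (assumptions, not captured from a real machine). */
static const uint8_t  SAMPLE_BIOS_CNTL_OPEN   = 0x00; /* BIOSWE=0 BLE=0: nothing locked */
static const uint8_t  SAMPLE_BIOS_CNTL_LOCKED = 0x22; /* BLE=1 SMM_BWP=1: locked        */
/* PR0: WPE set, base 0x500 (0x500000), limit 0x7FF (0x7FFFFF); PR1..PR4 unused. */
static const uint32_t SAMPLE_PR[PR_COUNT] = { 0x87FF0500u, 0, 0, 0, 0 };

int main(void) {
    bios_cntl_state s = decode_bios_cntl(SAMPLE_BIOS_CNTL_OPEN);
    printf("BIOS_CNTL: BIOSWE=%d BLE=%d SMM_BWP=%d -> %s\n", s.bioswe, s.ble, s.smm_bwp,
           s.write_protected ? "write-protected" : "WRITABLE");
    uint32_t probes[] = { 0x100000u, 0x600000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("write to 0x%06x: %s\n", probes[i],
               firmware_write_blocked(SAMPLE_BIOS_CNTL_OPEN, SAMPLE_PR, probes[i])
                   ? "blocked by PR" : "ALLOWED (implant possible)");
    return 0;
}
```

The first probe address falls outside the single protected range and would be writable with BIOS_CNTL wide open; that is exactly the condition the TrickBot module is looking for. On a live system the bits are read from the PCH via the SPI controller rather than from sample constants, which is what tools such as chipsec's bios_wp module do.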

Xanthe botnet
A new botnet strain called Xanthe targets Linux-based systems with the aim of mining Monero cryptocurrency. The operators use several methods, such as harvesting client-side certificates and SSH credentials from infected hosts, to spread across the network. The main payload is a variant of the XMRig Monero miner.

Top Vulnerabilities Reported in the Last 24 Hours

Xerox fixes two flaws
Xerox has issued fixes for two vulnerabilities in its DocuShare enterprise document management platform. The bugs, if exploited, could expose DocuShare users to attacks resulting in the loss of sensitive data. The flaws are an unauthenticated XML external entity (XXE) injection and a server-side request forgery (SSRF).

Vulnerable Google Play Core Library
Many apps bundling vulnerable versions of the Google Play Core Library are at risk of arbitrary code execution inside those legitimate apps: a malicious app installed on the same device can inject code into the vulnerable app and run it with that app's permissions. Tracked as CVE-2020-8913, the vulnerability is rated CVSS 8.8 and was fixed in Google Play Core Library version 1.7.2. Because the library is compiled into each app, the fix only takes effect once developers rebuild with the patched version, which is why the vulnerable library is still found in popular apps including Aloha, XRecorder, Hamal, Edge, OkCupid, and Bumble.

Top Scams Reported in the Last 24 Hours

Philabundance loses $1 million in scam
Philabundance, a Philadelphia food bank, has been scammed out of nearly $1 million in a BEC attack. It was carried out through a phishing email that appeared to come from a legitimate supplier.

FINRA impersonated
Users are being warned about an ongoing phishing scam that impersonates FINRA. The fraudulent emails come from the domain 'invest-finra.org', which was registered on November 5. Because the domain is not connected with FINRA, member brokerage firms are advised to delete all emails received from it immediately. FINRA also asks firms to verify the legitimacy of any suspicious email before responding to it.

HMRC phishing scam
Threat actors are abusing the legitimate SendGrid mailing service to send HMRC phishing emails that bypass spam filters. The phishing pages linked from the emails imitate the HMRC and Gov.UK sites and contain forms that collect sensitive information.


Posted on: December 03, 2020
