Cyware Daily Threat Intelligence, December 12, 2019


Another day, another list of security updates. Apple and Google have each addressed around 50 security flaws in their December 2019 releases, landing in the same week as the December Patch Tuesday. Apple’s updates fix 50 vulnerabilities across macOS Catalina, iOS, iPadOS, Safari, and other products, while Google has shipped the stable release of Chrome 79 with 51 security fixes.

A comeback of the long-running Waterbear cyberespionage campaign was also noticed in the past 24 hours. The campaign, believed to be run by the BlackTech threat actor group, has evolved to include a new evasion technique: it hooks two APIs, ‘ZwOpenProcess’ and ‘GetExtendedTcpTable’, inside a specific security product’s process so that the product can no longer see Waterbear’s own process or its network connections.

A new variant of Buran ransomware called Zeppelin has also been identified targeting IT and healthcare companies located in the U.S. and Europe. While encrypting target files, Zeppelin does not append an extension and the file name is also kept the same.

Top Breaches Reported in the Last 24 Hours

Over one billion credentials leaked
An unsecured Elasticsearch database discovered on December 4 has exposed 2.7 billion email addresses, more than one billion of them paired with plain-text passwords, on the internet. Researchers deduce that much of the data is a compilation of older breaches of Chinese internet companies, including NetEase, Tencent, Sohu, and Sina. The leaked email addresses mainly come from Chinese domains such as qq.com, 139.com, 126.com, gfan.com, and game.sohu.com.

An unprotected AWS bucket
Over 750,000 birth certificate applications are publicly available due to an unprotected AWS bucket. The exposed records include name, date of birth, current home address, email address, phone number, names of family members, and historical information. The applications date back to late-2017 and the bucket was updated daily.

Florida’s PRIDE attacked
A ransomware attack has affected the communication systems of Prison Rehabilitative Industries and Diversified Enterprises Inc (PRIDE). This includes the nonprofit’s website, payroll records, email, customer and vendor lists, and several other back-end operations.

Top Malware Reported in the Last 24 Hours

Krampus-3PC
A new malvertising campaign dubbed Krampus-3PC has been served through more than 100 publisher websites to target iPhone users. Visitors to any of the affected sites are redirected to a fraudulent pop-up masquerading as a grocery store reward ad. Along the way, the malicious code harvests the users’ session and cookie information, giving the attackers a way to log into the victims’ online accounts.

Zeppelin ransomware
Zeppelin is a new variant of the VegaLocker/Buran ransomware. It has been spotted infecting U.S. and European IT and healthcare companies in targeted attacks. It is not yet known how the ransomware is being distributed, but the likely vector is Remote Desktop servers that are publicly exposed to the internet.

Waterbear campaign
The Waterbear campaign, which has been around for several years, is back with new evasion techniques. The campaign is associated with the cyberespionage group BlackTech, which mainly targets technology companies and government agencies in East Asia. In the latest Waterbear activity, researchers found the attackers using API hooking to avoid detection by a specific security product: two APIs, ‘ZwOpenProcess’ and ‘GetExtendedTcpTable’, are hooked inside that product’s process so that it cannot enumerate Waterbear’s process or its TCP connections.
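The hooking described above (here and in the summary at the top of the briefing) is detectable: an inline hook replaces the first bytes of the target function with a jump stub, so comparing the prologue of ZwOpenProcess or GetExtendedTcpTable as loaded in memory with the clean bytes from the DLL on disk, and decoding where any jump leads, reveals the tampering. The following is an added example, not code from the Cyware briefing or from the Waterbear report. It contains only the comparison and stub-decoding logic; the module addresses, syscall number and byte strings are constructed samples, and on a real Windows host the in-memory bytes would come from the security product’s process and the on-disk bytes from the mapped DLL image (x64 layouts assumed).

```python
"""Spot inline (trampoline) hooks on exported Windows APIs.

Added example for the Waterbear API-hooking item; not from the original
briefing. All addresses and byte strings below are constructed samples.
"""
import struct
from typing import Optional, Tuple

MASK64 = (1 << 64) - 1


def decode_trampoline(code: bytes, address: int) -> Optional[Tuple[str, int]]:
    """Recognise the jump stubs hooking frameworks usually write over a
    function prologue and return (kind, target). None if no stub is present."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        # The real target sits in a pointer slot; report the slot's address.
        return "jmp [rip+disp32]", (address + 6 + disp) & MASK64
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax,imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret (32-bit)
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name: str, address: int, in_memory: bytes, on_disk: bytes,
                 module_range: Tuple[int, int]) -> dict:
    """Compare the loaded prologue of `name` with its on-disk bytes.

    module_range is (base, end) of the owning DLL image. A jump that leaves
    the module is the strongest signal of a third-party hook; a modified
    prologue whose jump stays inside the module may be a legitimate hot-patch."""
    n = min(len(in_memory), len(on_disk))
    verdict = {"function": name, "address": address,
               "prologue_modified": in_memory[:n] != on_disk[:n],
               "stub": None, "target": None, "target_outside_module": False}
    stub = decode_trampoline(in_memory, address)
    if stub is not None:
        kind, target = stub
        base, end = module_range
        verdict.update(stub=kind, target=target,
                       target_outside_module=not (base <= target < end))
    return verdict


# --- constructed sample data (hypothetical addresses, not from a real host) ---
NTDLL_RANGE = (0x7FFB12340000, 0x7FFB12530000)
ZW_OPEN_PROCESS = NTDLL_RANGE[0] + 0x9C4D0
# Clean x64 ntdll syscall stub: mov r10,rcx ; mov eax,imm32 ; test/jne ; syscall ; ret
ZW_CLEAN = bytes.fromhex("4c8bd1b826000000f604250803fe7f0175030f05c3")
ZW_HOOK_TARGET = 0x7FFB00E10000          # hypothetical page owned by the implant
ZW_HOOKED = (b"\xe9" + struct.pack("<i", ZW_HOOK_TARGET - (ZW_OPEN_PROCESS + 5))
             + ZW_CLEAN[5:])

IPHLPAPI_RANGE = (0x7FFB10A00000, 0x7FFB10A80000)
GET_EXT_TCP_TABLE = IPHLPAPI_RANGE[0] + 0x1B2C0
# Clean prologue: mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,30h
TCP_CLEAN = bytes.fromhex("48895c2408488974241057" "4883ec30")
TCP_HOOK_TARGET = 0x000001E2A4B30000      # hypothetical private heap page
TCP_HOOKED = (b"\x48\xb8" + struct.pack("<Q", TCP_HOOK_TARGET) + b"\xff\xe0"
              + TCP_CLEAN[12:])


def run_demo() -> dict:
    """Check both APIs named in the briefing against clean and hooked samples."""
    return {
        "ZwOpenProcess/clean": check_export("ZwOpenProcess", ZW_OPEN_PROCESS,
                                            ZW_CLEAN, ZW_CLEAN, NTDLL_RANGE),
        "ZwOpenProcess/hooked": check_export("ZwOpenProcess", ZW_OPEN_PROCESS,
                                             ZW_HOOKED, ZW_CLEAN, NTDLL_RANGE),
        "GetExtendedTcpTable/hooked": check_export("GetExtendedTcpTable",
                                                   GET_EXT_TCP_TABLE, TCP_HOOKED,
                                                   TCP_CLEAN, IPHLPAPI_RANGE),
    }


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        flag = "HOOKED" if verdict["target_outside_module"] else "ok"
        print(f"{label:28s} {flag:7s} stub={verdict['stub']} "
              f"target={None if verdict['target'] is None else hex(verdict['target'])}")
```

In practice the two byte strings are read with ReadProcessMemory from the monitored process and from the DLL file mapped at the same image base, and the module range comes from the loaded-module list; a jump out of ntdll or iphlpapi into an unbacked or private region is what a defender would alert on.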

Top Vulnerabilities Reported in the Last 24 Hours

Hole in Wemo Smart Plug
Belkin has fixed multiple vulnerabilities in the Wemo Insight Smart Plug. The flaws could be exploited to monitor a user’s activity, sniff their private data, switch the connected device on or off, and take control of the plug itself.

Chrome 79 patches flaws
Google has released a stable version of Chrome 79 with a total of 51 security fixes. 37 of these vulnerabilities were reported by external researchers. Two flaws are rated with ‘Critical’ severity. They are a use-after-free bug in the Bluetooth component (CVE-2019-13725) and a heap buffer overflow issue in password manager (CVE-2019-13726).

SAP releases updates
SAP has issued five new Security Notes as part of its December 2019 Security Patch Day. All of the flaws patched in this release are rated Medium priority, with CVSS scores ranging from 4.3 to 6.7.

Apple patches 50 bugs
Security updates released by Apple address 50 vulnerabilities in macOS Catalina, iOS, iPadOS, Safari, and other software products. The tcpdump component received the largest share of the fixes (32 flaws in total). Other components that received fixes include ATS, Bluetooth, CallKit, CFNetwork Proxies, CUPS, FaceTime, libexpat, and Security.

Top Scams Reported in the Last 24 Hours

Brokerage scam
A Lithuanian man and an unnamed co-conspirator have allegedly emptied victims’ brokerage accounts, stealing hundreds of thousands of dollars. The scheme ran for eight years, starting in 2011. The pair are accused of tricking day traders and their financial advisors into liquidating securities, wiring cash out of the brokerages, and opening new, fraudulent accounts in the victims’ names. They were able to pull off the scam because they had access to a huge number of email addresses and passwords that had been leaked on underground forums.

Tags

wemo smart plug
waterbear campaign
macos catalina
zeppelin ransomware

Posted on: December 12, 2019
