Cyware Daily Threat Intelligence December 13, 2018

Hackers hit the French Foreign ministry's website. The attackers stole personal information which was registered during the Ariane platform registration. Foreign Ministry stated that they took immediate steps to prevent such events from happening again. Experts stated that the poor standard of security concerning the website is to be blamed for this incident.

Hackers stole over $2 million from India’s Nariman Point branch of State Bank of Mauritius in October. The hackers transferred $.4 Mn to a bank in Paris, nearly $.6 Mn to a bank in London and the remaining amount in two banks in New York. However, the bank discovered it was hacked and attempted to block the fraudulent transactions. The hackers, however, had already transferred $2 million by then. 

Scammers stole $1 million from Save the Children Federation charity. The hackers gained entry into an employee's email account and used fake invoices to steal the funds. Fortunately, the charity managed to recoup all but $112,000 of the losses through insurance claims.

A new variant of the disk-wiping malware Shamoon, aka Disttrack was recently discovered. This new variant was uploaded to VirusTotal, but researchers haven’t linked it to a specific attack yet. The new Shamoon variant affects 32- and 64-bit systems running Windows. Unlike the original Shamoon variant, the new version does not require credentials to propagate. 

A new Mac scareware dubbed MAC.OSX.AMCleaner was recently discovered. The malware is primarily delivered by email to trick victims into installing fake cleaning software. The malware uses a malicious installer signed with a valid Apple-issued certificate that allows it to bypass macOS protections such as Gatekeeper and helps trick the victim into thinking it is safe to run the software.

A new macOS malware named OSX.LamePyre, which can run a backdoor and take screenshots, was recently discovered. The malware hides as the Discord messaging app for gamers. LamePyre does not include functionality that would allow it to pass as a legitimate Discord messenger. However, in most cases, LamePyre likely already runs the backdoor before users become aware of it.

A dozen flaws affecting SAP products were discovered and have been addressed. A total of 12 Patch Day Security Notes were included in the latest release. The patch also addresses a critical Cross-Site Scripting (XSS) vulnerability. Another high priority bug addressed is the missing Authorization check in SAP Customizing Tools. This bug allows an attacker to remotely manage certain types of RFC connections.

Three cross-site request forgery (CSRF) flaws were discovered in Samsung's mobile site, which, if exploited, can let attackers hijack an account. The vulnerabilities existed due to the way Samsung[.]com account page handled password-reset security questions. The flaws are now being fixed after a Ukrainian bug bounty hunter reported the issue to Samsung this month.

7 security bugs affecting WordPress 5.0 were discovered and patched. The patches address the security vulnerabilities (some of which allow site takeover), and a privacy leak issue. A cross-site scripting vulnerability that allowed WordPress users to edit new comments from higher-privileged users was addressed.