Cyware Daily Threat Intelligence, December 13, 2019

Malware authors are constantly enhancing the capabilities of existing malware in order to launch more damaging attacks worldwide. New versions of two such malware families - Trickbot and Echobot - have been uncovered in the past 24 hours. While the new Trickbot variant is being used to drop a new malware called Anchor onto the PoS systems of financial, manufacturing, and retail companies, the new Echobot variant has added a total of 77 exploits to its arsenal. The exploits cover a wide range of products, including routers, IP cameras, VoIP phones, presentation systems, smart home hubs, software, data analytics platforms, and biometric scanners.

A mysterious phishing campaign targeting government departments and related business services has also been spotted in the past 24 hours. So far, at least 22 organizations in countries including the United States, Canada, China, Australia, and Sweden have fallen victim to the attack. The campaign leverages spoofed government agency websites to lure users into sharing their credentials.

Top Breaches Reported in the Last 24 Hours

Southwire Company attacked
Maze ransomware operators have claimed responsibility for an attack against leading wire and cable manufacturer Southwire Company. The operators have demanded a ransom of 850 BTC (approximately $6 million) to restore the company’s encrypted data. The ransom note also states that company data has been exfiltrated and will be published if the ransom is not paid.

Click2Gov data breach
Attackers have breached the Click2Gov water bill payment portal of the City of Waco to steal residents' credit card details. The attackers siphoned off the sensitive data using malware between August 30 and October 14, 2019.

Top Malware Reported in the Last 24 Hours

Process hollowing technique
Researchers have documented a new cryptomining threat that uses the process hollowing technique and an interesting dropper component to infect systems. Process hollowing was used to disguise the presence of the cryptominer on infected systems, and the dropper component contained the malicious secret. The threat was found to be active during November, targeting countries including Kuwait, Thailand, India, Bangladesh, the United Arab Emirates, Brazil, and Pakistan.

New Echobot variant
A new version of Echobot has been found to include 77 exploits. The exploits target products including routers, IP cameras, VoIP phones, presentation systems, smart home hubs, software, data analytics platforms, biometric scanners, network-attached storage systems, and thermal cameras.

Anchor malware
The notorious Trickbot has been found delivering a new malware called Anchor in a new campaign targeting financial, manufacturing, and retail organizations. The ultimate target of the campaign is the companies’ PoS systems.

UNKN threats
The operators of REvil ransomware have created a new group called UNKN, which is responsible for the attack on the CyrusOne data center. The group threatens to publish the stolen files or sell them to competitors if the ransom is not paid.

Phishing campaign
A mysterious new phishing campaign is targeting government departments and related business services with the aim of stealing login credentials from victims. At least 22 organizations in countries including the United States, Canada, China, Australia, and Sweden have fallen victim to the attack. Spoofed government agency sites are used to trick users into sharing their credentials.

VISA warns about PoS attacks
VISA Payment Fraud Disruption (PFD) has issued a security alert about an ongoing threat targeting the PoS systems of North American fuel dispenser merchants. It listed three such attacks that were observed during the summer of 2019. The first attack was carried out using phishing emails, while the second and third attacks used malicious tools and TTPs associated with the financially motivated FIN8 threat actor group.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Siemens power plant equipment
Siemens industrial equipment commonly found in fossil-fuel and large-scale renewable power plants is riddled with over 50 security bugs, the most severe of which allow remote code execution. The affected product is SPPA-T3000. The vulnerabilities have been discovered in two specific components of the platform - the application server (seven bugs) and the migration server (10 bugs). Exploitation of these flaws could potentially stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.

Top Scams Reported in the Last 24 Hours

ICO fraud scam
The US Securities and Exchange Commission (SEC) has filed charges against the founder of Shopin for allegedly running an ICO scam that defrauded investors out of $42 million. To lure investors, the company produced a business plan and asked for investment in return. Unsuspecting investors were given tokens for participating in the funding; however, these tokens were illegitimate and led to an exit scam.

Posted on: December 13, 2019