Cyware Daily Threat Intelligence, December 16, 2019


In the fast-paced world of cybersecurity, cybercriminals are constantly launching large and sophisticated attacks using new variants of existing malware. One such case that came to notice in the past 24 hours is a new version of the Glupteba backdoor. The malware, which first appeared in 2014, has since evolved to include several evasion tricks and data-stealing capabilities. The new variant leverages living-off-the-land techniques and uses specific command-line triggers to bypass security solutions. Among its new capabilities, this Glupteba version can exfiltrate sensitive data, mine cryptocurrency, and steal browser information.

The past 24 hours also saw Google halt the rollout of Chrome 79, which shipped with fixes for 51 flaws, on Android. The decision was taken after app developers uncovered a major bug that caused data loss in some apps. The bug is triggered during the update from Chrome 78 to Chrome 79.

In other developments, TP-Link has patched a zero-day vulnerability in its Archer C5 (v4) routers running firmware version 3.16.0 0.9.1 v600c.0 Build 180124 Rel.28919n. The flaw could be exploited to take control of the router's configuration via Telnet on the LAN.

Top Breaches Reported in the Last 24 Hours

Private browsing history exposed
A database belonging to South African ICT company Conor Solutions has exposed the private browsing data and PII of more than 1 million users. The leaky database contained over 890GB of data, including index name, IP address, the full URL of visited websites, and the volume of data transferred per session.

Iran investigates an attack
Iran is investigating a foreign spyware attack on government servers, the third cyberattack it has reported, which occurred over the weekend. The attack has been attributed to the APT27 threat actor group and aimed at stealing sensitive government information.

Details related to New Orleans attack revealed
Based on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely carried out by the Ryuk ransomware threat actors. This came to light when researchers noticed memory dumps of executables uploaded to VirusTotal from a US IP address. The memory dumps contained numerous references to the City of New Orleans, including domain names, domain controllers, internal IP addresses, user names, and file shares, as well as references to the Ryuk ransomware.

Top Malware Reported in the Last 24 Hours

Glupteba evolves
Glupteba has undergone major changes since it first appeared in 2014. The current version of the backdoor comes with new capabilities that include data exfiltration, cryptocurrency mining, and browser information theft. The backdoor also includes several new tricks to evade detection: packing, specific command-line triggers, living-off-the-land techniques, and creating copies of itself.

sLoad trojan
A multi-stage downloader trojan dubbed sLoad has been found leveraging Background Intelligent Transfer Service (BITS) to steal data from compromised systems. BITS is a component of Windows operating systems used to facilitate file transfers between systems using idle network bandwidth.  

Top Vulnerabilities Reported in the Last 24 Hours

Npm patches two bugs
Two serious vulnerabilities discovered in the npm CLI have been patched recently. One of these flaws allowed an attack known as binary planting and affects npm CLI versions prior to 6.13.3. The second vulnerability exists in bin-links, the npm package that manages the links created from a package's bin field into ./node_modules/.bin/. To exploit these vulnerabilities, an attacker would have to persuade a user to install a package with a cleverly crafted bin entry.

Vulnerable TP-Link Archer C5 router
A firmware vulnerability has been discovered in TP-Link Archer C5 (v4) routers. The flaw can allow a remote attacker to take control of the router’s configuration via Telnet on the LAN and connect to an FTP server through LAN or WAN. TP-Link has issued patches to address the issue.

Google halts the rollout
Google has halted the rollout of Chrome 79 on Android after mobile app developers reported a major bug that was deleting user data and resetting mobile apps. The bug occurred during the update process from Chrome 78 to Chrome 79. 

Schneider Electric patches flaws
Schneider Electric has patched vulnerabilities affecting its Modicon M580, M340, Quantum, and Premium controllers. The flaws are denial-of-service (DoS) vulnerabilities caused by an improper check for unusual or exceptional conditions.


Posted on: December 16, 2019
