Cyware Daily Threat Intelligence December 19, 2018

Top Breaches Reported In The Last 24 Hours

NASA faces data breach, Employee information possibly leaked
NASA has admitted that it was hacked earlier in 2018. The intrusion was discovered on October 23, 2018. The personal information of current and former employees, including sensitive data such as Social Security numbers, may have been leaked in the breach. NASA reported that an intruder gained access to a server containing employees' personal data; the full scope of the breach is not yet known.

300,000 users' data stolen in Click2Gov breach
Vulnerabilities in the Click2Gov payment system led to the exposure of 300,000 users' data in a major breach reported by Gemini Advisory. Sensitive information, including credit card data, was stolen from people who used the system to pay taxes and fines. It is estimated that the criminals earned at least $1.7 million by selling the stolen data on the Dark Web.

Email data leaked at Britain's Wellcome Trust
Britain's biggest charity has been hit by an email data breach that compromised staff email accounts.
The email accounts of four senior people were compromised between 12 November 2017 and 13 August 2018, before the attack was discovered in August 2018.

Top Malware Reported In The Last 24 Hours

Cryptojacking campaigns attributed to Rocke, 8220 Mining Group and Tormine
Researchers have identified multiple threat actor groups, rather than the single actor initially believed to be responsible, behind recent illicit cryptomining campaigns that operate with similar TTPs. Shared TTPs include malicious shell scripts masquerading as JPEG files that install cron jobs and then download and execute miners. The campaigns also use variants of the open-source miner XMRig adapted for botnet mining, with the version chosen according to the victim's architecture. The groups targeted flaws in Apache Struts2, Jenkins, and JBoss servers.

Open-source Quasar RAT used in network exploits
Quasar RAT and its modified variants, recently identified by security researchers, have been used in multiple network exploits by several APTs. This open-source RAT uses a client-server architecture that lets an attacker remotely access many clients at once: the server side builds client binaries and manages client connections. The targeted systems include Windows versions ranging from modern Windows 10 all the way back to Windows XP Service Pack 3.

Top Vulnerabilities Reported In The Last 24 Hours

XXE Injection flaw identified in S3 browser
Security researchers at Positive Research Center identified a medium-severity XXE injection vulnerability in S3 Browser. The flaw lies in the client's handling of responses from the HTTP-based S3 protocol: because server responses are transmitted as XML, a malicious server response allows remote attackers to read user files and obtain NTLMv2 hash values. Users are advised to update to the latest patched version (7.x or above), as the flaw affects version 7.x and earlier versions.
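A client-side mitigation for the class of flaw described above, added here as an example rather than code from S3 Browser or Positive Research Center: it assumes a client written in Python with the standard library, refuses any S3 response that declares a DTD (the precondition for XXE) before building a tree, and uses two constructed sample responses.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample: a benign ListBucketResult as S3 would return it.
BENIGN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <Contents><Key>reports/q4.pdf</Key><Size>1024</Size></Contents>
  <Contents><Key>notes.txt</Key><Size>12</Size></Contents>
</ListBucketResult>"""

# Constructed sample: the same shape from a rogue endpoint, carrying a DTD
# that declares an external entity. A parser that resolves entities would
# substitute the named file's contents into <Name>, which is the file read
# the advisory describes.
HOSTILE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ListBucketResult [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>&ext;</Name>
</ListBucketResult>"""

class UnsafeXmlResponse(ValueError):
    """The response carries a DTD, which every XXE payload needs."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it reaches <!DOCTYPE ...>, before any
    # entity can be declared or expanded.
    raise UnsafeXmlResponse(f"DOCTYPE {name!r} in S3 response; refusing to parse")

def parse_s3_response(body: bytes) -> ET.Element:
    """Parse an S3 XML response, refusing any document that declares a DTD.
    S3 never sends one, so legitimate traffic is unaffected."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(body, True)          # raises on a DTD or on malformed XML
    return ET.fromstring(body)         # DTD-free document: safe to build a tree

def list_keys(body: bytes) -> list:
    """Object keys from a ListBucketResult, parsed through the hardened path."""
    root = parse_s3_response(body)
    return [k.text for k in root.iter(S3_NS + "Key")]

def response_is_safe(body: bytes) -> bool:
    try:
        parse_s3_response(body)
        return True
    except UnsafeXmlResponse:
        return False
```

Scanning with expat rather than a regex matters because the handler fires only on a real DOCTYPE declaration, not on the string inside a comment or CDATA section, and expat has already handled the document's declared encoding.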

Researchers warn against using HolaVPN due to no encryption and IP leaks
Security researchers from Trend Micro reported security flaws in the HolaVPN software, which does not use encryption and leaks IP addresses, compromising user privacy and security. Once the free HolaVPN is installed, the user's machine becomes one of Luminati's exit nodes. If that machine is part of a corporate network, acting as an exit node may give unknown third parties a possible entry point into company systems. HolaVPN could thus let attackers circumvent corporate firewalls and explore a company's internal network for nefarious purposes.

Top Scam Reported In The Last 24 Hours

Apple ID phishing campaign disguises itself as Purchase Confirmation from App Store
A sophisticated phishing campaign is targeting Apple users with emails confirming the purchase of a $30 app. Attached to the emails is a PDF receipt with links to report the purchase as unauthorized. The link takes users to a series of phishing pages designed to mirror the legitimate Apple website. The pages ask users to enter their login credentials, show the account as locked, and then ask for personal information to unlock it. Having handed all of their personal information to the scammers, victims can become targets of identity-theft-based crimes.
