Cyware Daily Threat Intelligence, December 19, 2019


The past 24 hours saw the comeback of two notorious malware families: the Smominru botnet and the Emotet trojan. The Smominru botnet was found exploiting vulnerabilities in Windows systems to deploy various cryptocurrency-mining apps. Meanwhile, Emotet trojan operators impersonated German federal authorities to send spam emails to German users.

The recently discovered Zeppelin ransomware was also spotted in a new attack campaign that abused ScreenConnect MSP remote management software. After compromising systems, attackers first exfiltrate data, steal backup information, and later install the ransomware as the final payload.

In a new data leak instance, the automotive giant Honda has admitted to having exposed the records of nearly 26,000 North American customers. This is the second time the firm has experienced a data leak in 2019 due to an unsecured Elasticsearch database.

Top Breaches Reported in the Last 24 Hours

Cool Ideas suffers DDoS attack
Cool Ideas has suffered another major DDoS attack, affecting the connectivity of its customers across South Africa. The outage was reported on December 18, 2019. The ISP has informed its customers via its announcement page and is working on mitigating such attacks.

IMGE exposed Boeing staff’s data
Washington DC-based IMGE has accidentally exposed the names, phone numbers, home addresses, and email addresses of over 6,000 Boeing staff as a result of human error. The publicly accessible information includes data on employees ranging from senior executives to program managers to government-relations personnel.

Honda exposes 26,000 customers’ details
Honda has suffered another data breach due to an unsecured Elasticsearch database. The incident has exposed records of around 26,000 unique customers. The incident comes just months after the first data leak - which exposed 40GB of data - due to another unguarded Elasticsearch instance.

Municipalities' systems knocked offline
Systems of smaller municipalities in Florida and California were knocked offline in a series of ransomware attacks. The victims are Galt, California municipal systems, and the St. Lucie County, Florida Sheriff’s Department.

Andrew Agencies admits ransomware attack
Manitoba-based insurance and financial services company Andrew Agencies has admitted to falling victim to a Maze ransomware attack. The incident affected around 245 of the firm's computers, with their IP addresses, computer names, and data sizes exposed. The ransomware encrypted a total of 63 terabytes of data.

Top Malware Reported in the Last 24 Hours

Smominru botnet returns
Operators of the Smominru botnet are currently using an image of a pop singer to hide malware payloads as part of their latest infection process. The group is primarily focused on infecting Windows systems to deploy various cryptocurrency-mining apps to generate profits. Smominru's internet scanning modules identify vulnerable hosts on which the botnet can gain a foothold.

Emotet trojan returns
An active malspam campaign that impersonates multiple German federal authorities has been uncovered distributing the Emotet banking trojan. Spam emails with malicious attachments or links are sent in the name of these federal agencies to trick users. BSI, Germany's federal cybersecurity agency, has asked users to check the sender's name thoroughly before opening any attachment.

Spelevo observed in a new malvertising attack
The Spelevo exploit kit has been observed in a new malvertising attack that distributes two malicious payloads: Ursnif and Qbot. Unsuspecting victims are tricked into installing a video codec to play a movie. This is a trap; instead of a codec, the Spelevo EK is executed.

Zeppelin ransomware re-emerges
Threat actors are utilizing the ScreenConnect MSP remote management software to compromise a network, steal data and install Zeppelin ransomware on compromised computers. The malware is the latest variant of VegaLocker ransomware.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft addresses SharePoint Server vulnerability
Microsoft has released out-of-band security updates to address a vulnerability in SharePoint Server. The vulnerability in question is CVE-2019-1491 and can be exploited to obtain sensitive information. Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1, and Microsoft SharePoint Server 2019 are impacted by the flaw.

Vulnerable smartwatches
At least 47 million kids' smart tracker watches are affected by multiple vulnerabilities. The flaws can be exploited to retrieve or change the real-time GPS position of millions of kids, spy on them, or steal audio recordings.


Posted on: December 19, 2019
