Cyware Daily Threat Intelligence, February 03, 2020


Unpatched software can expose organizations and individuals to serious risk. Attackers are actively scanning the internet for systems running vulnerable Linear eMerge E3 building access controllers, a product of Nortek Security & Control (NSC). The product is affected by ten vulnerabilities that can allow attackers to hijack smart doors and building access control systems and to launch DDoS attacks.

Security researchers have also uncovered a new variant of the ShadowPad backdoor, which the Winnti threat actor group used to target two Hong Kong universities. Separately, a bundle of installers disguised as software cracks and key generators has been spotted dropping password-stealing trojans and RATs, including Dreambot, Glupteba, and Raccoon Stealer.

Top Breaches Reported in the Last 24 Hours

Confederation College hit
Confederation College has shut down its IT services following a malware incident. There is no evidence so far that any personal information was stolen; however, the college has urged staff and students who stored personal passwords on the computer system to change those passwords. The college plans to notify affected individuals if it learns that personal information was exposed in the incident.

Magecart threat expands
A new analysis has revealed a further set of websites compromised by Magecart attackers. Pivoting on the domain name of the skimmer's exfiltration gate, opendoorcdn[.]com, and on urlscan results, researchers identified nine more infected sites in addition to the 2020 Olympic ticket resale sites reported earlier. Some of the sites appear to have been infected since October and November of last year.
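The pivot described above (take the gate domain from one skimmer and search other sites' page sources for it) can be scripted. The following is an added example for this brief, not a tool from Cyware or from the researchers it cites: only the defanged gate domain comes from the brief, the page samples are constructed, and the obfuscated forms it checks (a hex-escaped host string in inline JavaScript) are an assumption about what a practitioner would look for, not a description of this particular skimmer.

```python
"""Flag page sources that reference a known skimmer gate domain.

Added example, not Cyware's or the cited researchers' code. The defanged
gate domain is the one named in the brief; the HTML samples are constructed,
and the obfuscation forms checked are assumptions, not this skimmer's actual
loader layout.
"""
import re
from urllib.parse import urlparse

GATE_DOMAIN = "opendoorcdn[.]com"  # defanged indicator from the brief

# Matches the src attribute of external <script> tags.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def hex_escaped(text: str) -> str:
    """JavaScript \\xNN form of a string, a common way to hide a gate host inline."""
    return "".join(f"\\x{ord(c):02x}" for c in text)


def host_matches(url: str, domain: str) -> bool:
    """True if the URL's host is the gate domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def scan_page(html: str, gate: str = GATE_DOMAIN) -> list:
    """Return (kind, evidence) findings for every reference to the gate domain."""
    domain = refang(gate).lower()
    findings = []
    for src in SCRIPT_SRC.findall(html):
        if host_matches(src, domain):
            findings.append(("script_src", src))
    # Inline JavaScript: plain or hex-escaped host string, compared case-insensitively
    # after the external script src attributes have been stripped out.
    inline = SCRIPT_SRC.sub("", html).lower()
    if domain in inline:
        findings.append(("inline_plain", domain))
    if hex_escaped(domain) in inline:
        findings.append(("inline_hex", hex_escaped(domain)))
    return findings


def infected_pages(pages: dict) -> list:
    """Names of pages with at least one finding: the pivot that surfaces more victims."""
    return sorted(name for name, html in pages.items() if scan_page(html))


# Constructed samples (not real site content).
SAMPLE_PAGES = {
    "clean-shop": '<html><head><script src="/static/app.js"></script></head>'
                  '<body>Checkout</body></html>',
    "tagged-shop": '<html><head><script src="//cdn.opendoorcdn.com/js/cdn.js">'
                   '</script></head><body>Checkout</body></html>',
    "obfuscated-shop": r'<script>var g="\x6f\x70\x65\x6e\x64\x6f\x6f\x72\x63\x64'
                       r'\x6e\x2e\x63\x6f\x6d";new Image().src="https://"+g+"/g";</script>',
}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, scan_page(html))
    print("infected:", infected_pages(SAMPLE_PAGES))
```

Run it over saved checkout-page sources (or the script bodies those pages load) rather than a single HTML fetch: skimmers are frequently injected into a first-party JavaScript file, so the gate domain may only appear one hop away from the page itself.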

Top Malware Reported in the Last 24 Hours

Warzone RAT
Warzone is a remote access trojan (RAT) written in C++. It ships with a UAC bypass module for Windows 10 systems, so it can gain elevated privileges without prompting the user. It is distributed bundled with other malicious software or via spam email. Its capabilities include a password grabber, a keylogger, and privilege escalation.

New ShadowPad variant
Researchers have uncovered a new Winnti group campaign targeting two Hong Kong universities. The campaign uses a new variant of the ShadowPad backdoor that includes a new launcher and numerous modules. Once installed, the new variant starts a hidden, suspended Microsoft Windows Media Player process and injects itself into that process.
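The behaviour described above, a Windows Media Player process started only to be injected into, leaves a correlatable trace in Sysmon telemetry. The following is an added example of that correlation, not a detection published by the researchers or by Cyware: the process-creation (Event ID 1) and ProcessAccess (Event ID 10) field names are Sysmon's real ones, but the log events are constructed, the 30-second window and the expected-parent list are assumptions for illustration, and nothing here claims to match ShadowPad's loader beyond what the brief states.

```python
"""Correlate Sysmon process-creation and ProcessAccess events to flag a freshly
started wmplayer.exe that another process immediately opens with write rights.

Added example, not the cited researchers' or Cyware's detection. Field names are
Sysmon's (Event ID 1: Image/ParentImage/ProcessId; Event ID 10: SourceImage/
TargetProcessId/GrantedAccess). The events, the WINDOW, and EXPECTED_PARENTS are
constructed assumptions for illustration.
"""
import ntpath
from datetime import datetime, timedelta

# Windows process access rights (documented constants).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TARGET = "wmplayer.exe"
EXPECTED_PARENTS = {"explorer.exe"}   # assumption: how a user normally launches it
WINDOW = timedelta(seconds=30)         # assumption: injection follows the start closely


def _ts(value: str) -> datetime:
    """Sysmon UtcTime format, e.g. 2020-02-03 09:05:00.120."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def has_inject_rights(granted_access: str) -> bool:
    """True if the hex GrantedAccess value includes VM_OPERATION and VM_WRITE."""
    return int(granted_access, 16) & INJECT_MASK == INJECT_MASK


def detect_wmplayer_injection(events: list) -> list:
    """One alert per wmplayer.exe start that is followed, within WINDOW, by a
    write-capable handle opened on it from a different image."""
    alerts = []
    for start in events:
        if start["EventID"] != 1 or ntpath.basename(start["Image"]).lower() != TARGET:
            continue
        t0, pid = _ts(start["UtcTime"]), start["ProcessId"]
        accesses = [
            e for e in events
            if e["EventID"] == 10
            and e["TargetProcessId"] == pid
            and ntpath.basename(e["SourceImage"]).lower() != TARGET
            and has_inject_rights(e["GrantedAccess"])
            and t0 <= _ts(e["UtcTime"]) <= t0 + WINDOW
        ]
        if not accesses:
            continue
        parent = ntpath.basename(start["ParentImage"]).lower()
        unexpected = parent not in EXPECTED_PARENTS
        alerts.append({
            "target_pid": pid,
            "parent": parent,
            "unexpected_parent": unexpected,
            "injectors": sorted({e["SourceImage"] for e in accesses}),
            "severity": "high" if unexpected else "medium",
        })
    return alerts


WMP = r"C:\Program Files\Windows Media Player\wmplayer.exe"
# Constructed Sysmon events: a benign user launch, then a launch from a Temp
# binary that immediately opens the new process with full access.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2020-02-03 09:00:00.000", "ProcessId": 4100,
     "Image": WMP, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "UtcTime": "2020-02-03 09:00:01.000", "TargetProcessId": 4100,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": WMP,
     "GrantedAccess": "0x1400"},   # query-only rights: not injection
    {"EventID": 1, "UtcTime": "2020-02-03 09:05:00.000", "ProcessId": 5212,
     "Image": WMP, "ParentImage": r"C:\Users\staff\AppData\Local\Temp\svc.exe"},
    {"EventID": 10, "UtcTime": "2020-02-03 09:05:00.120", "TargetProcessId": 5212,
     "SourceImage": r"C:\Users\staff\AppData\Local\Temp\svc.exe", "TargetImage": WMP,
     "GrantedAccess": "0x1FFFFF"}, # PROCESS_ALL_ACCESS
]

if __name__ == "__main__":
    for alert in detect_wmplayer_injection(SAMPLE_EVENTS):
        print(alert)
```

Two caveats for anyone turning this into a rule: a process that is created suspended and then overwritten may never trigger a CreateRemoteThread event (Sysmon Event ID 8), which is why the correlation keys on ProcessAccess instead; and Event ID 10 is only emitted for targets your Sysmon configuration includes, so wmplayer.exe must be in that list before the detection can fire.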

New phishing campaign
A new phishing campaign impersonating the Spamhaus Project warns recipients that their email address has been added to a spam block list. The email, with the subject line 'Urgent Take Action', includes a Google Drive link and a password for a file that allegedly contains instructions for removing the address from the Spamhaus Block List.

Fake installers stealing passwords
A bundle of installers posing as software cracks and key generators has been found dropping password-stealing trojans and RATs, among them Dreambot, Glupteba, and Raccoon Stealer. The bundles, which also carry adware, are distributed via torrent sites and fake YouTube videos.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Linear eMerge E3
Attackers are actively scanning the internet for vulnerable Nortek Security & Control (NSC) Linear eMerge E3 devices in order to hijack smart doors and building access control systems and to launch DDoS attacks. About ten vulnerabilities have been reported in NSC Linear eMerge E3 devices, six of them with a CVSS score of 9.8, and NSC has not yet released patches for them. More than 2,300 internet-exposed building access systems are vulnerable. Administrators running NSC Linear eMerge E3 devices are advised to take them off the internet or to restrict access to them with a firewall or VPN.

Top Scams Reported in the Last 24 Hours

New extortion scam
A new extortion scam leverages user account data stolen in the high-profile Ashley Madison breach. Back in August 2015, threat actors posted a 9.75 GB file containing details of 32 million Ashley Madison accounts on the dark web, including names, passwords, addresses, and phone numbers. Scammers are now using this data and threatening to share victims' embarrassing Ashley Madison details with their friends on social media and via email.

Exit scam
The Apollon dark web market appears to be pulling an exit scam on its users. Every vendor account on the platform has been locked, yet the market still accepts orders for those vendors' listings. One vendor has reportedly lost $11,000 worth of cryptocurrency as a result.

Tech support scam deactivated
A sophisticated browser locker campaign that ran on high-profile pages, such as the Microsoft Edge home page and popular tech sites, was deactivated last week. The threat actors behind it used a compromised ad content supplier to redirect victims to a browser locker page that is difficult to close.

Tags

shadowpad malware
apollon dark market
exit scam
fake installers
dreambot

Posted on: February 03, 2020
