Cyware Daily Threat Intelligence, February 11, 2020

The cyber risk landscape is rapidly evolving as threat actor groups continue to launch sophisticated cyberespionage campaigns with a myriad of malicious intentions. In a recent security notification, the FBI has warned the US private sector about an ongoing attack campaign that is similar to the massive supply chain attack that occurred in 2018. Threat actors are now using the same Kwampirs remote access trojan (RAT) to infect organizations in the Industrial Control System (ICS) sector. Going by the code analysis, the FBI claims that the malware shares similarities with Shamoon data-wiping malware developed by the APT33 hacker group.

Talking more on malware variants, it has been found that the recently discovered Ragnar Locker ransomware is now using remote management software (RMM) to propagate across systems. The ransomware, when installed, performs a few checks before it starts encrypting files.

Apart from malware attacks, a major data leak was also reported in the past 24 hours. The incident had affected the personal identification information of 1.26 million Danish citizens. This occurred due to a software error in Denmark’s government tax portal.

Top Breaches Reported in the Last 24 Hours

1.26 million Danish citizens affected
A software error in Denmark’s government tax portal had accidentally exposed the personal identification numbers of 1.26 million Danish citizens. The information was exposed for five years (between February 2, 2015, and January 24, 2020). The leaked data included CPR numbers of Danish users. The CPR consists of ten digits, where the first six are a citizen’s birth date.

Leaky JailCore repository
A misconfigured Amazon S3 bucket belonging to JailCore had leaked 36,077 records of inmates. The records included full names, mugshots, inmate IDs, booking numbers, activity logs, and a host of personal health information of prisoners. The bucket was sealed on January 16, 2020.

Altsbit suffers an attack
Italian cryptocurrency trading firm Altsbit disclosed that it had suffered a security breach on February 5, 2020. The incident had led to the theft of its customers’ funds. At the time of writing, it is not clear who is behind the attack, hacking group @LulzSec has claimed the responsibility for the hack.

Misconfigured Docker registries
A slew of misconfigured Docker container registries containing the source code for 15,887 unique versions of applications, were found to be exposed to potential attacks. These applications belonged to research institutes, retailers, news media organizations and technology companies. The incident had occurred as the registries lacked proper authentication controls.

Top Malware Reported in the Last 24 Hours

Kwampirs RAT
The FBI has released a security alert about an ongoing hacking campaign that targets companies in the ICS sector. Threat actors behind the campaign are infecting companies with an evolved version of Kwampirs RAT. The federal agency has shared IOCs and YARA rules as indications for the Kwampirs RAT infection.

Ragnar Locker ransomware
The recently discovered Ragnar Locker ransomware has been found using Remote Management software (RMM) such as ConnectWise and Kaseya software to propagate across systems. Once executed, the ransomware encrypts the files with specific extensions. For each encrypted file, a preconfigured extension like .ragnar_22015ABC is appended to the file’s name.

Top Vulnerabilities Reported in the Last 24 Hours

Dell publishes an update
Dell has published a security update to patch a Support Assist Client software flaw which enables potential local attackers to execute arbitrary code with Administrator privileges on vulnerable computers. The flaw is tracked as CVE-2020-5316 and comes with a high severity CVSS base score of 7.8. The vulnerability affects all versions prior to Dell SupportAssist for business PCs version 2.1.3 and Dell SupportAssist for home PCs version 3.4.

Top Scams Reported in the Last 24 Hours

PayPal phishing scam
A new phishing email scam, that targets PayPal users, has been uncovered recently. The purpose of the scam is to steal personal data including social security numbers from victims. The scam starts with a phishing email that pretends to be from the online payment company’s notifications center. The email warns the recipients that their account has been restricted because it was logged into from a new browser or device. In order to complete the authentication process, victims are prompted to click on an attached link that redirects them to a phishing page, which asks for a complete rundown of personal data.

Benton county targeted
Benton County lately became the victim of a social engineering phishing scam. A fraudster pretending to be a building contractor working with the government had tricked the employees of the County Auditor’s Office to transfer a sum of $740,000 in November. Just over $23,000 of the transferred amount was withdrawn before SunTrust Bank identified it as a fraudulent account and froze it.


 Tags

paypal phishing scam
jailcore
kwampirs rat
ragnar locker ransomware

Posted on: February 11, 2020



More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.