Cyware Daily Threat Intelligence, February 27, 2020

Share Blog post

The cyberspace saw a mixture of new vulnerabilities and sophisticated cyberespionage campaigns in the past 24 hours. In a major revelation, researchers have proposed that WiFi-capable devices running on Broadcom and Cypress Wi-Fi chips are vulnerable to a new KrØØk vulnerability. The flaw that is related to KRACK vulnerability discovered in 2017, affects over a billion computers, phones, and other devices.

Talking about cyber espionage campaigns, threat actors are actively scanning the internet for Microsoft Exchange Servers that are vulnerable to a remote code execution flaw discovered this year. The flaw, if exploited, can allow attackers to execute code remotely with SYSTEM privileges on an exploited server and fully compromise it.

In another incident, a massive spear-phishing campaign, possibly connected to an Iranian APT group, was found using a new malware called ForeLord. The campaign targeted organizations in Turkey, Jordan, Iraq, Georgia, and Azerbaijan.

Top Breaches Reported in the Last 24 Hours

Clearview’s data breach
A facial recognition startup Clearview has disclosed a data breach that occurred due to unauthorized access. The data accessed includes the customer list, the number of accounts each customer has and the number of searchers. However, the firm has confirmed that no system or network was compromised in the incident.

Bretagne Télécom hacked
Cloud service provider Bretagne Télécom has been hacked by threat actors of DoppelPaymer ransomware by exploiting Citrix applications vulnerable to CVE-2019-19781. After infiltrating one of Bretagne Télécom’s servers, DopplePaymer operators were able to encrypt 148 machines running application servers running on Windows 7, Windows 8 and Windows 10.

BST attacked
New York-accounting firm BST revealed that it had fallen victim to a ransomware attack in December 2019. The firm was infected with Maze ransomware, which potentially compromised patient data from Community Care Physicians. The compromised personal health information included names, dates of birth, billing codes, insurance description and medical record numbers of patients.
 
Top Malware Reported in the Last 24 Hours

A new version of Cerberus
A new version of the Cerberus Android trojan that is capable of stealing one-time codes generated by the Google Authenticator app has been found recently. This will enable the malware to bypass 2FA-protected accounts.

ForeLord malware
A never-seen-before credential-stealing malware, dubbed ForeLord, has been uncovered in a recent spear-phishing email campaign steered by an Iranian APT group. The campaign was active between mid-2019 and mid-January 2020 and targeted organizations in Turkey, Jordan, Iraq, Georgia, and Azerbaijan.

Sodinokibi’s operators scale up their tactics
The operators of Sodinokibi ransomware have chalked out a new plan to put more pressure on victims to pay the ransom. One of the tactics involves auto-emailing stock exchanges, such as NASDAQ, about a company’s attack to hurt the value of their stock. Besides, the operators have also finished working on a blog that will be used while exposing victims’ stolen data.

Card skimmer use fake CDNs
Threat actors have been spotted camouflaging payment card data skimmers as fake content delivery network domains to evade detection by security solutions. Some of the fake CDN domains used for the purpose are cdn-mediafiles[.]org and cdn-sources[.]org.

Top Vulnerabilities Reported in the Last 24 Hours

KrØØk vulnerability
Over a billion computers, phones, and other devices are vulnerable to a KrØØk vulnerability as it can allow attackers to snoop on victims’ encrypted Wi-Fi traffic. The flaw tracked as CVE-2019-15126 is related to 2017’s KRACK technique used for spying on Wi-Fi networks. The bug stems from the use of an all-zero encryption key in chips made by Broadcom and Cypress.

RCE flaw actively exploited
Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability. The flaw is present in the Exchange Control Panel (ECP) component and arises due to Exchange’s inability to create cryptographic keys when being installed. Once exploited, it allows authenticated attackers to execute code remotely with SYSTEM privileges on an exploited server and fully compromise it.

Flaws in Trifo’s vacuum cleaner
Six security issues discovered in Trifo’s internet-connected vacuum cleaner could be abused by remote attackers to launch an array of attacks. The most severe vulnerability of all exists in Trifo’s Android app called Trifo Home and can allow attackers to access any video stream from any Trifo device across the world. So far, the flaws have not been patched by the firm.

Vulnerable iBaby Monitor M6S
The iBaby Monitor M6S connected baby camera has been found to be riddled with three vulnerabilities that can give attackers full access to personal information and sensitive video footage. The most severe flaw stems from an issue with the baby monitor’s implementation of the MQTT communication protocol.

 Tags

forelord malware
ibaby monitor m6s
sodinokibi ransomware
microsoft exchange servers
krk vulnerability
bretagne telecom

Posted on: February 27, 2020

Get the Daily Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!