Cyware Daily Threat Intelligence, January 07, 2020


Launching cyber attacks by exploiting known vulnerabilities has always been a go-to approach for malicious actors. Security experts have come across two such incidents in the past 24 hours, involving an enterprise VPN product from Pulse Secure and Android phones. The vulnerabilities in question are an arbitrary file read vulnerability and a Binder vulnerability respectively. Threat actors are exploiting both flaws in the wild to take control of devices.

A new version of the ‘Predator The Thief’ stealer malware has also been reported in the past 24 hours. The latest version, tracked as 3.3.4, is distributed via multiple phishing documents designed to look like invoices. It includes several anti-debug techniques to evade detection by security solutions.

In a new ‘police browser locker’ scam, scammers have been found targeting users by overlaying their web browser’s full-screen mode with a fake Windows 10 desktop. This fake image alerts the victim that their computer has been locked and can only be restored after paying a fine via credit card.

Top Breaches Reported in the Last 24 Hours

eHealth hit by ransomware
Some eHealth services have been affected following a ransomware attack. The organization maintains that no patient data was affected in the incident. eHealth staff are examining 110 servers that may have been attacked, and are working to assess and repair the damage and restore the information.

Blue Bear Software discloses Magecart attack
Blue Bear Software, an administration and e-commerce platform for K-12 schools and other educational institutions, has warned its customers that it has suffered a Magecart attack. The attack affected parents who used the platform to pay for student fees, books, and school supplies. The card-skimming code was active on websites using Blue Bear between October 1 and November 13, 2019.

Top Malware Reported in the Last 24 Hours

Predator The Thief v3.3.4
The stealer ‘Predator The Thief’ has been upgraded to version 3.3.4 with minor changes. The malware is distributed via multiple phishing documents designed to look like invoices. It includes several anti-debug techniques that make it harder to detect and analyze. It is also able to collect information in a file-less manner and delete itself immediately after sending the stolen data to its C2 server, which makes it more difficult for analysts to determine what was taken from the victim system. It also adds new ways of executing its additional modules and second-stage malware.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable VPN product exploited in the wild
A widely known arbitrary file read flaw, tracked as CVE-2019-11510, is being exploited in the wild. The vulnerability, which affects an enterprise VPN product from Pulse Secure, is being used as the entry point to deliver ransomware. The first exploitation attempts were spotted on August 21 and 22, 2019. Pulse Secure released a patch for CVE-2019-11510 in April 2019, so users who have not yet applied it are urged to do so to mitigate attacks.
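An arbitrary file read in a web-facing appliance is usually reached through path traversal in the request URL, so one practical check for an administrator who cannot patch immediately is to look for traversal that climbs above the web root in the appliance's access logs. The following is an added example and not code from the Cyware page or from Pulse Secure; it does not reproduce the CVE-2019-11510 payload but detects the generic pattern, handling single- and double-percent-encoded dot segments. The log lines and paths are constructed for illustration.

```python
"""Flag HTTP requests whose URL path traverses above the web root.

Added example, not from the Cyware page or Pulse Secure. It does not
reproduce the CVE-2019-11510 payload; it detects the generic pattern
(URL-decoded '..' segments that climb past the root) in constructed
access-log lines, including the double encoding some scanners use.
"""
import re
from urllib.parse import unquote

# Combined-log-format request field: "METHOD /path?query HTTP/1.x"
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample access log (not real traffic). Lines 2 and 4 escape the
# web root; line 3 contains '..' but stays inside /app and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2019:10:12:01 +0000] "GET /portal/login HTTP/1.1" 200 5120
203.0.113.7 - - [21/Aug/2019:10:12:05 +0000] "GET /portal/../../../../../../etc/passwd HTTP/1.1" 200 1834
192.0.2.4 - - [21/Aug/2019:10:20:00 +0000] "GET /app/static/../css/site.css HTTP/1.1" 200 812
198.51.100.9 - - [22/Aug/2019:02:44:17 +0000] "GET /portal/%252e%252e/%252e%252e/%252e%252e/etc/passwd?dl=1 HTTP/1.1" 200 1834
"""


def escapes_root(target: str, max_decode: int = 3) -> bool:
    """True if the path part of the request target climbs above '/'.

    Percent-decoding is repeated (up to max_decode rounds) so that
    '%2e%2e' and double-encoded '%252e%252e' are both normalised before
    the segment walk. The query string is ignored because it does not
    take part in path resolution.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:        # climbed above the root
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text: str) -> list:
    """Return (client_ip, request_target) for every line that escapes root."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        if escapes_root(m.group("target")):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal(SAMPLE_LOG):
        print(f"traversal from {ip}: {target}")
```

The segment walk deliberately counts real directory components rather than matching a fixed string, so a benign `static/../css` reference is not reported while any number of encoding layers that resolve to a climb past `/` is. A hit from an external address against a VPN appliance that has not received the April 2019 patch should be treated as a probable compromise, not just a scan.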

Binder vulnerability also exploited
The SideWinder APT group has been actively abusing an Android Binder vulnerability through at least three apps found in the Google Play Store. The three affected apps are Camero, FileCrypt, and callCam. The flaw, tracked as CVE-2019-2215, is a use-after-free in the Android Binder driver that lets an attacker gain root access; it affects several Android devices, including Pixel 1 and 2 phones.

Top Scams Reported in the Last 24 Hours

Browser Lock scam
Scammers are targeting victims using a new tactic that takes advantage of the web browser’s full-screen mode to show a fake Windows 10 desktop. Termed ‘police browser lockers’, the fake desktop tells the victim that their computer has been locked because of illegal activity. The scam asks the victim to pay a fine via credit card in order to unlock the computer. These scams are easy to detect: they run from fake, suspicious URLs, and the victim can still use other apps on the computer even while the browser appears locked.

New year free gift scam
Scammers are leveraging ‘New Year 2020’ phishing emails to trick users into sharing their payment card details. The phishing email claims to offer the recipient a ‘MacBook Pro laptop’ for free. In order to claim the offer, the target victim is asked to pay a shipping fee of $1 through a fake payment page included in the email.

Tags

pulse secure
ehealth
blue bear software
browser lock scam

Posted on: January 07, 2020
