
Cyware Daily Threat Intelligence, January 10, 2020


Phishing attacks rely on the best available evasion mechanisms to reach as many individuals as possible. While email spoofing remains the most common technique for tricking users, attackers have now been observed using a new evasion technique that relies on the gyroscope and accelerometer built into smartphones. The trick only works where the mobile browser exposes those sensors to web pages.

The past 24 hours also saw security researchers tracking an active Monero-mining campaign on compromised machines. The threat actors are exploiting vulnerable Exim, Confluence, and WebLogic servers; once a server is compromised, a malicious implant is deployed on it.

In another incident, Trickbot operators have been found using a new backdoor named PowerTrick to target financial institutions. The malware includes several anti-debugging techniques to avoid detection by security controls.

Top Breaches Reported in the Last 24 Hours

Data of 56.25 million US residents leaked
An unprotected database containing the personal details of 56.25 million US residents has been exposed online on a server whose IP address is associated with Alibaba's web-hosting arm in Hangzhou, China. The leaky database appears to belong to the Florida-based CheckPeople.com website and includes names, home addresses, phone numbers, and ages.

Front Rush exposes over 700,000 files
Front Rush, a technology company, has exposed a server containing over 700,000 files to the open internet. The exposed files include college athletes' medical records, performance reports, driver's licenses, and other personal information. Students' SAT scores, dates of birth, and physical evaluations are also among the exposed files.

Magecart group attacks
Multiple European websites for the Perricone MD anti-aging skin-care brand have been compromised in new Magecart attacks. The purpose was to steal customers' payment card details as they made purchases. The activity is believed to be the work of Magecart Group 9 and Group 3.

Top Malware Reported in the Last 24 Hours

Around 1,700 malicious apps removed
Google has removed nearly 1,700 applications infected with the Joker Android malware from its Play Store. These apps are reported to have been designed by Joker's creators to perform SMS fraud (older versions) and toll fraud (newer versions). To automate the fraudulent billing process without any user interaction, the malware authors used injected clicks, custom HTML parsers, and SMS receivers.

PowerTrick backdoor
Trickbot operators have developed a new backdoor, PowerTrick, that executes commands on the victim machine and returns the results Base64-encoded. The malware was observed in recent attacks aimed at high-value targets such as financial institutions. PowerTrick includes several anti-analysis techniques to bypass restrictions and security controls.

Pre-installed malicious app
Low-end smartphones sold to low-income Americans through a government-subsidized program have been found to ship with a pre-installed malicious app. The affected model is the Unimax U686CL, and the malware is Adups. It was found in one of the phone's built-in components, an app named Wireless Update.

Mobile sensor-based obfuscation
Security experts have come across a new phishing attack that abuses the motion sensors exposed by mobile web browsers. The attack starts with a text message that appears to come from a senior figure within a financial organization. The message uses a typical social-engineering lure to trick victims into clicking a lookalike URL. Visiting the URL from a browser that does not supply the expected sensor readings, such as a desktop browser, presents only a blank white page.
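The mechanism above can be reconstructed in a few lines. The block below is an added example, not code from the original briefing or from the phishing kit it describes: it models a page that stays blank until the browser delivers a few plausible `deviceorientation` readings (real handsets report numeric alpha/beta/gamma; desktop browsers fire nothing, or, as assumed here for Chrome, a single event with null readings), and then shows the analyst-side replay that makes a desktop browser or headless sandbox render the hidden content anyway. The event name, field names and the threshold of three readings are assumptions for illustration.

```javascript
// Added example (not the page's or the kit's code). Runs under Node 15+,
// where EventTarget and Event are globals, and unchanged in a browser with
// `window` as the target.
'use strict';

// Decide whether one deviceorientation-style event looks like a real handset.
// Assumption: phones deliver finite numbers; a desktop either never fires the
// event or fires one with null readings when the listener is registered.
function looksLikeHandset(ev) {
  return ['alpha', 'beta', 'gamma'].every(
    k => typeof ev[k] === 'number' && Number.isFinite(ev[k]));
}

// The gate: start with an empty page and reveal content only after `required`
// plausible readings. Anything that never supplies them sees a blank page.
class SensorGate {
  constructor(target, { eventName = 'deviceorientation', required = 3 } = {}) {
    this.page = '';          // the blank white page a desktop or sandbox sees
    this.seen = 0;
    this.required = required;
    target.addEventListener(eventName, ev => this.onReading(ev));
  }
  onReading(ev) {
    if (!looksLikeHandset(ev)) return;          // null readings do not count
    if (++this.seen >= this.required && this.page === '') {
      this.page = '<form id="login">...</form>'; // placeholder for gated content
    }
  }
}

// Analyst-side replay: dispatch the readings a phone would produce so the
// gated content renders and can be captured for analysis.
function replayOrientation(target, n, eventName = 'deviceorientation') {
  for (let i = 0; i < n; i++) {
    const ev = new Event(eventName);
    // Jittered values: a real sensor stream is never exactly constant.
    Object.assign(ev, {
      alpha: 90 + Math.random(), beta: 30 + Math.random(), gamma: -5 + Math.random(),
    });
    target.dispatchEvent(ev);
  }
}

// Stand-alone demonstration: a desktop-like target stays blank after the
// single null reading, then reveals the content once readings are replayed.
function demo() {
  const desktop = new EventTarget();
  const gated = new SensorGate(desktop);
  const nullReading = Object.assign(new Event('deviceorientation'),
    { alpha: null, beta: null, gamma: null });
  desktop.dispatchEvent(nullReading);
  const blankBeforeReplay = gated.page === '';
  replayOrientation(desktop, 3);
  return { blankBeforeReplay, revealedAfterReplay: gated.page !== '' };
}
```

In a sandbox the same replay is done by injecting `replayOrientation(window, 3)` into the page, or by dispatching the events from the automation driver; the defensive lesson is that any gate built on client-observable signals can be satisfied by an analyst who knows what the gate expects.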

Top Vulnerabilities Reported in the Last 24 Hours

A flaw in PayPal
A researcher has reported a critical flaw in PayPal that could have allowed attackers to obtain users' email addresses and passwords. The issue stemmed from the payment platform placing cross-site request forgery (CSRF) tokens and the user's session ID in a JavaScript file, which any website can load as a script. To retrieve the credentials, an attacker would need to lure the target to a malicious website before the target logged into their account. PayPal fixed the issue with a patch released on December 11, 2019.

Vulnerable servers still exploited
New attacks are exploiting vulnerable Exim, Confluence, and WebLogic servers in an attempt to implant Monero-mining malware. One such campaign, first observed in early June 2019, remains active along with its infrastructure.

Cisco patches multiple flaws
Cisco has released 14 security advisories covering vulnerabilities in multiple products. Two of the flaws are rated High on the CVSS scale: a command injection vulnerability and a cross-site request forgery vulnerability. Affected products include Cisco Webex, IOS XE Software, and Identity Services Engine, among others.



Posted on: January 10, 2020
