Go to listing page

Cyware Daily Threat Intelligence, January 13, 2020

Cyware Daily Threat Intelligence, January 13, 2020

Share Blog Post

The threats posed by ransomware are not only dangerous, but they are also oddly baffling. Lately, the operators of two infamous ransomware - Maze and Sodinokibi - have publicly released the name of victim organizations that refused to cooperate with their ransom demands. Additionally, the threat actors have also published a portion of stolen data belonging to some of the affected firms. 

While Maze ransomware’s list of affected organizations includes Southwire, RBC, THEONE, Vernay, Bakerwotring, BILTON, Grecco Auto, Groupe Igrec, Mitch Co International, and Einhell, Sodinokibi has started its ‘Name and Shame’ technique by releasing approximately 337MB of data stolen from Artech Information Systems. The stolen data is available on a Russian hacker and malware forum.   

In another incident, a critical ‘Cable Haunt’ flaw affecting at least 200 million Broadcom-based cable modems was uncovered by security experts. The flaw which resides in the hardware and software component of the spectrum analyzer can allow attackers to launch MITM attacks, or even zombify devices to use them in botnet attacks.  

Top Breaches Reported in the Last 24 Hours

A new Magecart attack
A new Magecart attack has compromised a website collecting donations for the victims of Australia’s bushfires. Crooks planted a malicious script named ATMZOW on the website that was designed to steal the payment information of the donors. The stolen data was then sent to a domain amberlo[.]com under the control of the attackers.  

Megvii exposes data
Facial recognition data from millions of public surveillance cameras have been left exposed since the summer of 2019. The leaked data belongs to AI startup Megvii. It is unclear how many people have been affected by the security lapse.

Amazon shares customers’ data
Amazon has inadvertently shared some customers’ email addresses and phone numbers with a third-party. The incident occurred due to human error. At present, it is unclear how many customers are affected by the incident.  

Top Malware Reported in the Last 24 Hours

An Android malware strain dubbed as Trojan-Dropper.AndroidOS.Shopper.a has been found disguised itself as a system app to disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads and more. Once it infects a victim’s Android device, the malware downloads and decrypts the payload to perform various malicious activities such as collecting device info and harvesting users’ personal information. 

New MZRevenge ransomware
Security researchers have uncovered new ransomware named MZRevenge. It is written in the Delphi language and uses the AES-256-CBC algorithm to encrypt a victim’s file. The encrypted files are renamed to end with the suffix .MZ173801. Victims affected by the ransomware are prompted to pay a $300 ransom to recover their data.  

Ransomware operators publish more stolen data
Maze ransomware operators have listed out a number of victim companies that have denied to pay the ransom. The affected companies include Southwire, RBC, THEONE, Vernay, Groupe, Europe Handling SAS, Auteuil Tour Eiffel, BST & Co and more. The ransomware group has claimed to have exfiltrated 3GB of data from some of these firms. In another incident, the operators of Sodinokibi ransomware have also published around 337MB of stolen data belonging to Artech Information Systems.   

Top Vulnerabilities Reported in the Last 24 Hours

Cable Haunt flaw
At least 200 million Broadcom-based cable modems are affected by the new Cable Haunt flaw. The flaw can allow attackers to compromise a modem and gain full control over the inbound and outbound traffic. The attackers can also eavesdrop on browsing activity, re-route traffic to malicious domains, or even zombify devices to use them in botnet attacks.

PoC for Citrix bug released
Proof-of-concept for the critical Citrix bug has been published on GitHub, making future attacks trivial for most attackers. The vulnerability tracked as CVE-2019-19781 affects Citrix’s NetScaler ADC and NetScaler Gateway servers. It is estimated more than 80,000 organizations are running vulnerable Citrix instances. 

Top Scams Reported in the Last 24 Hours

School district loses $2.3 million
A school district in Manor, Texas has lost $2.3 million within two months in a phishing scam. The amount was paid to scammers in three separate transactions between November and December. The Federal Bureau of Investigation (FBI) is currently investigating the matter.  

SIM swap attack
Scammers are heavily making use of the Remote Desktop Protocol to conduct SIM swapping attacks. The technique involves convincing an employee in a telecom company’s customer support center to run or install RDP software. Once the RDP software is activated, the scammers again convince the employee to provide credentials to RDP service to remotely control the machine and reach into the company’s software to SIM swap individuals.

ANZ customers warned
Eight million Australians who bank with ANZ have been told to be on guard against a cunning email phishing scam that aims to harvest their data. The email reads, “You Have One Important Security Message In Your Internet Banking Account” and asks targets to ‘log on’ to view the message by hitting the link. 


trojan dropperandroidosshoppera
sim swap attack
mzrevenge ransomware
citrix bug
cable haunt flaw

Posted on: January 13, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.