Cyware Daily Threat Intelligence, January 17, 2020


Failing to apply security patches on time can invite unwanted problems for organizations. In a new security alert sent to private industry partners, the FBI has disclosed that the networks of two US municipalities were breached last year by exploiting a previously known remote code execution vulnerability in Microsoft SharePoint servers. The attackers had abused the flaw to steal the Active Directory database, compromise administrative credentials and drop webshells for backdoor access to the compromised servers. 

Two new malware families, NOTROBIN and JhoneRAT, were also uncovered in the last 24 hours. While NOTROBIN leverages the recently discovered NetScaler vulnerability for propagation, JhoneRAT is delivered to a victim’s machine via malicious Microsoft Office documents. Apart from these, security researchers have also discovered a new version of the Trickbot trojan that uses the Fodhelper UAC bypass to evade detection while infecting Windows 10 users.

Top Breaches Reported in the Last 24 Hours

Public regulation commission site hacked
The Public Regulation Commission website in New Mexico has been hacked by an outside source. Although it is unclear whether any confidential information has been leaked, the Department of Information Technology has informed DHS and Emergency Management about the incident. 

‘WeLeakInfo.com’ seized
The Federal Bureau of Investigation has seized the internet domain ‘WeLeakInfo.com’. The website was online for the past three years and was selling access to over 12 billion records hacked from other websites. This data was obtained from over 10,000 data breaches. The breached records included names, email addresses, usernames, and phone numbers.

Two US municipalities breached
Nation-state hackers breached the networks of two US municipalities last year. This was done by exploiting a previously known vulnerability (CVE-2019-0604) in Microsoft SharePoint servers. Once attackers gain a foothold on these networks, they can perform several malicious activities such as exfiltrating user information, escalating to administrative privileges and dropping webshells for persistent backdoor access.

Tinder photos leaked
A large cache of more than 70,000 photos of female Tinder users has been found circulating on a cybercrime forum. It remains unclear how cybercriminals gained access to the platform and how they plan to use the photos.

Top Malware Reported in the Last 24 Hours

Trickbot modified
The latest version of Trickbot has been upgraded with a new UAC bypass module to target Windows 10 systems. Once installed, the variant checks whether the operating system is Windows 7 or Windows 10. On Windows 7 the trojan uses the CMSTPLUA UAC bypass; on Windows 10 it uses the Fodhelper UAC bypass. The trojan uses this bypass to launch itself with elevated privileges without showing a UAC prompt to the user.
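A detection-side illustration of the Fodhelper bypass mentioned above, added here and not part of the Cyware post or of any Trickbot analysis: it scans constructed Sysmon-style events for the two observable halves of the technique, the hijack of the user-hive ms-settings handler key and an interpreter spawned by fodhelper.exe. The registry path and fodhelper.exe behaviour are public knowledge (MITRE ATT&CK T1548.002); the key=value event format, sample paths and rule names are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Registry location the public Fodhelper UAC bypass hijacks: the auto-elevating
# fodhelper.exe resolves the ms-settings protocol handler from the user's own
# hive, so a write there followed by fodhelper.exe spawning a child is the tell.
MS_SETTINGS_HANDLER = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command", re.IGNORECASE)
# fodhelper.exe has no business launching command interpreters.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}

# Constructed sample events in a simplified key=value form (values contain no
# spaces). This is not real Sysmon output; only the field names are borrowed.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\x.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\DelegateExecute Details=",
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\x.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default) Details=C:\Users\bob\AppData\Local\Temp\x.exe",
    r"EventID=1 Image=C:\Windows\System32\fodhelper.exe ParentImage=C:\Users\bob\AppData\Local\Temp\x.exe IntegrityLevel=High",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\fodhelper.exe IntegrityLevel=High",
    r"EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\.txt\(Default) Details=txtfile",
    r"EventID=1 Image=C:\Windows\System32\fodhelper.exe ParentImage=C:\Windows\explorer.exe IntegrityLevel=High",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a field dictionary."""
    return {k: v for k, v in re.findall(r"(\w+)=(\S*)", line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_fodhelper_bypass(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, offending image) alerts for both halves of the technique."""
    alerts = []
    for ev in map(parse_event, lines):
        # Half 1: registry value set (Sysmon event 13) under the hijacked handler key.
        if ev.get("EventID") == "13" and MS_SETTINGS_HANDLER.search(ev.get("TargetObject", "")):
            alerts.append(("ms-settings handler hijack", ev.get("Image", "")))
        # Half 2: process creation (Sysmon event 1) of an interpreter under fodhelper.exe.
        elif (ev.get("EventID") == "1"
              and basename(ev.get("ParentImage", "")) == "fodhelper.exe"
              and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN):
            alerts.append(("fodhelper.exe spawned interpreter", ev.get("Image", "")))
    return alerts


if __name__ == "__main__":
    for rule, image in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

Correlating the two alert types within a short window on the same host, rather than alerting on either alone, keeps the registry rule from firing on unrelated user-hive changes.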

New NOTROBIN backdoor
A group of attackers has been found exploiting the recently discovered NetScaler vulnerability to deploy a new backdoor named NOTROBIN. The vulnerability, tracked as CVE-2019-19781, affects Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). Researchers believe the actors are compromising NetScaler devices to launch a massive campaign through NOTROBIN.

JhoneRAT
Details about a new trojan named JhoneRAT have emerged recently. This new RAT is dropped onto a victim’s machine via malicious Microsoft Office documents. The RAT is currently being used against Arabic-speaking countries. JhoneRAT uses three different cloud services to perform all its command and control activities.

Top Vulnerabilities Reported in the Last 24 Hours

Protection against CryptoAPI vulnerability
Google and Tenable have published updates for their respective products to address the recently discovered CryptoAPI vulnerability. Tenable has issued plugins to detect the vulnerability, CVE-2020-0601. Google has released Chrome version 79.0.3945.130, which detects certificates that attempt to exploit the NSA-discovered CryptoAPI Windows vulnerability.

Buggy WP Database Reset plugin
Critical flaws discovered in the WordPress (WP) Database Reset plugin can allow attackers to escalate their privileges to administrator. The flaws, tracked as CVE-2020-7048 and CVE-2020-7047, can also be abused to reset any table in the database. The plugin is believed to be in use on over 80,000 sites. The flaws have been rated ‘Critical’ and ‘High’ on the CVSS scale. WordPress administrators are advised to update the plugin to version 3.15 to defend against attacks abusing these flaws.

PoC for Cisco’s DCNM flaws released
A researcher has publicly released proof-of-concept exploits for flaws in Cisco’s Data Center Network Manager (DCNM). These flaws, rated ‘Critical’ and ‘High’ on the CVSS scale, were addressed by Cisco early this month. A total of 12 vulnerabilities were found impacting the DCNM.

Top Scams Reported in the Last 24 Hours

A scam site established to steal funds
Fraudsters have set up a scam site with the intention of stealing funds from users. The fake site pretends to belong to a data protection fund created by the US Federal Trade Commission (FTC). Named ‘Official Personal Data Protection Fund’, the website promises financial compensation to users whose personal data appeared in information leaks. To claim it, victims are asked to make a small payment with the promise of receiving a much larger amount in return.

Synthetic identity fraud
Credit unions are increasingly falling victim to synthetic identity fraud. In this scheme, the crooks create an entirely fake identity and apply for anything from auto loans to credit cards. The fraudsters pick a random social security number or buy one on the dark web, then build a fake identity around it by linking it to a fake name, date of birth and, in some cases, social media accounts.


Posted on: January 17, 2020
