Cyware Daily Threat Intelligence, January 20, 2020

Launching a cyber attack by exploiting known vulnerabilities has always been a go-to approach for malicious actors. Hence, it is essential for organizations to patch vulnerabilities immediately or apply mitigation measures to stay safe from attacks. Lately, Microsoft and Citrix have released fixes for a zero-day vulnerability and a NetScaler vulnerability, respectively, affecting their products. While Microsoft’s zero-day vulnerability impacting Internet Explorer comes with only workarounds and mitigations until a patch is released, Citrix has issued permanent security patches for the flaw affecting Citrix Application Delivery Controller (ADC) versions 11.1 and 12.0.

Talking about data breaches, an operator of a DDoS booter service has shared a massive list of Telnet credentials on a popular hacking forum. The stolen credentials belong to more than 515,000 servers, home routers, and IoT devices. Cybercriminals can purchase these credentials to hijack more smart devices and launch DDoS attacks or perform other malicious activities.

Top Breaches Reported in the Last 24 Hours

Telnet credentials leaked
An operator of a DDoS booter service has shared a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT devices on a popular hacking forum. The list includes each device’s IP address along with a username and password for the Telnet service. The hacker compiled the list by scanning the internet for devices with their Telnet port exposed.
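A defender's first question about a leak in this format is whether any of their own addresses are on it. The following added example (not part of the Cyware briefing) parses constructed sample lines in the described layout, one device per line as IP address, username and password, checks them against a hypothetical list of owned address blocks, and flags entries that still use well-known factory-default Telnet logins:

```python
import ipaddress
from typing import Iterable

# Constructed sample in the layout the leak is described to use: one device
# per line, IP address followed by the Telnet username and password.
# Addresses come from the RFC 5737 documentation ranges, not real devices.
SAMPLE_LEAK = """\
192.0.2.17 admin admin
198.51.100.42 root 12345
203.0.113.9 user user
192.0.2.250 admin password
not a valid line
"""

# Hypothetical address blocks the defender is responsible for.
OWN_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]

# Widely documented factory-default Telnet credentials; a hit here means the
# device was never reconfigured, not merely exposed.
DEFAULT_CREDS = {("admin", "admin"), ("root", "12345"), ("user", "user")}


def parse_leak(text: str) -> list[tuple[ipaddress.IPv4Address, str, str]]:
    """Parse 'ip user password' lines, skipping anything malformed."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1], parts[2]))
    return entries


def find_own_exposed(text: str, networks: Iterable[str]) -> list[dict]:
    """Return leaked entries inside the given networks; passwords are not
    echoed back, only whether they match a known default."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = []
    for ip, user, pw in parse_leak(text):
        if any(ip in n for n in nets):
            hits.append({"ip": str(ip), "user": user,
                         "default_creds": (user, pw) in DEFAULT_CREDS})
    return hits
```

Any hit is a device to take off the public internet or disable Telnet on, and a `default_creds` hit additionally means the factory password must be changed.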

IWG’s data leak
Detailed information about the job performance of more than 900 employees of Regus owner IWG was accidentally published online on the task management website Trello. The spreadsheet, which also contains the names and work addresses of hundreds of Regus sales managers, was accessible to anyone using a simple Google search.

Mitsubishi suffers cyber attack
Mitsubishi has recently disclosed that it has fallen victim to a massive cyberattack. The attack affected information related to government agencies and business partners. The compromised data includes email exchanges with the Defense Ministry and the Nuclear Regulation Authority, as well as documents related to projects with utilities, railways, automakers, and other firms.

Synagogue attacked
Temple Har Shalom in New Jersey had its network breached in a Sodinokibi ransomware attack. The temple’s files were encrypted and a ransom note was left behind. The encryption affected all server-based files and electronic data.

Greek government websites hacked
Turkish hackers claimed to have hijacked the official websites of the Greek parliament for more than 90 minutes. The hackers also targeted the websites of the foreign affairs and economy ministries, as well as the country’s stock exchange.

Top Malware Reported in the Last 24 Hours

Dustman, the new variant of ZeroCleare
A close comparison of Dustman and ZeroCleare has revealed that the former is likely a variant of the latter. Both malware families share similar code and files used in the attack, including the same code base, the use of the Turla driver and an EldoS RawDisk driver to wipe the disks of infected machines, and the same EldoS software license key.

Decryptor for Paradise ransomware
The decryption key for the Paradise ransomware has recently been released. The ransomware, first spotted in 2017, deletes shadow copies before initiating the encryption process on a victim’s computer. The ransomware does not affect computers whose keyboard language is set to Russian, Kazakh, Belarusian, or Ukrainian.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft discloses a zero-day flaw
Microsoft has published a security advisory for a zero-day vulnerability discovered in Internet Explorer. The vulnerability is currently being exploited in targeted attacks conducted by the DarkHotel threat actor group. Tracked as CVE-2020-0674, the flaw is a remote code execution vulnerability that exists in the way the JScript scripting engine handles objects in memory in Internet Explorer.

Citrix rolls out patches
Citrix has issued security patches for the actively exploited NetScaler vulnerability, tracked as CVE-2019-19781. The patches are for Citrix Application Delivery Controller (ADC) versions 11.1 and 12.0. The fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP, or on a Citrix ADC Service Delivery Appliance (SDX).

LastPass faces outage
LastPass is currently facing a major outage, with users reporting that they are unable to log into their accounts or autofill passwords. The problem appears to affect only users whose LastPass accounts were created in 2014 or earlier. The root cause of the outage is believed to lie in a software component.

Top Scams Reported in the Last 24 Hours

Tax scam
As the deadline for filing 2019 tax returns nears, users have started receiving phishing emails alerting them to fake W-2 forms. The phishing campaign targets ADP users, who are asked to click a malicious link to view their W-2 forms. The link leads to a page designed to look like the ADP login page, hosted on domains registered on the same day as the attack. Through these malicious websites, attackers can steal the ADP usernames and passwords of unsuspecting victims who fall for the lure. With an employee’s credentials in hand, an attacker can expose bank account numbers or change direct deposit information to redirect payments to attacker-controlled accounts.


Tags

dustman wiper
zerocleare
mitsubishi electric corporation
paradise ransomware
telnet credentials

Posted on: January 20, 2020
