Cyware Daily Threat Intelligence January 22, 2019


Top Breaches Reported in the Last 24 Hours

Misconfigured ElasticSearch database
An unprotected ElasticSearch database has exposed over 180 million records containing information on wins and bets, along with customers' personal information, deposits and withdrawals. The breach included data from sites such as kahunacasino[.]com, azur-casino[.]com, easybet[.]com, and viproomcasino[.]net.

A technical glitch in the ATLAS game
The online servers of the newly launched ATLAS game suffered technical glitches multiple times after players hacked an admin account. The hack has impacted the multiplayer servers of ATLAS, a new MMO (Massively Multiplayer Online) game. The first hack occurred on January 17, 2018.

WPML defaced
The website of a very popular WordPress plugin, WPML, was hacked and defaced by an ex-employee. After hacking the website, the attacker sent out a mass-mail to all the customers revealing the existence of unpatched security holes. WPML claims that the hacker got email addresses and customers' names from the website's database. However, the attacker did not get access to financial information.

Top Malware Reported in the Last 24 Hours

DarkHydrus delivers a RogueRobin variant
A new malicious campaign delivering a new variant of the RogueRobin trojan has been spotted by security researchers. The infamous DarkHydrus threat actor group is behind the distribution of the new variant. The campaign leverages Google Drive as an alternative channel for sending malicious instructions. A macro-enabled Excel document with the .xlsm file extension is used to spread the malware.

Phobos ransomware
A new strain of ransomware dubbed Phobos has been spotted targeting businesses worldwide since mid-December. The ransomware shares similarities with Dharma ransomware. It exploits weakly secured RDP ports for propagation.

Rumba ransomware
Rumba is a new variant of STOP ransomware. It is distributed via adware bundles and software cracks, and operates the same way as DJVU ransomware. Once installed, the malware appends the .rumba extension to encrypted files. Some of the software cracks installing this ransomware include Windows activation cracks such as KMSPico, as well as cracks for Cubase, Photoshop, antivirus software, and other popular software.

Top Scams Reported in the Last 24 Hours

Fake domains target foreign nationals
Security researchers have detected suspicious domains - gov-canada-eta[.]com and canada-etavisa[.]info - targeting foreign nationals. The domains spoof the Government of Canada Electronic Travel Authorization (eTA) application site in order to lure users into revealing their personal information. Once users click the 'Apply for Canada eTA' button, they are redirected to a replica of the Canada eTA application page. Users are then urged to fill out the application and disclose personally identifiable information (PII) such as full name, place of residence, phone number, date of birth and passport number, amongst others.


Tags

rumba ransomware
darkhydrus threat actor group
phobos ransomware
roguerobin variant
malicious campaign

Posted on: January 22, 2019
