Cyware Daily Threat Intelligence, January 24, 2020


In a world besieged by malware, analysts have uncovered a development that may signal the end of the Phorpiex botnet's operation. Someone is believed to have hijacked the botnet's backend infrastructure and is using it to uninstall the malicious code from infected hosts while prompting users to install an antivirus and update their computers.

Two targeted phishing campaigns against government agencies were also observed in the past 24 hours. The affected agencies were located in the US, the Persian Gulf, and Middle East countries, and the purpose of both campaigns was to infect these organizations with malware.

Turning to vulnerabilities, a collection of six security issues dubbed ‘MDhex’ was discovered in GE Healthcare devices. The flaws could allow attackers to disable the devices, harvest personal health information, change alarm settings, and alter device functionality.

Top Breaches Reported in the Last 24 Hours

Amazon Web Services breached
Amazon Web Services had briefly published exchanges with customers and system credentials including passwords, AWS key pairs, and private keys to a public GitHub repository. The exposed repository also contained potentially sensitive information like bank statements, correspondence with AWS customers, and identity documents including a driver's license.

Buchbinder’s data breach affects 3 million
German car rental company Buchbinder exposed the personal information of over 3.1 million customers through an unsecured database. The exposed data includes customers’ names, email addresses, phone numbers, postal addresses, dates of birth, license numbers, and payment information. Upon discovery, the firm quickly secured the leaky database.

Top Malware Reported in the Last 24 Hours

CARROTBALL malware
A new malware named CARROTBALL has been found targeting a US government agency and two non-US foreign nationals professionally affiliated with North Korea. The malware is distributed via six malicious Word document lures being sent as attachments from four unique Russian email addresses.

Targeted phishing campaign
A targeted phishing campaign against government entities in the Persian Gulf and Middle East countries was detected earlier this month. The campaign was delivered via a legitimate email marketing provider. The payloads were hosted on Google Drive, and command-and-control communications were delivered via Twitter. The lure is based on the death of Qasem Suleimani and the subsequent tensions throughout the Middle East region.

Fake AmeriCommerce shopping cart
Cybercriminals have created a fake AmeriCommerce shopping cart by injecting a malicious script into the ‘Add to cart’ button. Once a visitor clicks the button, they are redirected to a fake shopping cart on www.pay.shoppingcommerce[.]pw that looks almost identical to a typical AmeriCommerce shopping cart page. The cybercriminals' goal is to steal customers' personal and financial details.

Phorpiex botnet hijacked
Malware analysts suggest that someone has hijacked the Phorpiex botnet with an aim to sabotage the operation on infected systems. The mysterious entity has reportedly hijacked the backend infrastructure of the botnet and is uninstalling the spam-bot malware from infected hosts. The victims, on the other hand, are shown a popup that tells them to install an antivirus and update their computers.

Warning issued about Emotet
American federal authorities have issued a warning about the increase in the number of targeted cyberattacks that utilize Emotet trojan. The malware primarily spreads via malicious email attachments and attempts to proliferate within a network by brute-forcing user credentials. The warning comes a week after researchers announced that Emotet was back and causing trouble with a new campaign.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable GE medical equipment
A collection of six vulnerabilities affecting GE Healthcare devices can endanger the services of hospitals. Dubbed ‘MDhex’, the bugs allow attackers to disable the devices, harvest personal health information, change alarm settings, and alter device functionality. The flaws are present in the GE CARESCAPE product line. Affected products include certain versions of the CARESCAPE Central Information Center (CIC), Apex Telemetry Server/Tower, Central Station (CSCS), Telemetry Server, and B450 patient monitor.

Top Scams Reported in the Last 24 Hours

Browlock campaign
A new, ongoing browser locker campaign called browlock has repeatedly struck high-profile webpages such as the Microsoft Edge Start page. The campaign targets the large audience that uses the default Windows browser and its start page, with the aim of defrauding these individuals through tech support scams. The scam begins with victims being shown a fake 404 warning message in their browser. The victims are asked to contact the scammers, who pose as technical support staff, to resolve the issue, and to do so they are required to grant remote access to their computers.

Tags

carrotball malware
phorpiex botnet
fake americommerce
buchbinder

Posted on: January 24, 2020
