Cyware Daily Threat Intelligence, July 02, 2019


Misconfigured databases exposing sensitive data continue to be a top concern for businesses worldwide. Lately, an unprotected Elasticsearch database belonging to the Chinese firm Orvibo has exposed over two billion records of customers from various regions of the world. The leaky database includes email addresses, passwords, account reset codes, precise geolocations, IP addresses, usernames, and user IDs of customers.

The past 24 hours also saw a ransomware attack on a court agency in Georgia. All ‘’ sites and servers belonging to the Administrative Office of the Courts (AOC) have been taken offline.

Security researchers have also uncovered at least three malware distribution campaigns that were conducted using the lesser-known ‘Heaven’s Gate’ technique. The attack method was used to distribute the HawkEye Reborn keylogger, the Remcos remote access trojan (RAT), and various cryptocurrency mining trojans without being detected by antivirus.

Google has released security patches to address 33 vulnerabilities as part of the Android Security Patch for July 2019. The patches address security flaws in the Android system, framework, library, and media framework.

Top Breaches Reported in the Last 24 Hours

Unprotected Elasticsearch database
An unprotected Elasticsearch database belonging to China-based smart home solutions provider Orvibo has exposed over two billion user records. The exposed records include usernames, email addresses, passwords, and locations of customers from China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.

Georgia court system hit with ransomware
A Georgia court agency has suffered a ransomware attack, causing all ‘’ sites to shut down. The network was taken offline to contain the attack. The targeted agency keeps court documents and provides computer applications to local courts. It is believed that not all of the court system’s digital information systems were affected in the attack.

uOttawa’s ‘The Fulcrum’ hacked
A hacker broke into the website of ‘The Fulcrum’, uOttawa’s independent student newspaper, and deleted its entire content. The newspaper has served the university since 1942, although it only went online in 2006. Despite the hack, The Fulcrum has managed to restore its website from backup data.

Top Malware Reported in the Last 24 Hours

182 malicious apps
A total of 182 malicious apps were found to have been used to distribute two adware families, named AndroidOS_HiddenAd.HRXAA and AndroidOS_HiddenAd.GCLA. Around 111 of the apps were available for download on the Google Play Store, with the rest found on third-party stores such as 9Apps and PP Assistant. The adware samples hide the icons of the malicious apps while showing full-screen ads and evading detection by security solutions.

‘Heaven’s Gate’ technique
Cisco Talos researchers have spotted at least three malware distribution campaigns that leveraged the ‘Heaven’s Gate’ technique to run malicious code on victims’ machines. The three campaigns were used to distribute the HawkEye Reborn keylogger, the Remcos remote access trojan (RAT), and various cryptocurrency mining trojans without being detected by antivirus. 

New Ratsnif trojan
The OceanLotus threat actor group has been found using a new variant of the Ratsnif trojan that includes a variety of network sniffing features: packet sniffing, ARP sniffing, DNS spoofing, HTTP redirection, and MAC spoofing. The new variant, the fourth in the series, was developed in the second half of 2018. The packet sniffing feature of the Ratsnif trojan focuses on extracting login credentials and other sensitive data via protocol parsing.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable SICK controller
A critical vulnerability in the MSC800 modular system controller from Germany-based sensor maker SICK can let attackers remotely change the controller’s settings. The flaw is tracked as CVE-2019-10979 and stems from hardcoded credentials in firmware versions prior to 4.0. Users are advised to minimize the network exposure of the devices to mitigate the issue.

Google patches 33 security issues
Google has released the Android Security Patch for July 2019 to address security vulnerabilities. These security flaws affect the Android system, framework, library, and media framework, as well as Qualcomm components. The patch has been rolled out for all supported Pixel devices, including the Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, and Pixel 3a XL.

Vulnerable Squirrel software
Microsoft’s collaboration platform Teams has a vulnerability that can allow any user to insert malicious code into the application and thereby gain escalated privileges. The issue also affects the desktop versions of WhatsApp, UiPath, and GitHub. All of these applications use the open source project Squirrel, which handles their installation and update routines.


Posted on: July 02, 2019
