
Cyware Daily Threat Intelligence, July 04, 2019

Attribution of cyber attacks has always been an Achilles heel for security researchers. In a rare turn of events, however, the perpetrators behind one of the recent major bank hacks have been identified: the hacker group known as Silence has been found responsible for the attacks against three private banks in Bangladesh, Dutch Bangla Bank Limited, NCC Bank and Prime Bank.

Several new malware strains and vulnerabilities emerged in the last 24 hours. A new variant of the BianLian Android banking trojan was discovered with two new modules, one that records the screen of the infected device and one that starts an SSH server on it. Researchers also spotted a new Lua-based backdoor dubbed 'Godlua' that targets both Linux and Windows and uses DNS over HTTPS (DoH) to look up its command-and-control servers, hiding those queries from plain DNS monitoring.

Major security vulnerabilities were also reported. These include critical vulnerabilities in three different virtual reality applications that allow attackers to take control of victims' computers, and nine flaws in Lenovo servers that could be used to compromise affected systems.


Top Breaches Reported in the Last 24 Hours

Silence hackers behind Bangladeshi banks hack
Last month, three private banks in Bangladesh, Dutch Bangla Bank Limited, NCC Bank and Prime Bank, suffered major cyber attacks that caused financial losses. It has now come to light that the hacker group known as Silence was behind the attacks. The group has been operating since at least 2016 and targets banks.

Alive Hospice data breach
Alive Hospice suffered a data breach that compromised patients' personal information after an unauthorized third party gained access to an employee's email account between May 4 and May 6, 2019. The compromised account contained patients' names, email addresses, contact information, dates of birth, usernames and passwords, Social Security numbers, driver's license numbers, and payment card numbers. It also held medical history, treatment and prescription information, physician information, medical record numbers, Medicaid/Medicare numbers, and health insurance information.


Top Malware Reported in the Last 24 Hours

BianLian banking trojan
Researchers spotted a new variant of the BianLian banking trojan that includes two new modules: one records the screen of the infected Android device and the other starts an SSH server on it. The updated variant is distributed as a heavily obfuscated APK that generates a large number of random functions to hide the trojan's real functionality. The payload it drops on the infected device also checks whether Google Play Protect is active by querying the Google SafetyNet API.

Godlua malware 
A new Lua-based backdoor dubbed 'Godlua' was also identified by security researchers. Godlua targets both Linux and Windows and resolves its command-and-control servers over DNS over HTTPS (DoH), so the lookups are not visible to ordinary DNS monitoring. Two versions of the malware were detected. The first, found by traversing Godlua's download servers, targets Linux systems; the second targets Windows and is reported to receive updates on a regular basis.
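What DoH changes for a defender is worth seeing on the wire. The following is an added example, not code from the page or from the Godlua analysis: it builds the GET form of a DoH lookup (RFC 8484, `dns=` parameter carrying the base64url-encoded DNS message), then does the reverse, recovering the queried name from a logged URL and parsing a constructed wire-format response. The resolver host, the name `c2.example.com` and the response bytes are constructed placeholders.

```python
from __future__ import annotations
import base64
import struct
from urllib.parse import parse_qs, urlparse


def encode_name(name: str) -> bytes:
    """Dotted name to DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: one question, RD set, ID 0 (RFC 8484 suggests a
    zero ID for the GET form so HTTP caches can serve repeated lookups)."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get_url(resolver: str, name: str, qtype: int = 1) -> str:
    """GET form of a DoH lookup. A proxy sees only this URL and the TLS
    session to the resolver; the name is opaque unless the parameter is decoded."""
    param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={param}"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset after it."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_dns_param(url: str) -> tuple[str, int]:
    """Recover the queried name and type from a logged DoH GET URL."""
    param = parse_qs(urlparse(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))  # restore padding
    if struct.unpack(">H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    name, off = decode_name(msg, 12)
    return name, struct.unpack(">H", msg[off:off + 2])[0]


def parse_answers(msg: bytes) -> list[tuple[str, int, str]]:
    """(name, type, rdata) for each answer; A records rendered as dotted quads."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                          # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, text))
    return answers


# Constructed sample response (not captured traffic): one A record for the
# placeholder name, owner name given as a pointer back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("c2.example.com") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 7])
)
```

The decoder only helps with the GET form; the POST form puts the same message in the request body, which a proxy log never records. In both cases the practical signal is the destination: a host that never spoke to the corporate resolver yet holds long-lived HTTPS sessions to a public DoH endpoint.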

Sodinokibi exploits Windows bug
Sodinokibi ransomware now escalates its privileges on an infected system by exploiting CVE-2018-8453, a vulnerability in the Win32k component of Windows 7 through Windows 10 and the corresponding Server editions, which Microsoft patched in October 2018. The ransomware also discriminates between targets: it terminates on computers with keyboard layouts specific to countries such as Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Moldova, Uzbekistan, and Syria.
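The keyboard-layout check is a decision on Windows LANGIDs, and the detail that matters for anyone emulating or detecting it is how an HKL handle decomposes. The block below is an added example written for this post, not Sodinokibi's code: it reproduces the decision logic over a list of HKL values, with the country-to-LANGID mapping assumed from the country names above rather than taken from the malware. On a real host the list would come from `GetKeyboardLayoutList()`; here it is passed in so the logic runs anywhere.

```python
from __future__ import annotations

# An HKL keyboard-layout handle carries the language identifier in its low
# 16 bits; within that, the primary language is the low 10 bits and the
# sublanguage the top 6. Mapping assumed from the countries named above.
EXCLUDED_PRIMARY = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x28: "Tajik",
    0x2B: "Armenian", 0x2C: "Azerbaijani", 0x37: "Georgian", 0x3F: "Kazakh",
    0x40: "Kyrgyz", 0x42: "Turkmen", 0x43: "Uzbek",
}
# Moldova and Syria are sublanguages of Romanian and Arabic. Matching on the
# primary language alone would also exclude ro-RO and ar-SA machines, so the
# full LANGID is required for these two.
EXCLUDED_FULL = {0x0818: "Romanian (Moldova)", 0x2801: "Arabic (Syria)"}


def langid_of(hkl: int) -> int:
    """Language identifier from a keyboard-layout handle."""
    return hkl & 0xFFFF


def primary_language(lang: int) -> int:
    return lang & 0x3FF


def excluded_layout(hkl: int) -> str | None:
    """Name of the excluded locale this layout matches, or None."""
    lang = langid_of(hkl)
    if lang in EXCLUDED_FULL:
        return EXCLUDED_FULL[lang]
    return EXCLUDED_PRIMARY.get(primary_language(lang))


def would_terminate(hkls: list[int]) -> bool:
    """The decision the post describes: bail out if any installed layout matches."""
    return any(excluded_layout(h) is not None for h in hkls)


# Constructed layout lists, in the form Windows reports for standard layouts
# (language id repeated in both halves of the handle).
US_ONLY = [0x04090409]
US_PLUS_RUSSIAN = [0x04090409, 0x04190419]
ROMANIA = [0x04180418]
MOLDOVA = [0x08180818]
```

The same decomposition explains two things a practitioner runs into: why adding a single extra layout from this list is sometimes used as a cheap deterrent against such families, and why a sandbox that presents only a US layout will always see the encryption run while a host with a Cyrillic layout will not.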


Top Vulnerabilities Reported in the Last 24 Hours

Security vulnerabilities in Lenovo servers
A total of nine security vulnerabilities were detected in Lenovo servers that could be used to compromise affected systems. They include use-after-free issues, a command injection flaw, improper authentication, and other weaknesses. Two of the nine were rated high risk. Lenovo has fixed six of the vulnerabilities.

Chinese attackers exploit Equation Editor flaw
Chinese threat actors have updated a Rich Text Format (RTF) weaponizer to exploit a further Microsoft Equation Editor flaw, CVE-2018-0798, in order to drop malicious payloads. The same weaponizer was earlier used to exploit two other remote code execution (RCE) flaws in Equation Editor, CVE-2017-11882 and CVE-2018-0802. The threat actor groups using this tool include Conimes, KeyBoy, Emissary Panda, Rancor, and Temp.Trident.
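Whichever of the three Equation Editor CVEs an RTF weaponizer targets, the document still has to embed an Equation Editor object, and that leaves markers a scanner can find. The following is an added example written for this post, not the weaponizer and not any vendor's detection: it decodes the `\objdata` hex of an RTF file, tolerating the whitespace, nested groups and junk control words these weaponizers insert, and looks for the Equation Editor 3.0 ProgID and CLSID in the decoded bytes. The sample document is constructed and truncated; it is not an exploit.

```python
import re

# Markers an embedded Equation Editor 3.0 object leaves in an RTF file: the
# ProgID in the OLE1 header inside \objdata, and the CLSID
# {0002CE02-0000-0000-C000-000000000046} as it sits, little-endian, in the
# embedded compound file. Neither depends on the optional \objclass word.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

_OBJDATA = re.compile(rb"\\objdata")
_CTRL = re.compile(rb"\\[A-Za-z]+-?\d*|\\[^A-Za-z]")   # control word or control symbol
_HEX = frozenset(b"0123456789abcdefABCDEF")


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata group to raw bytes.

    Weaponizers break the hex up with line breaks, whitespace, nested groups
    and junk control words, so everything but hex digits is dropped until the
    brace that closes the group \\objdata lives in. (\\bin runs of raw binary
    are not handled; they are rare in these documents.)"""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        depth, i, digits = 1, m.end(), bytearray()
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == ord("{"):
                depth += 1
            elif c == ord("}"):
                depth -= 1
            elif c == ord("\\"):
                cm = _CTRL.match(rtf, i)
                if cm:
                    i = cm.end()
                    continue
            elif c in _HEX:
                digits.append(c)
            i += 1
        if len(digits) % 2:
            digits.pop()                    # stray trailing nibble
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def equation_editor_indicators(rtf: bytes) -> dict:
    """Which Equation Editor markers the document carries, and where."""
    blobs = extract_objdata(rtf)
    return {
        "objdata_count": len(blobs),
        "objclass": re.search(rb"\\objclass\s*Equation\.3", rtf) is not None,
        "progid_in_objdata": any(EQNEDT_PROGID in b for b in blobs),
        "clsid_in_objdata": any(EQNEDT_CLSID_LE in b for b in blobs),
    }


def is_suspicious(rtf: bytes) -> bool:
    ind = equation_editor_indicators(rtf)
    return ind["objclass"] or ind["progid_in_objdata"] or ind["clsid_in_objdata"]


# Constructed sample, not a real exploit document: the OLE1 header of an
# embedded Equation.3 object (version, format, class-name length, ProgID),
# filler, then the CLSID, with the hex split by newlines, spaces and a junk
# nested group, and no \objclass word at all.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    + b"{\\object\\objemb\\objw380\\objh260\n"
    + b"{\\*\\objdata 01050000 0200\n0000 0b00 0000 "
    + EQNEDT_PROGID.hex().encode() + b"00 {\\*\\junk}\n"
    + b"00000000 00000000 deadbeef " + EQNEDT_CLSID_LE.hex().encode()
    + b"}}\\par Hello}"
)
```

Matching on the decoded bytes rather than on the RTF text is the point: a `\objclass Equation.3` string match is defeated by simply omitting the word, while the ProgID and CLSID have to be present for Equation Editor to be invoked at all.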

Vulnerabilities in Virtual Reality applications
Researchers have detected several critical vulnerabilities in three different virtual reality applications that could allow attackers to take control of victims' computers. The three affected applications are VRChat, SteamVR, and High Fidelity. Successful exploitation could allow attackers to access users' webcams and microphones, or to manipulate what users see within their VR headset. Attackers could also create VR malware that infects anyone who enters the affected chat room.

Security flaw in iMessage
A security flaw was detected in iMessage, Apple's instant messaging application, that could brick an iPhone with a single message. The flaw was discovered by security researcher Natalie Silvanovich of Google Project Zero. According to Silvanovich, a method in an iMessage component throws an exception when it encounters a malformed message containing a text key, and the resulting crash leaves the iPhone unusable.


Top Scams Reported in the Last 24 Hours

eBay scam
Researchers observed a new eBay scam in which scammers collect the details of items published by sellers and offer eBay-related "viral promotion" services. The scam message embeds a link to the scammer's advert in an image; users who click it are redirected to the scammer's advertising URL, earning the scammer a click-through fee.

Tags

bianlian banking trojan
microsoft equation editor
sodinokibi ransomware
godlua
ebay scam

Posted on: July 04, 2019

