Cyware Daily Threat Intelligence, July 11, 2019

The Magecart group has struck again. This time, the threat actors have been found using a unique approach to infect more than 17,000 web domains and steal payment card details. In another major cyber incident, as many as 25 million Android phones have been hit with malware named ‘Agent Smith’. The malware is distributed via booby-trapped Android apps uploaded to the third-party 9Apps store.

Two major data leaks exposing millions of people’s records have come to light in the past 24 hours. One incident involved the leak of nearly 188 million records belonging to Pipl and LexisNexis; the other exposed 7 million student records from K12. Both incidents occurred because of misconfigured MongoDB databases.

Top Breaches Reported in the Last 24 Hours

Pipl and LexisNexis leak data
An unsecured MongoDB database exposed nearly 188 million records belonging to Pipl and LexisNexis. The records included extensive user information such as first and last names, email addresses, dates of birth, phone numbers, political affiliations, skills, physical addresses, gender, automobiles and employment details. Upon discovery, the owners shut down access to the database on July 3, 2019.

7 million student records exposed
K12 leaked nearly 7 million student records through an unprotected MongoDB database. The records were available online for more than one week before the database was secured. The data exposed in the leak included students’ personal email addresses, full names, gender, age, school names and birthdates.

Magecart compromises more than 17,000 websites
In its latest skimming campaign, the Magecart threat actor group has compromised over 17,000 websites through unsecured Amazon S3 buckets. These websites have been injected with a skimming script that captures payment data.
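The Magecart item above turns on buckets that an outsider could write to; the assumption that the "unsecured" buckets were world-writable is mine, not a claim on this page. As an added example, not from Cyware or the campaign report, here is a Python check that flags an S3 bucket ACL or bucket policy granting write access to anonymous users; the sample ACL, policy and bucket name are constructed.

```python
import json

# Constructed sample ACL in the shape boto3's get_bucket_acl() returns; the
# second grant lets any anonymous user write objects into the bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
# Constructed sample bucket policy that grants PutObject to everyone.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-static-assets/*"}]})

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:put*", "s3:*", "*"}

def acl_public_write(acl):
    """Return ACL permissions that let the AllUsers/AuthenticatedUsers groups write."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in WRITE_PERMISSIONS]

def _is_public_principal(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def policy_public_write(policy_json):
    """Return write actions an Allow statement grants to an anonymous principal.
    Condition blocks are ignored, so this errs on the side of flagging."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        hits += [a for a in ([actions] if isinstance(actions, str) else actions)
                 if a.lower() in WRITE_ACTIONS]
    return hits

def bucket_is_writable_by_public(acl, policy_json):
    """True if either the ACL or the policy lets the public write (e.g. replace a JS file)."""
    return bool(acl_public_write(acl) or policy_public_write(policy_json))
```

Feed it the real ACL and policy from `get_bucket_acl()` and `get_bucket_policy()` for each bucket that serves site assets; any non-empty result is a bucket that should be locked down before it is used to host scripts.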

160,000 resumes stolen
Two Zhilian staff members have been detained for stealing as many as 160,000 personal resumes from the recruitment firm. The pair sold the stolen records to a person named Zheng for around 70 US cents per resume.

Top Malware Reported in the Last 24 Hours

‘Agent Smith’ malware
As many as 25 million Android phones have been infected with malware named ‘Agent Smith’. Most of the victims are in India, followed by other countries in South Asia. The malware hides inside malicious apps distributed via the third-party 9Apps store.

eCh0raix ransomware
eCh0raix is a new ransomware strain that encrypts documents on consumer and enterprise QNAP Network Attached Storage (NAS) devices. The ransomware uses the AES algorithm to encrypt targeted file extensions on the NAS and then appends the .encrypt extension to the affected files.

FinSpy evolves
A new version of the FinSpy spyware comes with additional surveillance capabilities. The variant can eavesdrop on calls and messages sent via secure messaging services such as Signal, Telegram, Threema, WhatsApp, Facebook Messenger, Viber and more. Apart from this, the malware can now hide signs of a jailbreak on iPhones running iOS 11 and older versions. On Android, the malware can allow attackers to gain root privileges.

New Miori variant
Researchers have identified a new variant of Miori that differs in how it communicates with its command-and-control (C&C) server. Like earlier variants, it uses XOR to encrypt part of its configuration data and its list of telnet/SSH credentials. Apart from this, the Miori variant also injects a malicious script into a vulnerable host.

CTRL-ALT-LED technique
Academics have come up with a new technique named CTRL-ALT-LED that can allow threat actors to pilfer sensitive data from a secure air-gapped system. The technique leverages the Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard.

Top Vulnerabilities Reported in the Last 24 Hours

Jira Server and Data Center patched
Atlassian has patched a critical vulnerability affecting Jira Server and Data Center versions before 4.4.0. The vulnerability is tracked as CVE-2019-11581 and exists in the Contact Administrators and SendBulkMail actions. The flaw can be exploited when Jira is configured with an SMTP server and the Contact Administrators Form is enabled.

Apple fixes bugs
Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability. The bug could allow an unauthorized user to listen to another customer’s iPhone without consent. In another incident, the firm has released a silent update for Mac users. The update removes a vulnerable component in Zoom which allowed websites to automatically add a user to a video call without their permission.

Mozilla fixes 21 bugs
Mozilla has addressed 21 major vulnerabilities with the release of Firefox 68. Among the vulnerabilities patched, Mozilla resolved two critical memory safety bugs that existed in earlier versions. Other flaws include use-after-free, out-of-bounds read, parsing, and sanitization errors.

Vulnerable Drupal sites
A two-year-old vulnerability in Drupal is being used by threat actors to infect sites with web-based ransomware. If a website owner falls victim to such an attack, the website is locked and a message displayed on the site instructs the owner to transfer Bitcoin to unlock it.

Top Scams Reported in the Last 24 Hours

Synthetic identity theft
Synthetic identity theft is becoming popular in the United States. The tactic is prevalent in the country because identification in the U.S. relies heavily on static PII, including Social Security Numbers (SSNs). This PII, SSNs included, is easily collected by threat actors from data exposed in various breaches. A report has revealed that the volume of PII exposed between 2017 and 2018 increased by 178%, with more than 446 million records exposed.


Posted on: July 11, 2019