Cyware Daily Threat Intelligence, July 17, 2020

Share Blog Post

Financially-motivated ransomware attackers have now expanded their activities to target Operational Technology (OT) networks. The ransomware families involved in this campaign are SNAKE, LockerGoga, Maze, MegaCortex, Nefilim, DoppelPaymer, and CLOP.

Meanwhile, a new and sophisticated Android banking trojan, dubbed BlackRock, has been found targeting 337 different apps. The malware is capable of stealing credentials and sensitive information from installed apps.

A mishap of Iran-based Charming Kitten threat actor group also came to light in the last 24 hours. The gang had left one of its servers exposed to the Internet for three consecutive days before it was taken offline. The files found on the server contained videos on how to exfiltrate data from various online accounts.

Top Breaches Reported in the Last 24 Hours

Unsecured Elasticsearch database
A misconfigured Elasticsearch database associated with ‘’ has exposed over 260,000 actors’ data online. The database contained 1 GB of data, amounting to 9.5 million records. These records include full names, residential and email addresses, phone numbers, dates of birth, and vehicle information of users.

Charming Kitten makes a mistake
Iran-linked Charming Kitten hacker group had accidentally exposed one of its servers due to a basic misconfiguration issue. The files found on the server contained videos on how to exfiltrate data from various online accounts. It also contained videos of successful attacks on a member of the U.S. Navy and officer in the Hellenic Navy.

Orange confirms an attack
The French telecommunication giant, Orange, has confirmed an attack from Nefilim ransomware that exposed the data of their enterprise customers. The ransomware operators breached the company through their Orange Business Solutions division.

UFO VPN hacked
The Hong Kong-based UFO VPN had exposed more than 20 million users’ logs due to an unprotected Elasticsearch database. It contained 849 GB data such as plaintext passwords, IP addresses, session tokens, and information of devices.

Top Malware Reported in the Last 24 Hours

BlackRock Android trojan
A new Android banking trojan, dubbed BlackRock, is capable of stealing credentials and credit card information from 337 apps. This includes social, communication, networking, and dating apps. The malware derives its source code from Xerxes banking malware.

Black Box attack
A new type of jackpotting attack has been spotted by ATM maker Diebold Nixford. The attack is executed by injecting malware through a ‘black box’.

New Thanos variant
A new variant of the Thanos ransomware, which is written in C# language, is being widely advertised on the underground market. It uses several anti-analysis techniques to evade detection.

Ransomware families target OT
Seven ransomware families have expanded their activities to target processes associated with Operational Technology (OT) software. The ransomware families which target over 1000 processes are SNAKE, DoppelPaymer, LockerGoga, Maze, MegaCortex, and Nefilim. On the other hand, CLOP targets 1,425 processes.

Top Vulnerabilities Reported in the Last 24 Hours

Zoom addresses a flaw
Zoom has fixed a security flaw that exists in the ‘Vanity URL’ feature. The vulnerability can allow attackers to pose as a company employee and invite customers or partners to meetings to steal their sensitive information.


charming kitten
jackpotting attack
clop ransomware
thanos ransomware
blackrock android malware
maze ransomware
megacortex ransomware

Posted on: July 17, 2020

Get the Daily Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!