Cyware Daily Threat Intelligence, July 22, 2020

The Emotet trojan made a comeback after a five-month hiatus, and new details have emerged in the last 24 hours. The trojan has been found pushing QakBot payloads to victims' systems at a high rate. Although the purpose of QakBot in this campaign remains unclear, the trojan is believed to be delivering ProLock ransomware in particular to the targeted systems.

A mysterious 'Meow' attack that completely wipes data from unsecured Elasticsearch and MongoDB databases has also come to notice in the last 24 hours. The purpose of the attack is still unknown. However, if it continues, several companies could suffer massive data loss.

Top Breaches Reported in the Last 24 Hours

GGPoker hit by DDoS attack
A popular Asian poker site, GGPoker, stated that many of its systems were affected by a DDoS attack that lasted around two hours. The attack succeeded because the firm had not put DDoS protection in front of the server after migrating it to a new cloud data center to improve performance.

Twilio confirms breach
Twilio confirmed that one or more miscreants had gained access to an unsecured AWS S3 bucket belonging to the firm and modified a copy of the JavaScript SDK used by its customers. The firm stated, however, that the code the intruders inserted into the TaskRouter v1.20 SDK was non-malicious.

New Meow attack
Dozens of unsecured Elasticsearch and MongoDB databases have been targeted in an automated Meow attack that destroys data without leaving an explanation or even a ransom note. The attackers' purpose is unknown. However, if this continues, several companies could suffer a massive wipeout of data.

Telecom Argentina regains access
Telecom Argentina has regained access to the systems affected by a ransomware attack. The attackers, who struck over the weekend, had demanded a ransom of $7.5 million in Monero to unlock the encrypted files.

Top Malware Reported in the Last 24 Hours

MATA framework
Kaspersky is alerting SOC teams about a new malware framework linked to the notorious North Korean Lazarus hacking group. Dubbed 'MATA', the framework is used to support attacks designed to steal customer databases and distribute malware. MATA has been around since April 2018 and has been deployed against several e-commerce firms, software developers, and ISPs across Poland, Germany, Turkey, Korea, Ireland, and India.

Emotet delivering QakBot
Researchers tracking the Emotet trojan have found that the malware is now pushing the QakBot banking trojan at an unusually high rate, instead of the previously distributed TrickBot trojan. It is unclear what QakBot drops on infected systems, but it is reported that the trojan may infect some of its victims with the ProLock ransomware.

Top Vulnerabilities Reported in the Last 24 Hours

Citrix Workspace app flaw
A vulnerability discovered in the Citrix Workspace app could be abused to gain full remote compromise of the host machine. The flaw, tracked as CVE-2020-8207, can be exploited through a named pipe. The issue has been patched in the latest version, 2006.1, and in 1912 LTSR CU1.

Posted on: July 22, 2020
