Cyware Daily Threat Intelligence, July 23, 2020

Share Blog Post

Emerging sophisticated cyberattack tactics have become a major cause of headaches for cyber defenders. Lately, a new attack method named ‘Shadow’ has come to the notice of researchers. The attack method leverages vulnerable desktop PDF viewer applications such as Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, and Foxit Reader. It can be used to modify the content of digitally signed PDF documents.

In the past 24 hours, researchers also discovered a multi-modular cryptojacking botnet called Prometei. The botnet uses several techniques such as living-off-the land binaries, SMB exploits, and stolen credentials to spread across compromised networks.

Top Breaches Reported in the Last 24 Hours

Leaky college recruitment database
An unsecured Amazon S3 bucket belonging to CaptainU had leaked nearly 1 million records containing sensitive academic information of high school students. Included in the bucket were GPA scores, ACT, SAT and PSAT scores, student IDs, email addresses, home addresses, and phone numbers.

Disabled Delawareans’ data exposed
A data breach at the Delaware Department of Health and Social Service had resulted in the compromise of the private data of 350 users who received the Delaware Division of Developmental Disabilities Services support. Data compromised in the breach included full names, birth dates, primary diagnosis, and county residence.

University of York breached
The University of York has launched an investigation following a data theft incident that affected the personal details of its staff and students. The source of the breach is a cloud computing provider, Blackbaud, used by the university which fell victim to a ransomware attack in May 2020.

Top Malware Reported in the Last 24 Hours

Skimmers in PNG files
Threat actors are now injecting skimmer code into real PNG files, on compromised sites and in booby-trapped Magento repositories on GitHub, to steal payment card details of users. One such code was found injected into a googletagmanager.png on a compromised Magento 2.x site.

Prometei botnet
A new multi-modular cryptojacking botnet, dubbed Prometei, has been found using multiple methods to spread across compromised networks. The primary purpose of the botnet is to mine Monero cryptocurrency from as many systems as possible. It uses living-off-the land binaries, SMB exploits, and stolen credentials to hop from computer to computer across the infected network. So far, the botnet has affected users in the United States, Brazil, Pakistan, China, Mexico, and Chile.

RDAT tool revised
The notorious OilRig APT group has returned with a revised version of the RDAT backdoor. The malware uses steganography to hide commands and data within bitmap images attached to emails. Researchers noted the malware’s usage in a recent series of attacks against a telecom company in the Middle East.

Top Vulnerabilities Reported in the Last 24 Hours

New Shadow attack
A group of academics has found that 15 out of 28 desktop PDF viewer applications are vulnerable to a new ‘Shadow’ attack. It can let malicious actors modify the content of digitally signed PDF documents. The vulnerable applications include Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, and PDFelement, among others.

Vulnerable WordPress Plugins
Several security vulnerabilities found in CMS Made Simple and LimeSurvey WordPress plugins have been fixed by the respective vendors. While CMS Made Simple 2.2.13 has been updated to 2.2.14 after fixing five security flaws, the three vulnerabilities in LimeSurvey 3.21.1 have been fixed in the latest version 3.21.2.


shadow attack
prometei botnet
rdat tool
university of york
amazon s3 bucket

Posted on: July 23, 2020

Get the Daily Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!