
Cyware Daily Threat Intelligence, July 23, 2019


Unauthorized access to a payment system at AMCA has affected around a dozen medical firms, more than previously reported. Until last week, the data breach was known to have impacted eight firms in the US. However, the latest report shows that many more healthcare firms have been affected. The list of affected firms that have now come forward includes American Esoteric Laboratories, Austin Pathology Associates, South Texas Dermatopathology, and Seacoast Pathology, among others.

A decryption key for LooCipher ransomware has also been released in the past 24 hours. The malware is installed through malicious Word documents. Once executed, the ransomware encrypts victims' files and appends the .lcphr extension to them.

More than one million ProFTPD servers are vulnerable to a newly discovered file copy vulnerability that can allow remote attackers to execute malicious code on vulnerable machines. The vulnerability resides in ProFTPD's mod_copy module and affects all versions up to 1.3.5b.

Top Breaches Reported in the Last 24 Hours

Updates on AMCA data breach
Many more healthcare companies in the United States are victims of the AMCA data breach. The new report highlights that American Esoteric Laboratories, Austin Pathology, South Texas Dermatopathology and Pathology Solutions, among others, have been impacted by the breach. The breach began as early as August 2018 but was only discovered in March 2019.

QuickBit leaks records
An unprotected MongoDB database exposed around 300,000 customer records belonging to the Swedish cryptocurrency exchange QuickBit. The leak came to light after Shodan listed the exposed database. The records contained full names, email addresses, gender and birth dates. The database was pulled offline on July 3, 2019.

Lancaster University hacked
A phishing attack at Lancaster University has affected the personal data of some students. The records included names, addresses, phone numbers and emails of students who had applied to join the university in 2019 and 2020. The attackers used a phishing email that posed as an invoice.

Top Malware Reported in the Last 24 Hours

Malvertising campaign
An ongoing malvertising campaign that leverages an XSS vulnerability in the 'Coming Soon Page & Maintenance Mode' plugin has allowed attackers to inject malicious JavaScript code into WordPress sites. The flaw affects WordPress sites running plugin versions prior to 1.7.8. The purpose of the campaign is to display unwanted popup ads and redirect visitors to malicious sites.

MobiDash malware
MobiDash malware is using a fake FaceApp installer to compromise devices and deploy malicious advertising software. Kaspersky has found that the adware affected around 500 unique users in just 48 hours after it was first detected on July 7, 2019.

Decryptor for LooCipher ransomware
Emsisoft has released a decryptor for LooCipher ransomware. The malware is installed through malicious Word documents. Once executed, the ransomware encrypts victims' files and appends the .lcphr extension to them.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Exim and Jira servers targeted
Hackers are exploiting vulnerable Jira and Exim servers to infect victims' machines with a new variant of the Watchbog trojan. The vulnerabilities are tracked as CVE-2019-11581 (template injection) in Jira and CVE-2019-10149 (remote code execution) in Exim.

File copy vulnerability
A file copy vulnerability in ProFTPD servers can allow a remote attacker to execute malicious code on vulnerable machines. The vulnerability is tracked as CVE-2019-12815 and affects all versions up to 1.3.5b. It resides in ProFTPD's mod_copy module. More than one million servers are running vulnerable versions, according to Shodan.

Critical RCE flaw
A critical remote code execution flaw has been uncovered in the GlobalProtect portal and GlobalProtect Gateway interface security products from Palo Alto Networks. The flaw, CVE-2019-1579, can allow attackers to execute arbitrary code. Users are therefore advised to update these products to the latest versions.

PoC for BlueKeep vulnerability published
A security researcher has published a detailed guide on how to execute malware on Windows computers that are still vulnerable to the BlueKeep vulnerability. The documents are publicly available on GitHub. The latest report revealed that as many as 805,000 Windows computers are still vulnerable to the flaw.

Vulnerable Comodo Antivirus
Five flaws have been discovered in Comodo Antivirus. Two of these are a denial-of-service flaw and a privilege-escalation flaw. The other vulnerabilities can be exploited to crash application components and the kernel.

Apple releases watchOS 5.3
Apple reactivated the Walkie-Talkie feature in the latest software updates for the iPhone and Apple Watch, 12 days after it was turned off for security reasons. Walkie-Talkie had been unavailable since July 10. The new update fixes the major bug in the Walkie-Talkie app that could be abused to eavesdrop on people.

Top Scams Reported in the Last 24 Hours

Hydro-Québec scam
Hydro-Québec is warning its customers about new scams that use the company's name. The scammers operate through email, text or telephone. The primary objective of these scams is to obtain the recipients' personal and financial information, which is later used for identity theft and to steal their money. Scammers are also offering fake Hydro-Québec jobs, asking clients to open a file that can give full access to the users' personal information.

Posted on: July 23, 2019