
Cyware Daily Threat Intelligence, July 25, 2019


Unprotected databases leave millions of users’ data at risk. Lately, a publicly accessible database belonging to the cryptocurrency exchange platform YouHodler has leaked over 86 million records. These records include full names, email addresses, phone numbers, home addresses, birthdates, credit card numbers and complete bank details of users. For some, even the crypto wallet addresses were exposed online.

The past 24 hours also saw the return of the infamous Sodinokibi ransomware through a malspam campaign. The phishing emails appeared to come from the German BSI, and the ransomware demanded a ransom between $2500 and $5000.

A new variant of the Watchbog trojan was found scanning Windows machines for the BlueKeep vulnerability in a new cyberespionage campaign. It is the same malware variant that is targeting vulnerable Jira and Exim servers.

Top Breaches Reported in the Last 24 Hours

A host of companies attacked
German blue-chip companies BASF, Siemens and Henkel, along with multinational companies such as Roche, Marriott, Lion Air, Sumitomo and Shin-Etsu, have suffered cyberattacks. The attacks have been attributed to a state-backed Chinese group using the Winnti malware.

YouHodler leaks 86 million records
A database held by the cryptocurrency platform YouHodler has leaked over 86 million records. These include users’ full names, email addresses, phone numbers, home addresses, birthdates, credit card numbers, CVV numbers and full bank details. For some, crypto wallet addresses were also leaked due to the misconfigured database.

Password reset for Sky customers
Customers of Sky Broadband have received an email from the company advising them to reset their passwords as a security measure. The email contains a link for doing so. It is speculated that the company suffered a credential stuffing attack.

Personal info of journalists leaked
Nearly three dozen journalists across major publications have been targeted by a threat group that maintains a Deep Web database. The information was posted on a site called Doxbin. It contained the names, addresses, phone numbers and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people.

Top Malware Reported in the Last 24 Hours

Phobos ransomware
Phobos ransomware, which appeared at the beginning of 2019, is based on the previously known Dharma ransomware. It is distributed via hacked remote desktop connections. The ransomware encrypts a variety of files, including executables, and the attacker’s email address is appended to the encrypted files.

Return of Sodinokibi ransomware
BSI, the German national cybersecurity authority, has issued a warning regarding a malspam campaign that distributes the Sodinokibi ransomware. The mails are sent from the meldung@bis-bund[.]org email address and use the subject line “Warnmeldung kompromittierter Benutzerdaten.” Once launched, the ransomware encrypts the victims’ files with unique extensions and later demands a ransom ranging between $2500 and $5000.
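As an added illustration (not code from the page, BSI or Cyware), the following Python check applies the two indicators above to mail headers after refanging them, and adds a look-alike test against the genuine BSI domain, assumed here to be bsi.bund.de, which the report does not state; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Indicators as published in the report (defanged form kept as-is).
SENDER_INDICATOR = "meldung@bis-bund[.]org"
SUBJECT_INDICATOR = "Warnmeldung kompromittierter Benutzerdaten"
# Assumption: genuine BSI mail comes from a bsi.bund.de / bund.de address.
LEGIT_SUFFIX = "bund.de"


def refang(indicator):
    """Turn a defanged indicator such as 'bis-bund[.]org' into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sender_domain(from_header):
    """Extract the domain part of a From: header, lower-cased."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower().rstrip(">") if m else ""


def is_lookalike(domain):
    """Flag domains that imitate 'bund' (bis-bund, bsi-bund, ...) but are not *.bund.de."""
    return "bund" in domain and not domain.endswith(LEGIT_SUFFIX)


def classify(raw_message):
    """Return the list of reasons a message matches the Sodinokibi malspam pattern."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    reasons = []
    if refang(SENDER_INDICATOR) in sender.lower():
        reasons.append("known sender indicator")
    if SUBJECT_INDICATOR.lower() in subject.lower():
        reasons.append("known subject line")
    domain = sender_domain(sender)
    if is_lookalike(domain):
        reasons.append("look-alike domain " + domain)
    return reasons


# Constructed sample messages (not real captures).
MALSPAM = ("From: BSI <meldung@bis-bund.org>\n"
           "Subject: Warnmeldung kompromittierter Benutzerdaten\n\nBitte Anhang pruefen.\n")
LOOKALIKE_ONLY = "From: <alert@bsi-bund.com>\nSubject: Sicherheitshinweis\n\nHallo.\n"
LEGIT = "From: BSI <info@bsi.bund.de>\nSubject: Newsletter\n\nHallo.\n"

if __name__ == "__main__":
    for sample in (MALSPAM, LOOKALIKE_ONLY, LEGIT):
        print(classify(sample))
```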

Monokle Android trojan
The Monokle remote access trojan has been enhanced with a range of intrusive capabilities. These include keylogging, capturing photos and videos, retrieving browser and messenger history and tracking the location of the user. The malware can also install trusted certificates, which allows it to gain root access to the device. Currently, it is targeting Android devices, but researchers have found some samples of the malware targeting iOS devices.

WeTransfer used in a malspam campaign
Hackers are abusing the popular file-sharing service WeTransfer to evade email security gateways in a new malspam campaign. The attack begins with the hackers entering a sender email address and a recipient email address into the WeTransfer interface. A file presented as, for example, ‘an invoice to be reviewed’ is then added as an attachment to trick users.

Karagany malware evolves
Karagany is a modular RAT linked to a threat actor group called IRON LIBERTY. The group is known for targeting the energy vertical, including energy companies and organizations financing energy firms in the US and Europe. Karagany’s main purpose is to provide access to a victim’s network, upload and download files, and later execute additional plugin modules.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Android versions
A vulnerability has been discovered in Android versions 7.0 through 9.0. Hackers can exploit the flaw to hijack vulnerable devices using a malicious video file. The vulnerability is tracked as CVE-2019-2107 and can allow attackers to execute arbitrary code remotely on Android devices. A researcher has also developed a proof of concept for the attack vector.

BlueKeep vulnerability exploited
A new variant of the Watchbog malware has been found scanning for Windows computers that are vulnerable to BlueKeep. Once a scan completes, the malware variant immediately starts probing the discovered IP addresses and connects to its C2 server to receive further commands. BlueKeep, also known as CVE-2019-0708, is a Windows kernel vulnerability affecting RDP services in Windows XP, 7, Server 2003 and Server 2008.

Updates released for Ubuntu OS
Canonical has released new Linux kernel security updates for the Ubuntu 19.04 and Ubuntu 18.04 LTS operating system series. The updates address a series of vulnerabilities that include a race condition and an integer overflow. Both issues can allow a local attacker to crash the system, causing a denial of service, or possibly execute arbitrary code.

Vulnerable FR Configurator2
Several vulnerabilities have been detected in Mitsubishi Electric’s FR Configurator2 inverter engineering software. By exploiting them, hackers can achieve information disclosure, arbitrary code execution and privilege escalation, or cause a denial of service (DoS). FR Configurator2 is used worldwide, especially in the critical manufacturing sector.

U-Boot loader vulnerabilities
A total of 13 vulnerabilities in the open-source universal boot loader Das U-Boot have been publicly disclosed. They can be exploited by attackers on the same network to execute code on U-Boot powered devices. A temporary patch has been released, although it is not fully tested.

Top Scams Reported in the Last 24 Hours

Fake invoice scam
Fake invoice scams are targeting South African companies. These scams deceive a business or a customer into sending a payment to a false bank account. If the payment is made using the South African SAMOS clearing system, it is irrevocable: victims cannot reverse a payment once it has been settled, even if they realize they have been conned. Fraudsters use social engineering techniques or other hacking tools to gain access to a person’s email account.


Posted on: July 25, 2019
