Cyware Daily Threat Intelligence, July 30, 2020

The ever-evolving Mirai botnet has added a new exploit to its arsenal. In the past 24 hours, security researchers discovered a new variant of the botnet that includes an exploit for a recently discovered TMUI RCE flaw affecting F5 BIG-IP customers. The new variant is tracked as Trojan.SH.MIRAI.BOI.

A new backdoor malware capable of delivering malicious payloads to misconfigured cloud-based Docker instances has also been spotted in the last 24 hours. Named Doki, it is operated by the Ngrok threat actor group.

Apart from this, a massive cyberespionage campaign, called Operation North Star, has also come to the notice of researchers. The campaign, which was operated by the Hidden Cobra hacker group, targeted the US defense and aerospace sectors with fake job offers.

Top Breaches Reported in the Last 24 Hours

Ledger discloses a breach
Cryptowallet Ledger disclosed that it had suffered a hack on July 14, 2020. As a result of the hack, the hackers had gained access to 9500 phone numbers, 1 million email addresses, and 9500 postal addresses.

Operation North Star
A new attack campaign called ‘Operation North Star’, associated with the North Korean Hidden Cobra hackers, was active between March and May 2020. The campaign targeted the US defense and aerospace sectors with fake job offers.

Unsecured databases
A new report has revealed that there are more than nine thousand unsecured databases across 20 countries that can be easily compromised by hackers. These unprotected databases contain over 10 billion records.

Vermont Tax department breached
A flaw in the Vermont Department of Taxes' online filing site affected the tax details of several users who had filed tax returns between February 2017 and July 2020. The exposed data included the social security number of buyers. The agency disabled the functionality as soon as it became aware of the issue.

Top Malware Reported in the Last 24 Hours

Doki malware
The Ngrok threat actor group is targeting misconfigured cloud-based Docker instances running on Linux distributions with a malware dubbed Doki. The backdoor, which has existed undetected for more than six months, is designed to execute malicious code.

Update on TrickBot’s Anchor backdoor
TrickBot’s Anchor backdoor has been ported to infect Linux devices and compromise high-value targets using covert channels. The malware framework was first discovered in 2019 and was deployed on Point-of-Sale (PoS) and financial systems.

FBI warns about Netwalker
The FBI has issued a security alert about Netwalker ransomware operators targeting US and foreign government agencies. The agency has advised organizations not to pay the ransom and to follow a list of recommended mitigation measures.

New variant of Mirai
A new variant of the Mirai botnet, named Trojan.SH.MIRAI.BOI, includes an exploit for a flaw (CVE-2020-5902) that affects an F5 BIG-IP enterprise network management tool. The security bug is related to a remote code execution issue in the Traffic Management User Interface (TMUI) of BIG-IP. Other exploits abused by the variant include CVE-2020-1956, CVE-2020-7115, CVE-2020-5902, CVE-2020-10713, and CVE-2020-7209.

Top Vulnerabilities Reported in the Last 24 Hours

CCleaner classified as PUA
In a new threat entry, Microsoft has classified the popular CCleaner Windows optimization and Registry cleaner program as a Potentially Unwanted Application (PUA). The extent of the threat from CCleaner is not mentioned, but Microsoft has advised users not to use it.

BootHole vulnerability
A serious vulnerability, dubbed BootHole, can put billions of Windows and Linux devices at risk of compromise. Tracked as CVE-2020-10713, the flaw scores 8.2 on the CVSS scale. The vulnerability is a buffer overflow related to the way GRUB2 parses its grub.cfg configuration file. Attackers can exploit the flaw to install stealthy and persistent malware. Companies affected by the BootHole flaw have started releasing advisories.

Cisco fixes flaws
Cisco has released security updates to address several vulnerabilities found in its Data Center Network Manager (DCNM) and multiple SD-WAN software products. Three of these are critical vulnerabilities stemming from authentication bypass, buffer overflow, and authorization bypass issues.

A Zoom bug
A lack of rate-limiting for repeated password attempts allowed potential attackers to crack the numeric passcode used to secure Zoom private meetings. The flaw existed in the Zoom web client and was fixed by the company in April.

Posted on: July 30, 2020
