Go to listing page

Cyware Daily Threat Intelligence, June 03, 2019

Cyware Daily Threat Intelligence, June 03, 2019

Share Blog Post

The creators of the prolific GandCrab ransomware have made a major announcement regarding its closure. In an official thread on a hacking forum, they announced that they are planning to shut down GandCrab ransomware within a month. The hacking forum used for the announcement is the same one where the creators advertised GandCrab as ransomware-as-a-service (RaaS). GandCrab came into existence in January 2018 and is one of the most active ransomware deployed by attackers.

The creators have also boasted about the amount they earned through the ransomware. In the message, the group mentions that it has earned over $2 billion in ransom payments, with the operators making roughly $2.5 million per week and $150 million per year.

A couple of scams were also observed in the past 24 hours. In a major incident, a series of SIM swapping attacks were observed targeting US-based cryptocurrency users in an attempt to steal their funds. On the other hand, a new phishing scam was discovered that prompted users to take action on a list of undelivered emails. The ultimate goal of the scammers in the scam was to steal Outlook login credentials from users.

Top Breaches Reported in the Last 24 Hours

Broome County suffers a breach
Broome County in New York has suffered a data breach after hackers gained unauthorized access to employee email accounts and payroll accounts. The incident occurred between November 20, 2018, and January 2, 2019. After a thorough review, the County has found that the compromised data included names, dates of birth, contact details, Social Security numbers, financial information, and credit card information of individuals. The County is working on implementing additional safeguards and security measures to enhance the privacy and security of its patient information.

Lewes Board of Public Works hacked
Lewes Board of Public Works has notified its customers about a potential hacking attempt that might have resulted in the compromise of their information. Lewes Board of Public Works became aware of the data breach on May 28, 2019. The Department of Homeland Security (DHS) has revealed that hackers may have exploited a vulnerability in the software to copy customer information.

Eurofins Scientific ransomware infection
Eurofins Scientific recently admitted that it has fallen victim to a ransomware attack in the weekend. This had affected some of its systems. However, there is no evidence of any unauthorized transfer or misuse of data. Many of the firm’s systems and servers were taken offline by its IT teams to contain the activity of malware.

Top Malware Reported in the Last 24 Hours

GandCrab RaaS to shut down
The creators of GandCrab ransomware have announced their retirement as they plan to shut down the RaaS operation within a month. The announcement was made in an official thread on a well-known hacking forum where the GandCrab Raas has advertised its service since its inception. In the message, the creators boasted that they earned over $2 billion in ransom payments, with the operators making roughly $2.5 million per week and $150 million per year.

A new variant of Hidden Bee
Researchers have unearthed a new variant of Hidden Bee cryptominer that installs itself as a Windows service. The attack process begins by infecting applications like svchost.exe, msdtc.exe, dllhost.exe, and WmiPrvSE.exe with malicious payloads. The malware is deployed after the deployment of a variety of customized formats such as data packages, executable, and filesystems.

Sodinokibi ransomware
A new malspam campaign that pretends to be foreclosure notifications has been found distributing Sodinokibi ransomware. The attack is carried out against German users and is initiated through an email that has a subject line ‘Ankündigung der Zwangsvollstreckung’. It includes a Word attachment, which if opened, results in the download of the ransomware.  

Microsoft Azure distributes malware
Popular cloud platform Microsoft Azure has been found to be favorite among cybercriminals to store malicious content. Instances of malicious samples were discovered by two security researchers @JayTHL and @malwrhunterteam. The researchers reported these samples to Microsoft on May 12. However, according to security firm AppRiver, the samples are still said to be active on Azure.
Top Vulnerabilities Reported in the Last 24 Hours

Apple patches a modem bug
Apple has patched a 20-year-old modem configuration bug that existed in Apple operating systems. The flaw could allow an attacker to get persistent, remote access to any Mac system. The vulnerability exists in a universal translator named CCLEngine that Apple created for modems. The CCLEngine helps interpret and orchestrate data links between two computers.

FPGA flaw
The versatility of FPGA can open a gateway for cyber attacks on cloud services and IoT devices. As the programmable chips can be partially used by different users, it can allow attackers to launch side-channel attacks. The flaw can affect IoT devices that use FPGA for smart heating control or lighting systems.

SUPRA smart TV flaw
SUPRA smart TV is vulnerable to CVE-2019-12477 vulnerability. The flaw resides in the ‘openLiveURL’ function of the SUPRA smart cloud TV due to lack of authentication or session management. The vulnerability could allow a local attacker to inject a remote file in the broadcast and display fake videos without any authentication.
Top Scams Reported in the Last 24 Hours

RDC scam
Scammers recently targeted an unemployed individual with an email sent from a job-hunting site. The email included a set of instructions for an interview with the firm. During the course of the interview over Google Hangouts, the scammer asked the victim for a deposit that was necessary to purchase equipment from one of the company’s preferred vendors. However, after a close look, it was found that the issued check was from a high school and not from the concerned firm.    

SIM swapping attack
Several US-based cryptocurrency users have been targeted in a series of SIM swapping attacks over a past few weeks. While a majority of victims have been reported using T-Mobile, there are some who were using AT&T. The purpose of these attacks is to reset passwords or receive 2FA verification codes of SIMs used by customers and access their protected accounts. Many customers have reported losing funds in cryptocurrency due to the attack.

New phishing campaign
Researchers have found a new phishing campaign that pretends to be a list of undelivered emails being held on Outlook Web Mail service. The phishing email goes with a subject line that reads, “ Notifications | undelivered emails to your inbox” and prompts users to either delete, resend or deny the emails. It comes attached with a link that redirects users to a fake ‘Outlook Web App’ login page. The purpose of the scam is to steal Outlook login credentials.


microsoft azure
eurofins scientific
sodinokibi ransomware
gandcrab raas
sim swapping attack

Posted on: June 03, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.