Cyware Daily Threat Intelligence, June 06, 2019

The cybersecurity world is full of surprises when it comes to attack techniques. Recently, security researchers developed a new and sophisticated attack method that mimics users' keystroke characteristics to steal sensitive information. Termed Malboard, the attack can be carried out in the background without being detected by antivirus software. The researchers used keyboards made by Microsoft, Lenovo, and Dell to demonstrate the technique.

A new variant of Vega ransomware called Buran was also discovered in the past 24 hours. The ransomware is distributed via the RIG exploit kit. During encryption it skips files with certain extensions, namely .cmd, .com, .cpl, .dll, .msc, .msp, .pif, .scr, .sys, .log, .exe, and .buran. It appends a random extension, unique to each victim's ID, to the encrypted files.

The past 24 hours also saw major security updates from Google and Cisco. While Cisco has released a series of patches for issues in various products, Google has fixed 42 vulnerabilities in Chrome with the release of version 75.0.3770.80 for Windows, Mac, and Linux.

Top Breaches Reported in the Last 24 Hours

Ellwood City Medical Center attacked
Ellwood City Medical Center officials have disclosed that the center was recently the target of a cyber attack. The investigation is in its initial stage; however, the center says it has found no evidence of data loss. Although the center has contained the virus, it has yet to determine its entry point.

UK universities attacked
New research from BBC Radio 4 has revealed that two-thirds of UK universities have been hacked over the past four years. The hackers stole sensitive data belonging to students and staff and also gained access to valuable research. The majority of attacks on these institutions were carried out through Domain Name System (DNS) attacks.

FAI attacked
The Football Association of Ireland (FAI) has confirmed that its servers at Abbotstown, Dublin, were breached, affecting its email services. Part of the affected email services has since been restored, and the association has assured customers who bought tickets for the Ireland national team's matches that they are not affected. No payment details were breached in the incident.

Top Malware Reported in the Last 24 Hours

Fake Cryptohopper pushes malware
Cybercriminals have been found pushing a variant of the Vidar trojan and two variants of the Qulab trojan onto victims' systems. The attack is triggered when users visit a fake Cryptohopper trading platform. When a user opens the fake platform, it automatically downloads a Setup.exe executable onto the system; the executable carries the Cryptohopper logo.

Malboard attack
Researchers have devised a new attack method that attackers can use to mimic users' identities through their keystrokes. Dubbed Malboard, the attack has been demonstrated using users' behavioral data, with keyboards made by Microsoft, Lenovo, and Dell used in the research. Malboard attacks can be launched in two scenarios: remotely, or by insiders.

Buran ransomware
A new variant of Vega ransomware named Buran has been found to be distributed via the RIG exploit kit. Once executed, the variant copies itself to %APPDATA%\microsoft\windows\ctfmon.exe and launches from that location. The ransomware does not encrypt files with the .cmd, .com, .cpl, .dll, .msc, .msp, .pif, .scr, .sys, .log, .exe, and .buran extensions. It appends a random extension, unique to each victim's ID, to the encrypted files.
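The Buran behaviour described above (and in the summary at the top of this briefing) gives a defender two concrete things to hunt for: a ctfmon.exe launched from the user's %APPDATA%\microsoft\windows directory rather than the Windows system directory, and the extension list the ransomware leaves alone. The following Python is an added example, not code from Cyware or from any vendor report; the process-creation events are constructed, and the set of legitimate ctfmon.exe directories (System32 and SysWOW64) is an assumption about a standard Windows install.

```python
import ntpath

# Constructed sample of process-creation events: (user, image path).
# Two are the legitimate Windows ctfmon.exe, two mimic the Buran drop location.
SAMPLE_EVENTS = [
    ("alice", r"C:\Windows\System32\ctfmon.exe"),
    ("alice", r"C:\Windows\SysWOW64\ctfmon.exe"),
    ("alice", r"C:\Users\alice\AppData\Roaming\microsoft\windows\ctfmon.exe"),
    ("bob", r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\CTFMON.EXE"),
    ("bob", r"C:\Program Files\Vendor\tool.exe"),
]

# Assumption: on a standard install the real ctfmon.exe lives only here.
LEGIT_CTFMON_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Path Buran copies itself to, as given in the report (environment-variable form).
BURAN_DROP_PATH = r"%APPDATA%\microsoft\windows\ctfmon.exe"

# Extensions Buran skips during encryption, as given in the report.
BURAN_SKIPPED_EXTENSIONS = {
    ".cmd", ".com", ".cpl", ".dll", ".msc", ".msp",
    ".pif", ".scr", ".sys", ".log", ".exe", ".buran",
}


def is_suspicious_ctfmon(image_path: str) -> bool:
    """True when a ctfmon.exe runs from outside the Windows system directories."""
    directory, name = ntpath.split(ntpath.normcase(image_path))
    return name == "ctfmon.exe" and directory not in LEGIT_CTFMON_DIRS


def matches_buran_drop(image_path: str, appdata: str) -> bool:
    """True when image_path is exactly the Buran drop path for the given %APPDATA%."""
    expected = BURAN_DROP_PATH.replace("%APPDATA%", appdata)
    return ntpath.normcase(ntpath.normpath(image_path)) == ntpath.normcase(expected)


def would_buran_skip(filename: str) -> bool:
    """True when Buran would leave this file unencrypted, judged by extension."""
    return ntpath.splitext(filename)[1].lower() in BURAN_SKIPPED_EXTENSIONS


def scan_process_events(events):
    """Return the (user, image path) pairs that look like Buran persistence."""
    return [(user, path) for user, path in events if is_suspicious_ctfmon(path)]


if __name__ == "__main__":
    for user, path in scan_process_events(SAMPLE_EVENTS):
        print(f"suspicious ctfmon.exe for {user}: {path}")
```

The path comparison is deliberately case-insensitive and normalised, since the report gives the drop path in lower case while Windows logs it in whatever case the file system stored. The extension check is the inverse of what the ransomware does: a file whose extension is on the skip list (including .buran, which marks files already encrypted) is expected to survive, so a backup-verification job can use it to tell which files to inspect first.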

Top Vulnerabilities Reported in the Last 24 Hours

Cisco releases security updates
Cisco has released security updates for multiple vulnerabilities across its products, including remote code execution, information disclosure, server-side request forgery, cross-site scripting, and authentication bypass flaws. The flaws mainly affect Cisco's Industrial Network Director, Unified CM IM&P service, TelePresence VCS, Expressway Series, and IOS XR software.

RCE bug in Exim
Exim, a mail transfer agent, has been found to be affected by a critical RCE flaw tracked as CVE-2019-10149. The flaw affects mail servers running Exim versions 4.87 through 4.91 and could let an attacker run malicious commands on the Exim server as root. The vulnerability has been patched in Exim 4.92.
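A first triage step for CVE-2019-10149 is to check which mail servers in an inventory report an Exim version inside the affected 4.87 to 4.91 range. The Python below is an added example, not code from Cyware or from the Exim project; it parses the version out of SMTP greeting banners (the sample banners are constructed, and the assumption that a default Exim banner contains the text "Exim <version>" is mine) and classifies each host against the range and the 4.92 fix stated in the report.

```python
import re

# Version bounds taken from the report: 4.87..4.91 affected, fixed in 4.92.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)
FIXED_IN = (4, 92)

# Assumption: a default Exim greeting carries "Exim <major>.<minor>[.<patch>]".
EXIM_VERSION_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed sample banners keyed by hostname.
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Thu, 06 Jun 2019 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.92 Thu, 06 Jun 2019 10:00:01 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.86.2 Thu, 06 Jun 2019 10:00:02 +0000",
    "mx4.example.test": "220 mx4.example.test ESMTP Exim 4.87 Thu, 06 Jun 2019 10:00:03 +0000",
    "mx5.example.test": "220 mx5.example.test ESMTP ready",
}


def parse_exim_version(banner: str):
    """Return (major, minor, patch) from an Exim banner, or None if not Exim."""
    match = EXIM_VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_affected(version) -> bool:
    """True when the major.minor part lies in the affected range."""
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def classify(banner: str) -> str:
    """Classify one banner: 'not-exim', 'affected', 'fixed' or 'outside-range'."""
    version = parse_exim_version(banner)
    if version is None:
        return "not-exim"
    if is_affected(version):
        return "affected"
    if version[:2] >= FIXED_IN:
        return "fixed"
    # Older than 4.87: not in the reported range, but still unsupported.
    return "outside-range"


def triage_banners(banners: dict) -> dict:
    """Map each host to its classification so affected hosts can be patched first."""
    return {host: classify(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in triage_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

A banner check is only a first pass: administrators can hide or rewrite the greeting, and a distribution package may carry the fix as a backport without changing the reported version, so a host classed "affected" should be confirmed against the installed package, and a host classed "not-exim" should not be assumed safe.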

Chrome version 75.0.3770.80 released
Google has released Chrome version 75.0.3770.80 for Windows, Mac, and Linux. The release includes fixes for 42 security issues with high, medium, and low CVSS scores, some of which could allow attackers to take control of an affected system.

Buggy phishing kits
Researchers have found security holes in the installation stage of some phishing kits that would let an attacker infiltrate the kit and upload additional files, or take control of the kit's operations altogether. The bugs stem from poor construction, outdated open-source code, and web application vulnerabilities. The common thread between the kits is their use of class.uploader.php, ajax_upload_file.php, and ajax_remove_file.php.

Top Scams Reported in the Last 24 Hours

Genetic testing scams
The US Office of Inspector General (OIG) has issued a notice warning the public about genetic testing fraud schemes. According to the alert, scammers offer free genetic testing kits in order to obtain medical information for fraudulent billing and identity theft. Users are therefore advised not to accept mailed genetic testing kits unless a physician prescribed them, and to closely scrutinize any request for Medicare information tied to free genetic testing. OIG has also asked health care providers to be aware of the scheme and to notify their patients about it.

iPhone scam
A report from Quartz has revealed that a New York City-based cybercriminal ring allegedly stole more than $19 million worth of iPhones by posing as cell phone subscribers. The culprits reportedly used false IDs and fake debit cards to pose as real customers at mobile phone stores, then asked staff to upgrade the existing phone on the account to a new model, with payment due over the following months. The fraudsters operated in 34 states.

Posted on: June 06, 2019