Cyware Daily Threat Intelligence, June 07, 2019


Threat actors regularly release new malware in order to launch large-scale attacks stealthily. The past 24 hours saw the emergence of three new malware families: the HAWKBALL backdoor, the Andr/Xgen2-CY trojan, and the GoldBrute botnet. While the HAWKBALL backdoor has been found targeting the government sector in Central Asia, the Andr/Xgen2-CY trojan has been unearthed in the firmware of four low-end Android smartphones. The impacted smartphones are the Doogee BL7000, M-Horse Pure 1, Keecoo P11, and VKworld Mix Plus.

The newly discovered GoldBrute botnet has been observed brute-forcing over 1.5 million RDP servers exposed to the Internet. GoldBrute was found to be using a C2 server whose IP address is located in New Jersey.

A major update on AMCA data breach was also reported in the past 24 hours. The billing service provider has disclosed that OPKO Health Inc. and its subsidiary BioReference Laboratories Inc have also been affected in the breach. The unauthorized party had accessed the BioReference medical test data of around 422,600 OPKO Health patients between August 1, 2018, and March 30, 2019.  

Top Breaches Reported in the Last 24 Hours

Hacker sells access to corporate internal networks
A threat actor who goes by the online name ‘Achilles’ has been found selling network access to four organizations on multiple hacking forums. The victim organizations are Symantec, Comodo Group, Hash Inc and UNICEF. According to researchers, the hacker has also tried to sell entry into the corporate network of a holiday travel company called Transat. For UNICEF, Achilles has offered access for a price between $2,000 and $5,000.

Radisson’s security lapse
Radisson disclosed that it had inadvertently sent some emails to the wrong members. The emails included information about its loyalty program members such as their first names, point balances, membership tiers, email addresses, and hotel stays in 2019. The issue was discovered by the hotel on May 23, 2019.

OPKO Health Inc data breached
New reports about the AMCA data breach affecting OPKO Health Inc. have emerged. AMCA has disclosed that OPKO Health Inc. and its subsidiary BioReference Laboratories Inc. were also affected in the breach. The unauthorized party accessed the BioReference medical test data of around 422,600 patients between August 1, 2018, and March 30, 2019. Apart from this, the data also contained payment information and PII of patients.

Tech Data security lapse
IT giant Tech Data had exposed its customer and billing data due to an unprotected database. The database included names, postal addresses and email addresses, job titles, invoicing data and receipts of customers. The database was secured as soon as Tech Data was notified of the matter.

Top Malware Reported in the Last 24 Hours

GoldBrute botnet
GoldBrute is a newly discovered botnet that is using brute-force attacks to take control of Windows systems with Remote Desktop Protocol (RDP) exposed to the internet. Researchers claim that the C2 server it uses to communicate with the attackers has an IP address located in New Jersey, United States.

HAWKBALL backdoor
Attackers are leveraging two well-known Microsoft Office vulnerabilities, CVE-2017-11882 and CVE-2018-0802, to deliver the new HAWKBALL backdoor. The malware is being used against the government sector in Central Asia. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.

Andr/Xgen2-CY backdoor trojan
The German Federal Office for Information Security (BSI) has issued an alert notifying users that the firmware of four low-end Android smartphones was infected with a backdoor trojan named Andr/Xgen2-CY. The impacted models are the Doogee BL7000, M-Horse Pure 1, Keecoo P11, and VKworld Mix Plus. The malware is capable of collecting a variety of system information from infected devices.

Top Vulnerabilities Reported in the Last 24 Hours

Windows’ second zero-day
An anonymous security researcher going by the name SandboxEscaper has published a proof-of-concept (PoC) exploit for a second zero-day vulnerability in the Microsoft Windows operating system. The exploit bypasses the patch for a recently fixed privilege escalation vulnerability. Two weeks ago, the same researcher had disclosed four zero-day exploits for Windows.

VMware’s security update
VMware has patched two high-severity vulnerabilities in its Tools and Workstation software. The flaws are identified as CVE-2019-5522 and CVE-2019-5525. The vulnerabilities are fixed in VMware Tools 10.3.10 and Workstation 15.1.0 respectively.

Top Scams Reported in the Last 24 Hours

New phishing email
A new phishing campaign that tricks users into revealing their credentials has been observed recently. The phishing email has a subject line of ‘New Account Verification!’ and pretends to be a ‘Server Notification’. If users click on the ‘Add Recovery Number Now’ link, then they are redirected to a hacked WordPress site that is hosting a fake Webmail login page. The page prompts the users to enter their usernames and passwords.

Impersonation attack
Scammers have been found impersonating the electronic procurement systems of three Latin American governments in a new phishing campaign. They are leveraging the identity of these agencies to invite bids on public projects with the governments of Mexico, Peru or Uruguay. The purpose of the campaign is to steal account credentials from unsuspecting users and later sell them on underground markets.

Telephone Scam 
Spain has extradited 94 Taiwanese suspects on telephone and online fraud charges. The culprits are reported to have earned a total of $17 million through these scams. The scam involved fraudsters masquerading as Chinese authorities and pressuring victims to transfer money to their accounts.


Posted on: June 07, 2019