Cyware Daily Threat Intelligence, June 11, 2020


COVID-19-related relief package schemes initiated by different governments have turned out to be a ripe opportunity for cybercriminals. Lately, business owners using Microsoft Office 365 in the U.K. were targeted in a phishing email scam designed to steal their personal information. These emails impersonated legitimate authorities and claimed to offer financial relief to small businesses.

Furthermore, security experts also came across 12 malicious contact-tracing apps that are used to spread a variety of malware. These apps were distributed via websites, other mobile apps, and third-party stores, among other sources.

A new ransomware, dubbed Thanos, was also tracked in the past 24 hours. It uses the unique RIPlace technique to bypass anti-ransomware protections. The malware includes an ftp_file_exfil() function that automatically exfiltrates files to a remote FTP site while it encrypts the targeted system.

Top Breaches Reported in the Last 24 Hours

A1 Telekom disclosed a hack
Austria’s largest internet service provider, A1 Telekom, admitted falling victim to a cyberattack in November 2019. The hack was believed to be the work of the China-based Gallium threat actor group. It took six months for the firm to restore its infected systems and servers.

Flawed app reveals data
A glitch in the Babylon Health app allowed users to gain access to other users’ video consultations with doctors. The flaw was addressed on June 9 after the telehealth company was informed by a user.

Top Malware Reported in the Last 24 Hours

New Thanos ransomware
A new ransomware, named Thanos, has been found utilizing the RIPlace technique to evade detection. Previously known as Quimera, the ransomware has been sold as Ransomware-as-a-Service (RaaS) on Russian hacker forums since February 2020. It includes an ftp_file_exfil() function that automatically exfiltrates files to a remote FTP site as it encrypts a computer.

XMRig installed
Microsoft has revealed a series of attacks against Kubeflow, a toolkit for running Machine Learning (ML) operations on Kubernetes clusters. The attacks, which have been active since April 2020, are being carried out to install an XMRig miner on vulnerable Kubernetes clusters. The attackers are taking advantage of publicly exposed Kubeflow management panels to launch these attacks.

TrickBot returns
A phishing email campaign asking recipients to vote anonymously on Black Lives Matter has been found spreading the TrickBot trojan. The subject line of the email states, “Leave a review confidentially about ‘Black Lives Matter’.” It prompts the recipients to fill out and return an attached document named ‘e-vote_form_3438.doc’.

Fake contact-tracing apps
Researchers have traced 12 malicious contact-tracing apps that contain a wide range of malware, including Anubis and SpyNote. These apps are likely being distributed via other mobile apps, third-party stores, and websites, among other sources. Researchers learned that these apps are targeting citizens across multiple countries.
Top Vulnerabilities Reported in the Last 24 Hours

Details of an RCE flaw released
Cisco’s Talos threat intelligence and research group has released details about a recently patched code execution vulnerability in Firefox. The flaw, tracked as CVE-2020-12405, has a CVSS score of 8.8 and can be exploited when the user navigates to a malicious page. It was fixed with the release of Firefox 77.

SAP patches flaws
SAP has addressed a total of 19 vulnerabilities as part of its June 2020 Patch Tuesday. Out of these, two are rated ‘Critical’. These flaws are identified as CVE-2020-1938 and CVE-2020-6265 and have a CVSS score of 9.8.

VMware issues patches
VMware has patched a high-severity information disclosure vulnerability affecting its Workstation, Fusion, and vSphere virtualization products. The flaw is tracked as CVE-2020-3960 and could allow attackers with non-admin access to a machine to read privileged information from memory.

SMBleed patched
Microsoft’s June 2020 Security Updates include a fix for a Server Message Block (SMB) protocol bug that could allow attackers to leak kernel memory remotely without authentication. Called SMBleed and tracked as CVE-2020-1206, the flaw is linked to SMBGhost, which was addressed in March 2020.

Top Scams Reported in the Last 24 Hours

Microsoft Office 365 users targeted
Business owners with Microsoft Office 365 accounts are being targeted in a phishing email campaign that appears to come from the U.K. government. These emails claim to offer financial relief announced by the government to small businesses. The emails contain a link to a document named COVID-19-Relief-Payment.PDF which, if clicked, redirects users to a benign Dropbox Transfer landing page. The purpose of the scam is to steal individuals’ personal details.

Tags

smbleed
xmrig cryptocurrency miner
a1 telekom
thanos ransomware
microsoft office 365 accounts

Posted on: June 11, 2020
