Cyware Daily Threat Intelligence June 15, 2018

Top Malware Reported in the Last 24 Hours
DBGer ransomware
Security researchers have spotted a new version of Satan ransomware, dubbed DBGer ransomware. It works by dropping Mimikatz, an open-source password-dumping utility, inside a compromised network to spread laterally. Once a machine is infected, the ransomware encrypts its data and appends the .dbger extension to the encrypted files.

Malicious Docker images removed
The Docker team has removed 17 malicious images that were used to install reverse shells and cryptocurrency miners on users' servers between May 2017 and May 2018. All of the images were uploaded to the Docker Hub portal from an account using the pseudonym 'docker123321'. Researchers found that some of the images had been installed more than one million times.

MysteryBot emerges
A new malware strain named 'MysteryBot' has been found deleting all SMS messages from Android phones. It bundles a banking Trojan, a keylogger and mobile ransomware, and is capable of copying all SMS messages, deleting all contacts and changing the default SMS app. Experts believe MysteryBot is similar to the LokiBot Android banking Trojan.

Top Vulnerabilities Reported in the Last 24 Hours
Lazy FP state restore
Researchers have spotted one of the eight second-generation Spectre flaws in Intel Core processors. Dubbed 'Lazy FP', the vulnerability affects CPUs that use lazy floating point unit (FPU) state switching. Intel says that 'Lazy FP state restore' is similar to variant 3a. Successful exploitation would allow attackers to obtain information about the activity of other applications, including encryption operations.

AirWatch Agent patched
VMware, a cloud computing and platform virtualization software vendor, has rolled out a security update to patch a remote code execution flaw in its AirWatch Agent. In addition, it has released a fix for the CVE-2017-5641 vulnerability found in VMware vCenter Server. VMware vCenter Server 6.0 and 6.5 are affected; version 5.5 and other VMware products are not. Users are advised to apply the 6.5c and 6.0U3b patches to fix the issue.

Top Breaches Reported in the Last 24 Hours
Clarifai hacked
A lawsuit filed by a former employee alleges that the artificial intelligence startup Clarifai failed to report a hack while it was working on the Pentagon's Maven project. The report noted that the company's computer systems were compromised by Russian operatives, potentially exposing technology used by the US military to an adversary. The firm learned of the breach last November but failed to take proper action.

CRA data breach
According to government documents, the personal information of over 80,000 individuals held by the Canada Revenue Agency (CRA) may have been accessed without authorization over the last 21 months. The breaches came to light when documents outlining privacy breaches across all government departments and agencies were presented in the House of Commons.

HealthEquity data breach
The personal data of around 23,000 individuals may have been compromised in a data breach that occurred at HealthEquity on April 11, 2018. The leaked data includes employee names, employer names, and employee and employer HealthEquity IDs. The breach occurred after an unauthorized person gained access to an employee's email account.

Top Scams Reported in the Last 24 Hours
Fraud brokers scam
Scammers have been found targeting homebuyers by posing as legitimate brokers and tricking them into transferring large sums to an account under the scammers' control. The scam is conducted via phishing emails purporting to come from building companies. Experts have termed this incident Enterprise Email Compromise and found that most of the fraudsters are based in Nigeria. They break into corporate email accounts in order to steal financial data and siphon off large sums.

Adidas phishing campaign
A new phishing scam impersonating Adidas has been discovered that lures victims into a $50-per-month subscription under the promise of free shoes. To perform the scam, threat actors send a message suggesting Adidas is giving away around 2,500 pairs of shoes as part of the company's 69th anniversary, together with a homograph link that appears to point to a legitimate Adidas website. The campaign is fairly well structured and primarily targets users in Norway, Sweden, the United States, the Netherlands, Belgium, and India.
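The homograph link used in the Adidas lure is the kind of indicator a mail gateway or URL filter can flag before anyone clicks. The script below is an added example for this digest, not code from Cyware, Adidas or any vendor named above: it decodes Punycode (xn--) labels back to Unicode, flags labels that mix Latin with Cyrillic or Greek letters, and maps a small constructed confusables table onto a watch-list of brand names. The sample links, the confusables subset and the brand list are constructed for illustration and are not the real campaign's domains.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed subset of the Unicode confusables list: non-Latin letters that
# render like Latin ones. A production filter would load the full table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed watch-list of brand labels worth protecting against look-alikes.
WATCHED_BRANDS = {"adidas", "vmware", "docker"}

# Constructed sample links: one genuine-looking Latin domain, one Unicode
# look-alike (Cyrillic 'a' and 'i' inside 'adidas'), and the same look-alike
# in the Punycode form that actually travels over the wire.
LOOKALIKE_LABEL = "\u0430d\u0456das"
SAMPLE_LINKS = [
    "https://www.adidas.com/us",
    "https://www." + LOOKALIKE_LABEL + ".com/free-shoes",
    "https://" + LOOKALIKE_LABEL.encode("idna").decode("ascii") + ".com/anniversary",
]


def to_unicode_host(host: str) -> str:
    """Decode any xn-- labels so look-alike characters become visible."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep as-is, it is still scored below
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(label: str) -> str:
    """Replace confusable characters with their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_link(url: str) -> dict:
    """Score one URL: mixed-script labels and brand look-alikes are suspicious."""
    host = urlparse(url).hostname or ""
    uhost = to_unicode_host(host)
    reasons = []
    for label in uhost.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            reasons.append(f"mixed scripts in '{label}': {sorted(found)}")
        sk = skeleton(label)
        if sk != label and sk in WATCHED_BRANDS:
            reasons.append(f"'{label}' is a look-alike of '{sk}'")
    return {"host": host, "unicode_host": uhost,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_links(links) -> list:
    """Return the analysis records for every link that was flagged."""
    return [r for r in (analyze_link(u) for u in links) if r["suspicious"]]


if __name__ == "__main__":
    for record in scan_links(SAMPLE_LINKS):
        print(record["host"], "->", record["unicode_host"])
        for reason in record["reasons"]:
            print("   ", reason)
```

Punycode decoding comes first because a filter that only inspects the ASCII form of a hostname never sees the Cyrillic letters; the mixed-script check then catches spoofs the confusables table does not know about, while the skeleton comparison catches the specific brands on the watch-list.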
