Cyware Daily Threat Intelligence, June 23, 2020

Share Blog Post

Ransomware has become the number one security risk to businesses and users. The past 24 hours witnessed several attacks from Nefilim, CLOP, and Hackbit ransomware. While the Nefilim ransomware was found leveraging vulnerable Citrix servers to launch attacks against organizations in New Zealand, the CLOP ransomware invaded a financial firm, IndiaBulls Group, stealing several documents related to its Pharmaceuticals and Housing Finance Limited subsidiaries.

Meanwhile, Hackbit ransomware has been found targeting mid-level executives across Austria, Switzerland, and Germany. The malware is distributed via malicious Excel attachments delivered via the popular email provider GMX.

Top Breaches Reported in the Last 24 Hours

Twitter discloses a security breach
Twitter has disclosed a security incident that incorrectly stored the billing information for its advertisers in the browser’s cache. The bug would have also allowed other users on the computer to view this data. The information incorrectly stored in the browser cache includes email addresses, phone numbers, last four digits of credit cards and billing addresses.

80,000 printers exposed online
In a new study, researchers have found that around 80,000 printers are exposed online via the IPP port on a daily basis. This indicates that attackers can collect printers’ names, locations, models, and even organization names just scanning the IPP port.

Indiabulls Group hit
Indiabulls Group has been hit by CLOP ransomware. To claim their attack, the attackers have posted screenshots of files stolen from the firm. The leaked documents include a voucher, a letter, and four spreadsheets related to the Indiabulls Pharmaceuticals and Indiabulls Housing Finance Limited subsidiaries.

Top Malware Reported in the Last 24 Hours

Hackbit ransomware
A ransomware strain, dubbed Hackbit, has been found targeting mid-level executives across Austria, Switzerland, and Germany. The malware is distributed via malicious Excel attachments delivered via the popular email provider GMX. The attachments purport to be related to false billing and tax repayment.

New variants of botnets
Security researchers have detected new variants of XORDDoS and Kaiji botnets targeting exposed Docker servers. For this, the attackers are actively scanning Docker servers that are exposed through port 2375. These new variants are capable of launching DDoS attacks on compromised devices.

Ryuk ransomware deployed
Activity logs on a server used by TrickBot show that the Cobalt Strike actors are conducting reconnaissance by deploying Ryuk ransomware on compromised networks. This allows them to take complete control of the network and get access to as many hosts as possible.

Cobalt Strike campaign
Researchers have observed a malware campaign that uses military-themed malicious Microsoft Office documents to spread Cobalt Strike beacons containing full-fledged RAT capabilities. The campaign targets military and government organizations in South Asia.

Nefilim ransomware
New Zealand CERT has issued a warning that Nefilim ransomware operators are targeting poorly-secured Citrix servers to launch attacks against organizations. Once an attacker gains a foothold through the remote access system, they then use tools such as Mimikatz, PsExec and Cobalt Strike to elevate privileges.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Buffalo router
A firmware vulnerability found in a Buffalo router (v2.46) can allow attackers to take control of the device. Hackers can also take advantage of the vulnerability to infiltrate data from businesses’ networks.

XSS flaw in OSIsoft PI System
A cross-site scripting (XSS) flaw in OSIsoft PI System can be exploited for phishing, privilege escalation, and other purposes. The flaw, tracked as CVE-2020-12021, resides in the PI Web API 2019 component of PI System.

Mitsubishi patches flaws
Mitsubishi Electric and its subsidiary ICONICS have released patches for five vulnerabilities that could allow attackers to execute arbitrary code and launch denial of service (DoS) attacks. These flaws can be exploited by sending specially crafted packets to the targeted system. One vulnerability can allow attackers to execute arbitrary SQL commands.

Top Scams Reported in the Last 24 Hours

Bitcoin giveaway scams
Scammers have managed to make over $2 million in bitcoin over the past two months by impersonating Elon Musk and his company Tesla. In order to make it convincing, the threat actors incorporated a custom element into the Bitcoin vanity addresses and asked people to send a small sum in return of a big amount. Most of these scams are conducted by mimicking the YouTube channels associated with SpaceX and Tesla.


clop ransomware
hackbit ransomware
kaiji botnet
indiabulls group
nefilim ransomware

Posted on: June 23, 2020

Get the Daily Threat Briefing delivered to your email!

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

Join Thousands of Other Cyware Followers!