Cyware Daily Threat Intelligence March 01, 2018

EITest HoeflerText scam
Hackers are using EITest to distribute the GandCrab ransomware as part of the HoeflerText Font Update scam. To stay safe, users are advised to immediately close the browser when they see a popup on a page stating that they need to download a Firefox or Chrome Font Pack.

CannibalRAT
The CannibalRAT has been discovered, written entirely in Python and wrapped in standalone executables. The main target of the campaign was the users of a Brazilian public sector management school called INESAP. The RAT is distributed in a py2exe format and the python bytecode is stored as a PE resource. Buffer overflow flaw
A buffer overflow vulnerability, tracked as CVE-2018-5452, has been discovered in Emerson ControlWave controller. The bug affects ControlWave Microcontrollers, version 05.78.00 and prior. An attacker can exploit this issue to cause a denial-of-service condition.

Ubuntu fixes regression issue
A new update, USN-3579-2, has been released by Ubuntu to resolve an issue caused by the previous update USN-3579-1--related to a LibreOffice issue. The vulnerability (CVE-2018-6871) calls in a document could be used to read arbitrary files. After the upgrade was applied, it was no longer possible for LibreOffice to open documents from certain locations outside of the user's home directory.

Philips ISP vulnerabilities
IntelliSpace Portal, all 8.0.x versions, and all 7.0.x versions were found to be affected by several vulnerabilities. Philips is creating a software update to mitigate these vulnerabilities in the affected products. SSL certificates to be revoked
SSL certificated of over 23,000 users will be revoked due to a clash between Trustico and DigiCert. As per reports, Trustico was holding the private keys which would mean that the certificates were compromised. It is believed that Trustico had automated the CSR (Certificate Signing Request) process, a step in the certificate issuance process, and was generating SSL certificates.

Capital One's data exposed
An unsecured AWS S3 bucket resulted in exposure of 50.4 GB of technical data about a Birst appliance that was set up to be used in Capital One’s IT environment. The exposed data included administrative access credentials, passwords, and private keys for use in Capital One systems.

Tim Hortons hit by malware
A malware hit Tim Hortons, forcing them to shutdown operations. The company has said that the malware hit fewer than 100 locations, attacking the Panasonic cash registers that the chain uses. The Great White North Franchisee Association (GWNFA) which represents Tim Hortons franchisees is threatening legal action against RBI for the loss of revenue.