Cyware Daily Threat Intelligence, March 05, 2020


The IDN homograph attack has resurfaced in a new form. Security researchers have found that a previously unreported flaw in Verisign's registration checks, and in several SaaS services, allowed attackers to register ‘dot com’ and ‘dot net’ domain names built from Unicode characters that look identical to the Latin letters of a legitimate brand. The purpose of such look-alike domains is phishing: a victim reading the address bar sees the brand they trust.

On the related theme of domain abuse, researchers found that more than 600 Microsoft subdomains are open to subdomain takeover. A hijacked subdomain inherits the trust of its parent domain, so it can be used to host phishing pages, deliver malware, and run scams aimed at stealing credentials and other sensitive details from users.

In the past 24 hours Cisco also released security patches for more than a dozen vulnerabilities across its products, including the Intelligent Proximity application, Jabber, Webex Meetings, Webex Teams, and Meeting App.

Top Breaches Reported in the Last 24 Hours

Boots suspends payments
Boots has suspended payments made with Advantage Card loyalty points following a credential-stuffing attack, in which attackers tried username and password pairs leaked from other breaches against Boots accounts. The firm says none of its own systems were compromised and that all credit card information is safe. Boots is currently working on strengthening the security of its loyalty-point payment service.

J.Crew discloses a breach
J.Crew is notifying a group of customers of a data breach that may have exposed their login credentials and payment card details. As a precaution, J.Crew has asked the affected customers to reset their passwords.

Coastal Bend College attacked
A cybersecurity incident at Coastal Bend College has disrupted the school’s Facebook page, phone lines, websites, and other systems. Following the incident, the college has hired a leading cybersecurity firm to understand the extent of the attack.

EMCOR Group targeted
EMCOR Group was hit by Ryuk ransomware on February 15. The attack affected its IT systems, and the company is working on restoring services.

Top Malware Reported in the Last 24 Hours

Malicious Ledger Live
A malicious Chrome extension posing as Ledger Live, which steals the recovery seeds of Ledger hardware wallets, was discovered recently. At the time of reporting the extension was still available on the official Chrome Web Store with more than 120 installs, and it was being heavily promoted via Google search ads.

Mailto ransomware
The recently discovered Mailto (NetWalker) ransomware has broadened its targeting and is now going after enterprise networks. To evade detection, the operators run the payload inside the Windows Explorer process (explorer.exe) rather than as a stand-alone binary. Once launched, the malware gains persistence on the compromised device by adding a registry Run entry. It then deletes the system's Volume Shadow Copies so that victims cannot restore their files after encryption.
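The three behaviours above (execution inside explorer.exe, a Run-key entry, shadow copy deletion) are all visible in endpoint telemetry. The script below is an added example, not code from the digest or from the ransomware, that triages Sysmon-style events for those behaviours and correlates them per host, so that the low-fidelity Run-key signal (installers write Run keys too) only raises a host when it co-occurs with stronger signals. Field names follow Sysmon event IDs 1 (process create), 8 (CreateRemoteThread) and 13 (registry value set); the hostnames, paths, value names and weights are constructed for the example.

```python
"""Triage Sysmon-style events for the NetWalker/Mailto behaviours in the digest.

Added example; not from the Cyware digest or the ransomware's own code.
All events below are constructed; hostnames, paths and value names are invented.
"""
import re

# Shadow copy deletion command lines (vssadmin, wmic, wbadmin variants)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"     # vssadmin delete shadows /all /quiet
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"       # wmic shadowcopy delete
    r"|wbadmin(\.exe)?\s+delete\s+catalog)",     # wbadmin delete catalog
    re.IGNORECASE,
)
# Autorun key written under HKLM or HKU (a single backslash in the data)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed weights: shadow deletion alone is enough, a Run key alone is not
RULES = {
    "shadow_copy_deletion": 5,
    "explorer_remote_thread": 3,
    "run_key_persistence": 1,
}

def match_event(ev):
    """Return the name of the rule an event matches, or None."""
    eid = ev.get("EventID")
    if eid == 1 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
        return "shadow_copy_deletion"
    if eid == 8 and ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
        return "explorer_remote_thread"
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        return "run_key_persistence"
    return None

def triage(events, threshold=5):
    """Return (hits, flagged_hosts): every matched event, plus hosts whose
    summed rule weight reaches the threshold."""
    hits, score = [], {}
    for ev in events:
        rule = match_event(ev)
        if rule is None:
            continue
        host = ev["Computer"]
        hits.append({"host": host, "rule": rule,
                     "image": ev.get("Image") or ev.get("SourceImage")})
        score[host] = score.get(host, 0) + RULES[rule]
    flagged = sorted(h for h, s in score.items() if s >= threshold)
    return hits, flagged

# Constructed sample telemetry (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc",
     "Details": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"EventID": 8, "Computer": "WS01", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Teams",
     "Details": r"C:\Program Files\Teams\Teams.exe"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic.exe os get caption", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def demo():
    return triage(SAMPLE_EVENTS)

if __name__ == "__main__":
    hits, flagged = demo()
    for h in hits:
        print(h)
    print("hosts over threshold:", flagged)
```

With the sample data, WS01 accumulates all three signals and is flagged, while WS02's Run-key write by an installer stays a single low-weight hit. In a real deployment the CreateRemoteThread rule should be tuned with an allow-list of images that legitimately inject into explorer.exe (shell extensions, some accessibility tools), and the weights adjusted to the environment's baseline.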

Bisonal RAT evolves
Researchers have spotted a new version of the Bisonal trojan in a cyberespionage campaign targeting Russian-speaking countries. The attack chain usually starts with a spear-phishing email carrying a malicious document.

IDN homograph attack   
A flaw, treated by the researchers as a zero-day, in Verisign's domain registration checks and in several SaaS services allowed attackers to register .com and .net homograph domain names, i.e. names whose Unicode characters look identical to the Latin letters of a legitimate brand. The attackers' intention is to use these look-alike domains for phishing attacks against the impersonated organizations. Impacted SaaS services include Google, Amazon, and DigitalOcean.
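To make the homograph problem from the introduction and this item concrete, the following added example (not code from the digest or from the researchers it cites) decodes a candidate domain from its Punycode form, checks whether any label mixes Unicode scripts, and compares a confusable "skeleton" of the name against a list of protected domains. The skeleton step matters because look-alikes drawn from a single script, such as an all-Cyrillic label or a Latin IPA Extensions letter like U+0261 (ɡ), pass a mixed-script rule untouched. The confusables map is a small hand-picked subset of the Unicode TR39 confusables table, constructed for this example; the protected domains and test names are likewise assumptions.

```python
"""Spot IDN homograph look-alikes of protected domains.

Added example; not code from the Cyware digest or from the research it summarises.
CONFUSABLES is a constructed subset of Unicode TR39 confusables, not the full table.
"""
import unicodedata

# Non-ASCII letters that render like ASCII letters (constructed subset of TR39)
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA (IPA Extensions: same script as ASCII)
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G (IPA Extensions)
    "\u026a": "i",  # LATIN LETTER SMALL CAPITAL I
}

def to_unicode(domain):
    """Decode xn-- labels with the raw Punycode codec. No IDNA mapping is applied,
    so names a registry should have rejected are still decoded; other labels pass through."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)

def to_punycode(domain):
    """Inverse of to_unicode: ASCII labels unchanged, others get the xn-- ACE form."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def scripts_of(label):
    """Unicode scripts present in a label, read from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(text):
    """Replace each known confusable with its ASCII look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def analyze(domain, protected):
    """Report whether `domain` is a homograph of any name in the `protected` set."""
    decoded = to_unicode(domain)
    mixed = [lbl for lbl in decoded.split(".") if len(scripts_of(lbl)) > 1]
    skel = skeleton(decoded)
    return {
        "decoded": decoded,
        "mixed_script_labels": mixed,   # what a mixed-script rule alone would catch
        "skeleton": skel,
        "impersonates": skel if skel in protected and decoded != skel else None,
    }

if __name__ == "__main__":
    # Constructed test names: Cyrillic-a apple, all-Cyrillic apple, script-g google
    for d in ("xn--pple-43d.com", "xn--80ak6aa92e.com", "\u0261oogle.com", "apple.com"):
        print(d, analyze(d, {"apple.com", "google.com"}))
```

Of the three look-alikes, only the Cyrillic-a variant trips the mixed-script check; the all-Cyrillic and the Latin IPA variants are caught solely by the skeleton comparison, which is why registries and brand-monitoring tools need the confusables table and not just a script-mixing policy. For production use, replace CONFUSABLES with the full TR39 data and apply proper IDNA (UTS46) processing before the skeleton step.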
  
Top Vulnerabilities Reported in the Last 24 Hours

Netgear patches bugs
Netgear has patched several vulnerabilities affecting its Nighthawk routers. They include two ‘High’ severity vulnerabilities, tracked as PSV-2019-0076 and PSV-2018-0352, both of which affect the Nighthawk X4S Smart Wi-Fi Router (R7800).

Vulnerable subdomains
Researchers have warned that more than 600 legitimate Microsoft subdomains can be hijacked through subdomain takeover and abused for phishing, malware delivery, and scams. The impacted subdomains include identityhelp[.]microsoft.com, mybrowser[.]microsoft.com, webeditor[.]visualstudio.com, data[.]teams.microsoft.com and sxt[.]cdn.skype.com.
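The usual root cause of a takeover like this is a dangling DNS record: a CNAME still points at a cloud-provider hostname whose resource has been deleted, and the provider lets anyone register that hostname again. The following added example (not the researchers' tooling) scans a zone export for that condition. The record set, lookup results and list of claimable provider suffixes are constructed for the example; the suffix list is a hand-picked subset of Azure hostnames and not a complete takeover fingerprint database.

```python
"""Flag dangling CNAMEs that a third party could claim (subdomain takeover).

Added example; not code from the research summarised in the digest.
SAMPLE_RECORDS and SAMPLE_LOOKUPS are constructed, and CLAIMABLE_SUFFIXES is a
hand-picked subset of provider hostnames, not a complete list.
"""
import socket

# Provider name spaces where an unclaimed hostname can be registered by anyone (constructed subset)
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".azureedge.net",
)

def resolves(hostname):
    """Live resolver for real runs: False on NXDOMAIN or any lookup failure."""
    try:
        socket.gethostbyname(hostname)
        return True
    except OSError:
        return False

def find_dangling(records, resolver=resolves):
    """records: iterable of (owner, rtype, target) tuples, e.g. parsed from a zone export.
    Returns [(owner, target)] for CNAMEs that point at a claimable provider name
    which no longer resolves. A non-resolving target is the takeover pre-condition;
    confirming that the name is actually free to register is a manual follow-up."""
    dangling = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        t = target.rstrip(".").lower()
        if not t.endswith(CLAIMABLE_SUFFIXES):
            continue                      # target is not on a claimable provider
        if not resolver(t):
            dangling.append((owner.rstrip(".").lower(), t))
    return dangling

# Constructed zone excerpt; names are invented, not the subdomains named in the report
SAMPLE_RECORDS = [
    ("portal.example.com.", "CNAME", "portal-prod.azurewebsites.net."),
    ("legacy.example.com.", "CNAME", "old-campaign-site.azurewebsites.net."),
    ("cdn.example.com.", "CNAME", "assets.azureedge.net."),
    ("www.example.com.", "A", "203.0.113.10"),
    ("mail.example.com.", "CNAME", "mail-example-com.mail.protection.outlook.com."),
]

# Constructed lookup outcomes standing in for DNS: True = resolves, False = NXDOMAIN
SAMPLE_LOOKUPS = {
    "portal-prod.azurewebsites.net": True,
    "old-campaign-site.azurewebsites.net": False,
    "assets.azureedge.net": False,
}

def demo():
    """Run the scan offline against the constructed data."""
    return find_dangling(SAMPLE_RECORDS, resolver=lambda h: SAMPLE_LOOKUPS.get(h, True))

if __name__ == "__main__":
    for owner, target in demo():
        print(f"{owner} -> {target}: dangling, check whether the name can be claimed")
```

Pass the default `resolves` (or a resolver library of your choice) instead of the lambda to run it against live DNS. Note that some providers answer with a fingerprint page rather than NXDOMAIN for unclaimed names, so a complete scanner also checks HTTP responses; the fix on the defender's side is the same in every case: delete or repoint the CNAME before decommissioning the resource behind it.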

Cisco issues patches
Cisco has released patches for more than a dozen vulnerabilities across its products. Two of them, tracked as CVE-2020-3127 and CVE-2020-3128, affect Webex Player and can be exploited remotely by persuading a user to open a crafted recording file. The other impacted products are the Intelligent Proximity application, Jabber, Webex Meetings, Webex Teams, and Meeting App.

Tags

netgear
mailto ransomware
cisco webex player
zero day vulnerability
malicious ledger live
bisonal rat

Posted on: March 05, 2020
