Cyware Daily Threat Intelligence, March 06, 2020


Leaving vulnerable software or hardware unpatched or unattended can invite unwanted problems. Two cases illustrating this issue have come to notice in the last 24 hours. The first is a vulnerability found in Intel chipsets released in the last five years. The flaw resides in Intel's subsystems and can be exploited to escalate privileges, disclose information, or cause DoS attacks.

The second case is a 17-year-old remote code execution vulnerability that affects the PPP daemon software, which is part of almost all Linux-based operating systems. The US-CERT has issued a security advisory urging users to patch the vulnerability immediately to prevent attackers from executing arbitrary code on affected systems.

A malspam campaign distributing the infamous TrickBot trojan has also been uncovered in the last 24 hours. The attackers are leveraging the deadly COVID-19 threat to infect users in Italy.

Top Breaches Reported in the Last 24 Hours

Misconfigured S3 bucket
A misconfigured S3 bucket belonging to Orsegups Participações has leaked more than 25 GB of files, including invoices and tax collection documents. The leaked files also include hundreds of thousands of payment slips and social security documents of Orsegups' own employees.

Over 200 million records exposed
More than 200 million records belonging to US citizens have been exposed through an unprotected database. The owner of the database is unknown; however, it was found to be hosted on Google Cloud. The exposed data included a mix of personal and demographic details of residents.

T-Mobile attacked again
Wireless carrier T-Mobile has suffered another security breach, this time exposing the personal information of some of its customers as well as employees. The incident occurred after attackers targeted its email vendor. The exposed customer data includes names and addresses, phone numbers, account numbers, rate plans and features, and billing information.

Virgin Media breach
A database belonging to Virgin Media exposed the personal information of about 900,000 customers. The breached data was available online from April 2019 until the database was secured on February 28, 2020.

Evraz suffers an attack
Evraz's IT systems in North America were shut down following a cyberattack. While the firm is still working on restoring the affected infrastructure, it has confirmed that no confidential data was compromised in the attack.
 
Top Malware Reported in the Last 24 Hours

Mokes and Buerak malware
New research has revealed that threat actors are using fake security certificates to distribute the Mokes backdoor and the Buerak trojan. The earliest infection incidents date back to January 2020 and are carried out through compromised websites.

TrickBot trojan
A new spam campaign is underway that uses the deadly COVID-19 threat to distribute the TrickBot trojan. The campaign targets people in Italy. The malware is propagated via emails that pretend to be from a doctor at the WHO. The subject line of these emails is "Coronavirus: Informazioni importanti su precauzioni".

MalBus attack
Four popular Korean-language apps related to bus timetables and stop locations were used to conduct the MalBus attack, which compromised military and political data. These applications were available on the Google Play Store for the last five years before they were removed.
  
Top Vulnerabilities Reported in the Last 24 Hours

Vulnerability in Intel chipsets
Most Intel chipsets released in the past five years are affected by a vulnerability that can be exploited to obtain encryption data. The vulnerability, tracked as CVE-2019-0090, exists in the Converged Security and Management Engine (CSME) boot ROM of most chipsets and systems on chips (SoCs). Intel released an updated advisory last month to mitigate the issue.

Cloning car keys
Several car models from Toyota, Hyundai, and Kia are vulnerable to encryption flaws that can be abused to clone car keys. The vulnerabilities could also allow malicious actors to steal luxury cars and SUVs. Some of the affected models are the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai i10, i20, and i40.

Vulnerable PPP daemon software
The US-CERT is warning users of a dangerous 17-year-old remote code execution vulnerability that affects the PPP daemon (pppd) software. The vulnerability is tracked as CVE-2020-8597 and scores 9.8 on the CVSS scale. It can be exploited by unauthenticated attackers to remotely execute arbitrary code on affected systems and take full control over them. Users with affected operating systems and devices are advised to apply security patches as soon as possible.

Top Scams Reported in the Last 24 Hours

New texting scam
Law enforcement agencies have issued a warning about a new text message scam that appears to come from the Social Security Administration (SSA). The message warns recipients about a problem with their Social Security number and asks them to call a number to get the issue resolved. Users should be wary of such messages that pretend to be from the SSA and should verify them directly with the relevant authorities. Users should also remember that the SSA will never send a text asking for a return call to an unknown number.

Tags

malbus attack
ppp daemon software
evraz
virgin media
mokes backdoor
trickbot trojan
intel chipsets

Posted on: March 06, 2020
