Go to listing page

Cyware Daily Threat Intelligence, March 12, 2019

Cyware Daily Threat Intelligence, March 12, 2019

Share Blog Post

Top Breaches Reported in the Last 24 Hours

Unprotected database exposes data
An unprotected database in China has exposed private data of almost 1.8 million Chinese women. The information exposed in the data leak includes names, ID numbers martial status, political details and education details of women. Researchers found the database was left publicly available without any password protection. The leaky database also contained URLs to photos, BreedyReady status and a ‘HasVideo’ field. The ‘HasVideo’ status implies that women are monitored. It is not clear whether the database is related to a dating app, a government registry, or another organization or company.

Winnti hacker group target Asian companies
Winnti threat actor group has breached three Asian gaming companies to install a backdoor trojan. According to researchers, the threat actor group used the ‘normal game updates’ trick to push the backdoored version on to the victims’ computers. Upon discovery, two of these affected companies immediately blocked the C2 servers. However, the third company - the Thai Electronics Extreme - continues to push the fake updates.
Top Malware Reported in the Last 24 Hours

WordPress sites are under attack
Hackers are exploiting a cross-site scripting vulnerability in abandoned cart plugin to target WordPress-based shopping sites. They are exploiting the ‘Abandoned Cart Lite for WooCommerce’ plugin to install backdoor malware and infect other vulnerable sites. The exploit code is distributed via URL shortening services like ‘bit.ly’.

Emotet trojan evolves
Malware authors have enhanced the capabilities of the infamous Emotet trojan. The banking trojan which has been active since 2014, has now evolved into a polymorphic malware that can deliver a custom variant for every victim. This enables the malware to entirely bypass signature-based security solutions. The evolved malware uses a couple of tricks to gain persistence on victims’ computers. In the first method, the malware leverages two unique and large sets botnets - Epoch1 and Epoch2 - to further the attack process. However, in the second method, a phishing email is used to facilitate the spread of Emotet to other computers.

New phishing campaign
Researchers have come across a new and creative phishing campaign that tricks even the most vigilant users into giving away their login credentials to attackers. For this, the cybercriminals are creating a malicious web page that mimics the look and feel of a normal browser window such as iOS Safari. To further the attack process, they created a fake Airbnb page that prompted users to authenticate using Facebook login. 

Yatron ransomware
Security researchers have discovered a new ransomware called Yatron. It is widely promoted on Twitter. The ransomware spread using the EternalBlue and DoublePulsar NSA exploits. It attempts to delete encrypted files if a payment is not made within 72 hours.

A new variant of Ursnif
Researchers have unearthed a new variant of Ursnif trojan which applies different, stealthier infection tactics for propagation. Researchers refer to this technique as ‘last minute persistence’ - a method of installing malicious payloads without being detected by antivirus software. Phishing emails are used to spread the malware variant. 

Top Vulnerabilities Reported in the Last 24 Hours

Bug in StackStorm patched
A critical bug in the open source event-drive platform StackStorm has been patched recently. The flaw, tracked as CVE-2019-9580, existed in the way the StackStorm REST API improperly handled CORS (cross-origin resource sharing) headers. It affected StackStorm Web UI before 2.9.3 and 2.10.3 and could allow remote attackers to trick developers into executing arbitrary commands.

Google releases a pack of security updates
Google has released a series of security patches as a part of its March Updates. The security updates include fixes for a total of 45 bugs, out of which 11 have been rated as critical. Security patches for three critical remote code-execution vulnerabilities that impacted Android 7.0 and after are also released in the Google’s March update.

Cisco patches command injection bug
Cisco has released a security update to fix a command injection bug in the NX-API feature of Cisco NX-OS Software. The bug could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem.

Top Scams Reported in the Last 24 Hours

‘Final warning’ sextortion scam
A new sextortion email campaign that infects the recipients’ computers while they are visiting an adult website has been detected recently. Here, the scammers send sextortion email warning users that their computers have been infected with a virus that is capable of recording videos while the user is on an adult site. They, then threaten the victims that they will share the videos on Facebook if a ransom in bitcoin is not paid. The scammers demand $2,000 per person in the scam.   


cross site scripting vulnerability
unprotected databases
wordpress sites
ursnif trojan
emotet trojan
yatron ransomware

Posted on: March 12, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.