Cyware Daily Threat Intelligence, March 16, 2020

Share Blog post

As the deadly COVID-19 blows up into a worldwide pandemic, threat actors have begun weaponizing the disease to spread malware and conduct scams. Talking about malware, experts have discovered a new backdoor malware called BlackWater that pretends to provide COVID-19 information. The main purpose of the malware is to abuse Cloudflare Workers so that it can be used as an interface to the malware’s C2 server.

A COVID-19-themed BEC scam that dupes customers into making fraudulent transactions has also been reported by researchers. The scam is carried out by a cybercrime group tracked as Ancient Tortoise. The scammers are actively using financial aging reports to inform victims to make payments to changed bank accounts on the pretense of COVID-19 threat.

Amidst all these threats, the UK’s National Cyber Security Center (NCSC) has made an effort to clamp down the phishing websites that are linked to COVID-19 scams. The initiative has been taken to protect users from losing money and sensitive data across Europe.

Top Breaches Reported in the Last 24 Hours

Aerial Direct data breach
Aerial Direct had suffered a data breach after an unauthorized third party accessed customer data on February 26. The incident had exposed personal information on both current and expired subscribers from the last six years. The accessed personal data included customers’ names, dates of birth, business addresses, email addresses, phone numbers, and product information.

Blisk browser data leak
The Chromium-based Blisk browser for web developers had exposed records of 2.9 million users due to a misconfigured Elasticsearch database. The database included 3.4 GB of records that contained email addresses, IP addresses, and user-agent details. The database was discovered in February 2019 and was available online until September.

University Hospital Brno attacked
The Brno University Hospital in the Czech Republic has been shut down on Friday due to a cyberattack. The university is one of the testing centers for COVID-19 infection in Europe. Due to the attack, the results for the COVID-19 tests have been delayed.

Top Malware Reported in the Last 24 Hours

BlackWater backdoor
Experts have found a new backdoor malware called BlackWater that pretends to provide information about the COVID-19 outbreak. The main purpose of the backdoor is to abuse Cloudflare Workers as an interface to communicate with the attackers’ C2 servers.

MonitorMinor stalkerware
MonitorMinor is a new specimen of stalkerware that can track Gmail, WhatsApp, Instagram, and Facebook user activity. Apart from these apps, the stalkerware can also record activities from Skype, Viber, Hangouts, JustTalk, and Hike News & Content. MonitorMinor’s functionality is not just limited to intercepting data from social networks apps and messengers, it also extracts the file from the device which contains the hash sum for the screen unlock pattern or the password.

Top Vulnerabilities Reported in the Last 24 Hours

Slack fixes a critical bug
Slack has fixed a critical HTTP request smuggling vulnerability that could be used to force users into open redirects, leading to a CL-TE-based hijack and the theft of user session cookies. These stolen cookies can then be used to compromise arbitrary Slack customer accounts and sessions. The vulnerability has been rated 9.3 on the CVSS scale. In addition to this, Slack has also addressed another bug that would have allowed attackers to steal a user’s authentication token.

Top Scams Reported in the Last 24 Hours

BEC scam
A scammer group tracked as Ancient Tortoise is heavily leveraging the global COVID-19 outbreak to convince potential victims to send payment to attacker-controlled accounts. The scam is carried out via emails that instruct the recipients to make pending payments on the basis of aging reports to updated account details due to the COVID-19 threat. The aging reports are sets of outstanding invoices used by a company’s financial department to track customers who haven’t paid goods or services bought on credit.

NCSC takes down phishing websites
The UK’s National Cyber Security Center (NCSC) has stepped in to remove malicious and phishing websites linked to COVID-19 scams. The initiative has been taken to prevent users from falling victim to phishing attacks. The authorities have urged businesses and consumers to consult their advice on email scams and dealing with malware to better insulate them from the threat of ransomware, credential theft, and fraud.


 Tags

cloudflare workers
brno university hospital
national cyber security center ncsc
monitorminor stalkerware
covid 19 themed bec scam
blackwater

Posted on: March 16, 2020



More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.