Cyware Daily Threat Intelligence, March 18, 2019

Gnosticplayers, the hacker, has put up the 4th set of massive data for sale on the dark web forum. The data, totaling around 26.42 million user records, belongs to 6 companies namely GameSalad, Estante Virtual, Coubic and LifeBear, Bukalapak, and YouthManual. The data is being sold at a price of $4.940 or 1.2431 bitcoin.

A database hosted on ElasticSearch server was found exposing 257,287 legal documents on the internet. Some of these documents were marked as 'not designated for publication'. The database was left online for roughly two weeks and contained unpublished legal documents relating to US court cases, exchanged between 2002 and 2010.

An unsecured database that contained private data of 808,201 Singaporean blood donors since 1986, was found publicly accessible on the internet. The leakage occurred for nearly 2 months until the database was patched. The exposed database contained information like donor’s name, NRIC number, gender, number of blood donations, and the dates of their last 3 blood donations.

Gearbest, a Chinese online shopping giant, has exposed millions of user profiles and shopping orders due to an unprotected ElasticSearch server. The server was not properly protected with a password. This enabled anyone to access customers' sensitive details like their names, phone numbers, email addresses and orders. The database also had payment and invoice information, with the amount spent and semi-masked names and addresses.

Security researchers have discovered a new malspam campaign that is trying to utilize the tragic Boeing 737 Max crash incidents as a way to spread malware. The emails pretend to be leaked documents about the crashes and urge the victims to share them with other close friends. In order to make it less suspect, the email goes with the subject line 'Fwd: Airlines plane crash Boeing 737 Max 8'.

Chinese government officials are being warned about a phishing campaign that delivers the infamous GandCrab v5.2 ransomware. North Korean hackers are believed to be behind the campaign. The malware is distributed via a .rar file. Once installed, the ransomware redirects the victims to download a Tor browser to further the attack process.

Researchers claim that hackers are using IMAP-based password spraying attack to crack Microsoft Office 365 and G Suite accounts that are protected with multi-factor authentication. This enables the malicious actors to steal sensitive data from the compromised accounts. Password-spraying attacks allow hackers to brute force the accounts without triggering an alert to the IT team.

Fujitsu LX wireless keyboards have been found susceptible to keystroke injection flaw. The flaw can allow a threat actor to beam wireless radio signals to the keyboard's receiver (USB dongle) and inject malicious keyboard presses on a user's computer. The flaw impacts the wireless desktop set Fujitsu LX901.

Microsoft has decided to fix a series of bugs called a 'novel bug class' in Windows 10 19H1. These bugs were discovered by a Google security engineer. This includes a total of 11 potential initiators and 16 potential receivers that could be abused for attacks.

Proof-of-Concept for CVE-2019-0808 has been made public by the researchers from Qihoo 360. The vulnerability affects the Win32k component in Windows and allows an attacker to elevate his privileges and execute arbitrary code in kernel mode. If combined with the Chrome vulnerability, It can also be used to escape sandboxes.