Go to listing page

Cyware Daily Threat Intelligence, March 18, 2020

Cyware Daily Threat Intelligence, March 18, 2020

Share Blog Post

Magecart-like attacks that are designed to steal personal and payment card details of customers from websites continue to be a major concern for retailers. Lately, the blender manufacturer, NutriBullet and the online guitar tutoring platform TrueFire have fallen victim to these types of attacks. While NutriBullet has been targeted by Magecart group 8 with a variety of skimmers, TrueFire suffered a breach after hackers gained unauthorized access to its multiple websites.

Two new malware that are capable of damaging victims’ files and systems were also reported in the last 24 hours. The first one is a CrazyCoin worm that spreads through the EternalBlue exploit kit and the second is Nefilim ransomware that most likely spreads via Remote Desktop Services. The CrazyCoin worm includes mining, hacking, and backdoor modules in its arsenal.

Top Breaches Reported in the Last 24 Hours

MCA Wizard leaks confidential documents
Around 425GB of highly sensitive legal and financial documents were leaked by an app known as MCA Wizard, developed by New York-based fintech firms Advantage Capital Funding and Argus Capital Funding. The incident had occurred due to a misconfigured AWS S3 bucket. The exposed data also included customers’ information like their credit reports, bank statements, driver’s licenses, Social Security information, tax returns, and purchase orders.

Doxzoo leaks customer data
The UK printing company Doxzoo had left its customer files exposed due to an unprotected Amazon S3 bucket. The exposed bucket, containing more than 250,000 customer-uploaded files, was later secured by the company upon discovery.

Magecart targets NutriBullet
Magecart group 8 targeted the website of the blender manufacturer, NutriBullet, in an attempt to steal payment-card data of customers. The skimmer code was first inserted into the website’s checkout page on February 20. Despite taking down the attackers’ exfiltration domain, researchers found that the website was infected with a new skimmer on March 5 and later again on March 10.

TrueFire website hacked
The popular online guitar tutoring website TrueFire has also suffered a Magecart-like attack. The incident may have exposed customers’ personal information and payment card data. The incident has affected Guitar.com and Jazzguitar.be websites.

Top Malware Reported in the Last 24 Hours

CrazyCoin worm
CrazyCoin is a newly discovered worm that spreads through the Eternal Blue exploit kit. The worm integrates mining, hacking, and backdoor features. Once launched, the worm downloads mining and information-stealing modules. It later plants the Double Pulsar backdoor program to launch further malicious activities.

New TrickBot variant
Researchers have discovered a new version of TrickBot trojan that includes an RDP bruteforcing (rdpScanDll) module. The variant was first found on January 30, 2020, targeting telecommunication services in the U.S and Hong Kong. This version of the trojan communicates with attackers through a C2 server located in Russia.

New Ursnif campaign
A new Ursnif campaign that is targeting people in Italy has been detected recently. The attack makes use of an Italian compromised website that acts as a DropUrl. The malware is dropped via a malicious mail containing a password-protected document.

New Nefilim ransomware
A new ransomware called Nefilim that borrows its code from Nemty 2.5 ransomware has been found in the wild. The ransomware is most likely distributed through exposed remote Desktop Services. It uses the AES-128 algorithm to encrypt files.

Top Vulnerabilities Reported in the Last 24 Hours

Trend Micro patches two zero-day flaws
Trend Micro has patched two zero-day vulnerabilities that are exploited in the wild by hackers. The two flaws tracked as CVE-2020-8467 and CVE-2020-8468, impact the company’s Apex One and OfficeScan XG enterprise security products.

Adobe releases updates
Adobe has released security updates for 13 vulnerabilities affecting Acrobat and Reader. The vulnerabilities range from information disclosure to arbitrary code execution. Four of these vulnerabilities are rated as ‘Important’.

Vulnerable password managers
Security experts claim that some commercial passwords managers are liable to cyberattacks by fake apps. This is because these password managers use weak criteria to identify an app and which username and password to suggest for autofill. These flaws can allow malicious hackers to extract credentials, compromise commercial information, or violate employee information.


password managers
truefire website
mca wizard
trickbot trojan

Posted on: March 18, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.