Go to listing page

Cyware Daily Threat Intelligence, March 19, 2019

Cyware Daily Threat Intelligence, March 19, 2019

Share Blog Post

Cybercriminals are spoiled for choice when it comes to malware attacks. Lately, they have been found using two advanced and sophisticated malware to target enterprises. The malware in the question are JNEC.a ransomware and NETWIRE backdoor trojan. While the JNEC.a ransomware spreads by exploiting the recently discovered WinRAR ACE vulnerability, NETWIRE trojan leverages a new ‘Process Hollowing’ technique for propagation. Apart from these two malware, a new variant of the infamous Mirai botnet was also discovered by security researchers in the past 24 hours. The new variant contains a total of 27 exploits and has been designed primarily to target smart signage TVs and wireless presentation systems. 

In breaches, the Health Safety Environment (HSE) website was found leaking sensitive medical records of patients due to a misconfigured ‘ShareThis’ feature. This allowed the advertising industry trackers to collect various crucial medical data such as mental health, unplanned pregnancy & abortion services and medical cards of patients. Also, a ransomware attack at the Orange County resulted in the shutdown of various important services. The attack occurred on March 18, 2019. The County is working on restoring the affected services and systems. Security researchers also discovered a data leak related to Elsevier, the paper publisher giant. The firm was found exposing users’ login credentials due to a misconfigured server. This has impacted people from universities and educational institutions from across the world. The passwords appeared to be stored in plain text format.

Top Breaches Reported in the Last 24 Hours

Ransomware attack
The entire Orange County network was out of service on March 18, 2019, due to a ransomware attack. A variety of services were impacted by the attack. The County's Planning Department was unable to process fees or permits, while the libraries' public computers were shut down.

Elsevier exposes users' credentials
Elsevier, the paper publisher giant, exposed its users' login credentials following a misconfiguration in a server. The number of users affected in the incident is unknown. However, researchers believe that the server contained the credentials of those users that had .edu (education institute) accounts. The passwords appeared to be stored in plain text format.

Israeli officials' devices hacked
According to multiple reports, hackers have stolen information from former Israeli Prime Minister Ehud Barak's computers and phone and sold it to Iran. Apart from this, hackers also hacked the cell phones of other top leaders such as Benny Gantz, the former Chief General Staff of the Israel Defense Forces.

HSE website leaks sensitive medical data
Researchers found that almost all pages on the Health Safety Environment (HSE) website were being monitored by the advertising industry trackers due to a 'ShareThis' feature on the website. These trackers were able to collect sensitive medical data of patients that includes mental health, child health, unplanned pregnancy & abortion services and medical cards. Upon discovery, HSE has started removing the feature to prevent future tracking of data.

Top Malware Reported in the Last 24 Hours

A new variant of Mirai botnet
Researchers have discovered a new variant of Mirai botnet that targets two new class of IoT devices - smart signage TVs and wireless presentation systems. The new variant uses 27 exploits, 11 of which are new to Mirai altogether. The purpose and modus operandi of this variant are the same as the previous botnets.

JNEC.a ransomware
Security researchers have discovered new ransomware named JNEC.a that spreads via recently discovered code execution ACE vulnerability in WinRAR. Once installed, the ransomware encrypts the files on the affected computer and appends them with .Jnec extension.

NETWIRE backdoor trojan
Security researchers have uncovered a new phishing campaign that involves the use of process hollowing attack technique. The attack method is leveraged to distribute the NETWIRE backdoor trojan onto the victims' machines. Once installed, the trojan can perform a series of nefarious activities such as recording keystrokes, capturing screenshots, stealing system details and creating fake HTTP proxy.
Top Vulnerabilities Reported in the Last 24 Hours

Intel releases security advisories
Intel has released several security updates and advisories to address vulnerabilities in multiple products. The vulnerabilities detected are CVE-2019-0135, CVE-2019-0129, CVE-2019-0122 and CVE-2019-0121. All these vulnerabilities can grant the attackers to gain elevated privileges and disclose systems' information.

IBM issues security patches
A total of five vulnerabilities have been discovered in IBM's Watson analytics system. The bugs are present in installations of Watson Explorer and IBM Watson Content Analytics. One of the most serious bugs is CVE-2018-2633. It can allow attackers to remotely take control of the systems. Each of the flaws can be patched up by getting the latest version of the Java Runtime.

VMware's security advisories
VMware has issued security advisories for the flaws discovered in VMware Workstation Pro/Player and VMware Horizon. While the VMware Workstation Pro/Player is affected by CVE-2019-5511 and CVE-2019-5512 flaws, VMware Horizon is impacted by CVE-2019-5513 flaw. Users are advised to update these products with the latest released versions.

Top Scams Reported in the Last 24 Hours

Sextortion email scam
Security researchers have discovered a new sextortion email scam that aims at stealing money from users. Here, the scammers pretend to be from the Central Intelligence Agency (CIA) and threaten users of being involved in the distribution and storage of child pornography. They, then demand $10,000 in bitcoin from each user to avoid being arrested. The scam is carried out via phishing emails. In order to make it less susceptible, these emails are sent with a subject line of "Central Intelligence Agency - Case #numbers". The numbers are different for each email.


jneca ransomware
netwire backdoor trojan
elevated privileges
sextortion email scam
mirai botnet
ransomware attack

Posted on: March 19, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.