Cyware Daily Threat Intelligence, March 20, 2019

The global threat landscape is constantly and rapidly changing as bad actors find new and devastating ways of infiltrating networks and hijacking users’ computers. Lately, security researchers have discovered two new cyber espionage campaigns targeting enterprises. The discovered campaigns include a ‘Bad Tidings’ phishing campaign and a Monero mining campaign. While ‘Bad Tidings’, which has been active since November 2016, is being carried out by spoofing the websites of four Kingdom of Saudi Arabia government agencies, the Monero mining campaign is leveraging a trojan and a variant of a Monero cryptominer to infect organizations across the globe. Also, a new variant of Cardinal RAT was found targeting the financial technology sector in Israel. Once executed, the malware can perform a series of malicious activities such as capturing screenshots, cleaning cookies from browsers, executing malicious commands and recording keystrokes.

Amid all these cyber attacks, security vendors continue to release security patches for discovered vulnerabilities. Mozilla and the SSH client PuTTY released security updates to fix vulnerabilities in their products. While Mozilla’s security patches fixed critical issues in Firefox 60 & Firefox ESR 60.6, PuTTY v0.71 came with extra security updates that addressed memory overwrite and buffer overflow vulnerabilities. In another case, a patch for a critical bug in TCPDF, a popular PHP library that is used for creating PDF files, is yet to be issued. This critical security flaw can enable attackers to achieve remote code execution on websites and web apps that use the TCPDF library.

Top Breaches Reported in the Last 24 Hours

Norsk Hydro attacked
Norsk Hydro, one of the world's largest aluminum manufacturing companies, was hit by a massive ransomware attack. The attack involved the use of LockerGoga ransomware. As a result, the company was forced to shift some of its major operations to manual mode. Production at some of its factories has been halted due to the attack. Upon discovering the attack, Norsk Hydro sent out a notification to its investors, explaining the extent and impact of the attack.

Sprint exposes customers' data
A software glitch enabled Sprint users to see personal information of other customers from their online accounts. The information visible included customers' names, phone numbers as well as calls made to other users. The firm has confirmed the issue and is working on fixing the bug. It is not clear how long the account information leak persisted.

Top Malware Reported in the Last 24 Hours

A new variant of Cardinal RAT
A new variant of Cardinal RAT has been spotted targeting the Israeli financial technology sector. The malware shares similarities with another malware family called EVILNUM. Once executed on a victim's machine, the malware can perform a series of nefarious activities such as executing malicious commands, capturing screenshots, cleaning cookies from browsers and recording keystrokes.

'Bad Tidings' phishing campaign
Researchers have found an ongoing phishing campaign in which cybercriminals are creating fake websites using one or a combination of three techniques: Punycode-based spoofing attacks, typosquatting, and subdomain spoofing attacks. For this, they are spoofing the websites of four Kingdom of Saudi Arabia government agencies and a Saudi-based financial institution. The campaign is dubbed 'Bad Tidings' and has been active since November 21, 2016.
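The three spoofing techniques named above can be screened for on the defender's side, for example in proxy logs or newly observed domain feeds. The following Python script is an added example written for this briefing, not code from Cyware or from the researchers who reported the campaign. The protected domains (example-gov.sa, example-bank.sa) and every hostname it checks are constructed placeholders, not the real Saudi targets, and the eTLD+1 logic is deliberately naive (last two labels) to keep the example short.

```python
"""
Lookalike-hostname checks for the three spoofing techniques named in the
'Bad Tidings' write-up: Punycode/IDN homographs, typosquatting and subdomain
spoofing. Added example, not Cyware's or the researchers' code; the domain
names are constructed placeholders, not the real Saudi targets.
"""
import unicodedata

# Constructed list of domains a defender wants to protect (hypothetical names).
PROTECTED = ["example-gov.sa", "example-bank.sa"]

# Scripts that never appear in a Latin-only brand domain; a decoded IDN label
# that mixes one of these with Latin letters is treated as a homograph.
NON_LATIN_SCRIPTS = {"CYRILLIC", "GREEK", "ARMENIAN"}

# Constructed sample: 'example-gov.sa' with the second letter replaced by
# Cyrillic small a (U+0430), encoded to its xn-- (Punycode) form.
HOMOGRAPH = "ex\u0430mple-gov.sa".encode("idna").decode("ascii")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (enough for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_punycode(host: str) -> str:
    """Decode xn-- labels to Unicode; plain ASCII hostnames pass through."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(text: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def classify(host: str, protected=PROTECTED) -> list:
    """Return the sorted list of spoofing techniques a hostname appears to use."""
    findings = set()
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)

    # 1. Punycode / IDN homograph: an xn-- label whose decoded form mixes scripts.
    if any(label.startswith("xn--") for label in host.split(".")):
        if scripts_in(decode_punycode(host)) & NON_LATIN_SCRIPTS:
            findings.add("punycode_homograph")

    for legit in protected:
        if reg == legit:
            continue  # the genuine domain (or one of its real subdomains)
        # 2. Subdomain spoofing: the legitimate name sits as a subdomain of another domain.
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            findings.add("subdomain_spoof")
        # 3. Typosquatting: registrable domain within two edits of a protected one.
        elif 0 < edit_distance(reg, legit) <= 2:
            findings.add("typosquat")
    return sorted(findings)


if __name__ == "__main__":
    for sample in [HOMOGRAPH, "exampel-gov.sa",
                   "example-gov.sa.login-portal.example", "www.example-gov.sa"]:
        print(f"{sample:45} -> {classify(sample) or ['no finding']}")
```

The mixed-script test is the cheapest useful homograph check; a production filter would also compare the decoded label against a confusables table and use a real public-suffix list instead of the two-label shortcut.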

Netflix and AMEX customers targeted
Two phishing campaigns have been found targeting Netflix and American Express (AMEX) customers in a bid to steal their credit card and social security information. While the Netflix phishing campaign uses a 'Your account is on hold' subject line to trick users, the phishing campaign designed to steal sensitive information from AMEX clients uses a generic message that reads 'Notice Concerning your CardMember Account'.

New Monero mining campaign
Security experts have discovered a new Monero mining campaign that is spreading widely. The malware used in the attack consists of two components: a Trojan identified as "Trojan.Win32.Fsysna" and a variant of a Monero cryptominer. The Monero mining malware leverages legitimate IT admin tools, Windows system tools and older Windows flaws to spread across the entire network.

Top Vulnerabilities Reported in the Last 24 Hours

Security updates for Firefox
Mozilla has released security updates to fix a series of vulnerabilities found in Firefox 66 and Firefox ESR 60.6. The fixes address some of the critical vulnerabilities in Firefox 66 and Firefox ESR 60.6 such as CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9789 and CVE-2019-9788. Attackers can exploit some of these vulnerabilities to take control of an affected system.

A critical bug in TCPDF library
A severe security flaw has been found in TCPDF, a popular PHP library that is used for creating PDF files. The security flaw can enable attackers to achieve remote code execution on websites and web apps that use the TCPDF library, thus allowing them to run malware and potentially take over the systems.

PuTTY v0.71 patched
The SSH client PuTTY has received a series of security patches following the discovery of several vulnerabilities. All of these patches are included in PuTTY v0.71. They include fixes for a memory overwrite vulnerability, a buffer overflow vulnerability, and multiple denial-of-service conditions that can be triggered by writing to the terminal.

Openwsman bugs patched
Security updates have been released to fix issues in Openwsman version 2.6.6 and prior. The updates include fixes for CVE-2019-3816, a bug in the openwsmand daemon which could lead to arbitrary file disclosure; and CVE-2019-3833, a flaw in process_connection() which could allow an attacker to trigger an infinite loop, leading to a denial of service.

Top Scams Reported in the Last 24 Hours

BEC scammers shift to SMiShing
Business Email Compromise (BEC) scammers have recently shifted their focus to SMS messages to trick users into purchasing gift cards and handing over their codes. The new BEC scam starts with users receiving a phishing email that requests them to share their phone numbers in order to complete a task. Once the phone number is shared, the scammer starts direct communication over SMS and asks the victim to send pictures of the scratched-off gift card codes. These codes can then be quickly converted into bitcoin using online marketplaces like Paxful. BEC mobile scammers use services like Google Voice to perform multiple attacks from the same phone number.

Posted on: March 20, 2019