Cyware Daily Threat Intelligence, March 20, 2019

Norsk Hydro, one of the world's largest aluminum manufacturing company, was hit by a massive ransomware attack. The attack involved the use of LockerGoga ransomware. As a result, the company was forced to shift some of its major operations in manual mode. Production at some of its factories has been halted due to the attack. Upon discovery, Norsk Hydro became alert and sent out a notification to its investors, explaining the extent and impact of the attack.

A software glitch enabled Sprint users to see personal information of other customers from their online accounts. The information visible included customers’names, phone numbers as well as calls made to other users. The firm has confirmed the issue and is working on fixing the bug. It is not clear as for how long the account information leak persisted.

A new variant of Cardinal RAT has been spotted targeting Israeli Financial Technology sector. The malware shares similarities with another malware family called EVILNUM. Once executed on a victim's machine, the malware can do a series of nefarious activities such as executing malicious commands, capturing screenshots, cleaning cookies from browsers and recording keystrokes.

Researchers have found an ongoing phishing campaign in which cybercriminals are creating fake websites using either a single or combined technique of Punycode-based spoofing attacks, typosquatting, or SubDomain spoofing attacks. For this, they are spoofing the websites of four Kingdom of Saudi Arabia government agencies and a Saudi-based financial institution. The campaign is dubbed as 'Bad Tidings' and has been found to active since November 21, 2016.

Two phishing campaigns have been found targeting Netflix and American Express (AMEX) customers in a bid to steal their credit card and social security information. While the Netflix phishing campaign uses a 'Your account is on hold' subject line to trick users, the phishing campaign designed to steal sensitive info from AMEX clients uses a generic message that reads,'Notice Concerning your CardMember Account'.

Security experts have discovered a new Monero mining campaign that is spreading wildly. The malware used in the attack consists of two variants of Trojans identified as "Trojan.Win32.Fsysna" and a variant of Monero cryptominer. The variant of Monero mining malware leverages legitimate IT admin tools, Windows system tools and older Windows flaws to spread across the entire network.

Mozilla has released security updates to fix a series of vulnerabilities found in Firefox 66 and Firefox ESR 60.6. The fixes address some of the critical vulnerabilities in Firefox 66 and Firefox ESR 60.6 such as CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9789 and CVE-2019-9788. Attackers can exploit some of these vulnerabilities to take control of an affected system.

A severe security flaw has been found in TCPDF, a popular PHP library that is used for creating PDF files. The security flaw can enable attackers to achieve remote code execution on websites and web apps that use the TCPDF library, thus allowing them to run malware and potentially take over the systems.

Vulnerable SSH client PuTTY has received a series of security patches following the discovery of vulnerabilities. All these patches are included in the PuTTY v0.71. The patches include fixes for memory overwrite vulnerability, buffer overflow vulnerability, multiple denial-of-service attacks that can be triggered by writing to the terminal.

Security updates have been released to fix issues in Openswman version 2.6.6 and prior. The updates include fixes for CVE-2019-3816, a bug in openwsmand deamon which could lead to arbitrary file disclosure; and CVE-2019-3833, a flaw in process_connection() which could allow an attacker to trigger an infinite loop which leads to DoS.

Business Email Compromise (BEC) scammers have recently shifted their focus to SMS messages to trick users into purchasing gift cards that contain code. The new BEC scam starts with users receiving a phishing email that requests them to share their phone numbers in order to complete a task. Once the phone number is shared, the scammer starts a direct communication over SMS and asks the victim to send pictures of scratched codes of gift cards. These codes can then be quickly converted into bitcoin using online marketplaces like Paxful. BEC mobile scammers use services like Google Voice to perform multiple attacks from the same phone number.