Cyware Daily Threat Intelligence, March 20, 2020


Password managers can be the bane of one’s life if they fail to keep one’s passwords safe. In an extensive research study conducted by the University of York, it has been discovered that several popular password managers like LastPass, Dashlane, Keeper, 1Password, and RoboForm are affected by four new vulnerabilities. These flaws can result in phishing and brute force attacks.

Two malware called RedLine and HawkEye were observed in two email phishing campaigns that leveraged the ongoing COVID-19 scare. While RedLine is distributed through emails that promote a fake Folding@home app, the HawkEye info-stealer leverages the identity of the WHO to send a malicious “Coronavirus Disease (Covid-19) CURE.exe” attachment.

Top Breaches Reported in the Last 24 Hours

Healthcare clinic attacked
The infamous Maze ransomware has struck the Affordacare Urgent Care Clinic, crippling their systems and digital equipment. The operators have threatened to leak the caregiving unit’s patients’ data if the ransom is not paid.

Rogers data breach
Canadian ISP Rogers Communications has begun notifying customers of a data breach that occurred on February 26, 2020. The incident occurred due to an unsecured database. The exposed data included addresses, account numbers, email addresses, and telephone numbers of users.

Top Malware Reported in the Last 24 Hours

RedLine info-stealing malware
A new phishing email pretending to promote a fake Folding@home app has been found by researchers. The purpose of the campaign is to distribute the RedLine information-stealing trojan. The phishing email is sent under the subject line of ‘Please help us with Fighting corona-virus’ and includes a ‘Download now’ button.

HawkEye malware
Researchers have detected an ongoing phishing campaign that delivers the HawkEye info-stealing malware. The campaign impersonates the World Health Organization (WHO) to send phishing emails that come with archive attachments containing a file named “Coronavirus Disease (Covid-19) CURE.exe”.

Stolen data on sale
Over 12 GB of data allegedly stolen from a company named Brooks International is now being sold and distributed on hacker forums. The data was stolen by the Sodinokibi ransomware operators. The stolen data included usernames, passwords, credit card statements, tax information, and much more.

Top Vulnerabilities Reported in the Last 24 Hours

APT28 actively scanning vulnerable servers
For the past year, APT28, also known as Fancy Bear, has been actively scanning and probing the internet for vulnerable email servers. Trend Micro has reported that they are scanning for vulnerable webmail and Microsoft Exchange Autodiscover servers on TCP ports 445 and 1433.

Vulnerable password managers
Several password managers, including LastPass, Dashlane, Keeper, 1Password, and RoboForm, are affected by a total of four new vulnerabilities. While the flaw in 1Password and LastPass is caused by the use of weak matching criteria for identifying stored credentials during autofill, the flaw in RoboForm and Dashlane can result in brute force attacks.
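To illustrate what "weak matching criteria" means in practice, here is an added example (not code from the page, the study, or any of the named products) that contrasts a loose autofill matcher with a strict one. The vault entries, the hostnames and the `loose_match`/`strict_match` functions are all constructed for illustration; the lookalike hostname ends in the reserved `.test` domain.

```python
from urllib.parse import urlsplit

# Constructed vault: stored origin -> label of the credential kept for it.
# (Illustrative values only; no real accounts.)
VAULT = {
    "https://bank.example": "alice@bank.example",
    "https://mail.example": "alice@mail.example",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def loose_match(page_url, stored_url):
    """Weak criterion: the stored host merely appears somewhere in the
    page's host. A page named like 'bank.example.<anything>' satisfies it,
    so a lookalike origin would be offered the real credential."""
    page_host = _origin(page_url)[1]
    stored_host = _origin(stored_url)[1]
    return stored_host != "" and stored_host in page_host


def strict_match(page_url, stored_url):
    """Strict criterion: scheme, host and port must all be identical, i.e.
    the page and the stored entry share the same web origin."""
    return _origin(page_url) == _origin(stored_url)


def autofill_candidates(page_url, matcher):
    """Credentials a manager would offer for page_url under a given matcher."""
    return sorted(label for stored, label in VAULT.items()
                  if matcher(page_url, stored))


if __name__ == "__main__":
    for url in ("https://bank.example",
                "https://bank.example.lookalike.test",   # constructed lookalike
                "http://bank.example"):                  # same host, no TLS
        print(url)
        print("  loose :", autofill_candidates(url, loose_match))
        print("  strict:", autofill_candidates(url, strict_match))
```

Under the loose rule both the lookalike host and the plain-HTTP page receive the banking credential; under the strict rule only the exact stored origin does. The practical check for a defender is to confirm, on a test page served from a lookalike or downgraded origin, that the manager offers nothing.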

Drupal releases updates
Drupal has released updates for versions 8.8.x and 8.7.x to address two cross-site scripting vulnerabilities affecting the CKEditor library. The vulnerabilities do not affect Drupal version 7. The flaws can be abused if Drupal is configured to use the WYSIWYG CKEditor on a user’s site.

Google rolls out an update
Google this week has rolled out an update to address thirteen high-severity vulnerabilities affecting both Chrome and Chrome OS releases. The most serious of these vulnerabilities is a use-after-free vulnerability in WebGL, tracked as CVE-2020-6422. The new stable iteration of Chrome is available for download for Windows, Mac, and Linux as version 80.0.3987.149.

Microsoft releases a micropatch
Microsoft has issued a micropatch to fix a remote code execution vulnerability in the Windows Graphics Device Interface (GDI+). The patch is available for 0patch users with PRO accounts on fully updated Windows 7 or Server 2008 R2 devices. The vulnerability is tracked as CVE-2020-0881.



Posted on: March 20, 2020


