Cyware Daily Threat Intelligence, March 23, 2020


No doubt, the dark web is becoming a cybersecurity nightmare for businesses. In a major finding, researchers have revealed that threat actors are selling the personal data of 538 million Weibo users on dark web forums. The data on sale includes real names, site usernames, gender, locations, and phone numbers of 172 million users.

With the whole world gripped by the COVID-19 pandemic, bad actors were seen using the disease name to sell malware and exploitation tools. Cybercriminals are also using the disease name as a discount code to sell fake items such as a MacBook Air.

On the malware front, three botnets, namely Chalubo, FBot, and Moobot, were observed exploiting LILIN DVR zero-day vulnerabilities to spread across systems. The attacks have been active since August 2019.

Top Breaches Reported in the Last 24 Hours

Data of Weibo users put on sale
Personal data of 538 million Weibo users, including 172 million phone numbers, was put up for sale on the dark web. The exposed data reportedly includes real names, site usernames, gender, and locations of 538 million users. The stolen data is being sold for $250 on a dark web marketplace.

Finastra suffers a breach
Finastra, a leading financial technology service provider from the UK, had to take several servers offline following a ransomware attack. Officials reported that they do not have any evidence of customer or employee data being accessed or exfiltrated.

Hammersmith Medicines’ data sold online
The Maze attackers published the data stolen from Hammersmith Medicines Research online. The healthcare firm had suffered an attack on March 14 and refused to pay the ransom demanded by the attackers.

Top Malware Reported in the Last 24 Hours

Actors use discount code to sell malware
According to the latest research, hackers are using a ‘COVID-19’ discount code to sell malware and exploitation tools on the dark web. For instance, a Facebook account hacking tool is available for $300 after a discount. The researchers also noted that around 93 malicious coronavirus-related domains were registered last week.

Netwalker ransomware campaign
Researchers have detected a new Coronavirus phishing campaign that installs the Netwalker ransomware. The campaign uses an attachment named ‘CORONAVIRUS_COVID-19.vbs’ that contains an embedded Netwalker executable. The ransomware, once executed, will encrypt the files on the computer and append a random extension to encrypted file names.

Mukashi botnet
Mukashi is the latest variant of the Mirai botnet and targets a recently uncovered critical vulnerability (CVE-2020-9054) in Zyxel NAS devices. This new variant uses brute force attacks to take control of devices and later uses them to conduct DDoS attacks.

Top Vulnerabilities Reported in the Last 24 Hours

LILIN DVR Zero-day exploited
Three botnets - Chalubo, FBot, and Moobot - have been found using LILIN DVR zero-day vulnerabilities to spread across systems. The attacks have been active since August 30, 2019. The command injection vulnerability, along with two other vulnerabilities found in the video recorders, was patched this February after the vendor became aware of them.



Posted on: March 23, 2020
