Cyware Daily Threat Intelligence, March 26, 2020

Share Blog post

Failing to apply security patches on time can create unwanted problems for organizations. It has been found that the notorious China-based APT41 threat actor group was scanning for vulnerable Citrix ADC, Zoho MangerEngine, and Cisco routers to deploy malicious payloads including Cobalt Striker. The campaign has affected a wide range of industries across the globe.

A watering hole attack targeting iOS users in Hong Kong was also spotted in the last 24 hours. The campaign leveraged links on multiple forums that supposedly led to news sites. These links were injected with a new variant of an iOS malware called LightSpy. In a different incident, malware disguised as a Chrome update was used to drop several payloads such as keyloggers, info stealers, and trojans. Threat actors behind the attack used hacked corporate sites and news blogs to inject the malicious Chrome update page.

Meanwhile, the largest dark web service provider, Daniel’s Hosting, has shut down its service after it was hacked on March 10, 2020. This has affected almost 7,600 dark web portals.

Top Breaches Reported in the Last 24 Hours

Daniel’s Hosting hacked
Daniel’s Hosting, the largest free web hosting provider for dark web services, has shut down after being hacked for the second time in 16 months. Almost 7,600 dark web portals were taken offline following the hack. The incident occurred on March 10, during which an attacker deleted the web hosting portal’s entire database.

Tupperware hit by skimmer attack
Tupperware has been hit by a card skimmer attack. Threat actors compromised the official site and injected malicious code within an image file that activated a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it onto the cybercriminals.

Top Malware Reported in the Last 24 Hours

WP-VCD malware returns
The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a website. The ultimate goal of these malicious plugins is to use the compromised WordPress sites to display popups or perform redirects that generate revenue for threat actors.

56 malicious apps
Google has removed 56 malicious apps, 24 of which were apps for kids. These apps contained auto-clicker malware that went undetected by the Google Play Store and Google’s anti-malware scanner Play Protect. These apps had more than a million installs across Android devices.
 
Malware disguises as Chrome update
Certain online news blog websites of corporates that are created using WordPress CMS, have been compromised in a recent campaign. The hacker group behind the attack have embedded JavaScript code in the hacked pages to redirect visitors to a phishing site where they are prompted to install an important security update for the Chrome browser. Once the unsuspecting user downloads the update, malware gets installed that allows attackers to remotely access and control infected computers. Over 2000 people have downloaded the fake update so far.

Operation Poisoned news
A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news sites. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malware. The campaign exploits vulnerabilities present in iOS 12.1 and 12.2. The malware used in the campaign is a new iOS malware called lightSpy.

Top Vulnerabilities Reported in the Last 24 Hours

Videolabs fixes flaws
Videolabs has recently addressed code execution, DoS vulnerabilities in the libmicrodns library. The most severe of these vulnerabilities is a remote code execution bug in the label-parsing functionality of the library. It is tracked as CVE-2020-6072.

Several known flaws exploited
In a widespread attack campaign, the APT41 threat actor group has exploited several known vulnerabilities in Cisco routers, Citrix ADC and Zoho ManageEngine to infect several organizations. The purpose of the campaign was to distribute backdoors like Cobalt Strike. The campaign was carried out between January 20 and March 11, 2020.

HP warns users about a flaw
Hewlett Packard (HP) is warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation. The critical issue affects drives in HPE server and storage products like HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, and StoreEasy 1000 Storage. HP has advised users to update the firmware to stay safe.

Tor browser 9.0.7 addresses a flaw
The Tor Project has released Tor Browser 9.0.7 to permanently fix a server bug that allowed JavaScript code to run on sites it should not. The flaw exists in Tor Browser’s security options. The bug causes the execution of JavaScript code, even when the browser is set up to use the highest security level, the ‘Safest’.

 Tags

wp vcd malware
operation poisoned news
apt41 threat actor group
tupperware
tor browser 907
hewlett packard hp

Posted on: March 26, 2020

Get the Daily Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!