Cyware Daily Threat Intelligence, March 31, 2020


Earlier in March, a watering hole campaign targeted iOS users in Hong Kong with a powerful spyware called LightSpy. Following that research, a group of researchers from Kaspersky has uncovered a new campaign that leverages several compromised websites to launch drive-by download attacks using fake Adobe Flash update warnings. The campaign has been active since May 2019 and uses a varied toolset, including Go language components, an NSIS installer, and more.

In a different discovery, researchers have observed that a ‘Stuxnet-type’ attack is possible on Schneider’s Modicon M340 Programmable Logic Controller. The attack targets the controller via Schneider’s EcoStruxure Control Expert engineering software, formerly known as Unity Pro.

The past 24 hours also saw a new cryptocurrency Ponzi scam doing the rounds on the internet. For this, a hacker has hijacked more than 30 YouTube accounts and rebranded them with Microsoft product names in order to attract online users. The victims are asked to invest a small amount of cryptocurrency in order to receive a big return.

Top Breaches Reported in the Last 24 Hours

42 million records leaked
A trove of 42 million records from a third-party version of Telegram was leaked through an Elasticsearch cluster targeted by a group called ‘Hunting system’. The exposed data included usernames, phone numbers, account IDs, hashes, and secret user keys.

Campaign Sidekick app exposed
A code repository including access credentials of the Campaign Sidekick app was exposed online due to a fault in its configuration settings. The repository included the full history of changes to the code since it was uploaded in November 2016. Additionally, it exposed the credentials for the cPanel and Secure File Transfer Protocol (SFTP) servers of another US-based data aggregation company, Voter Gravity.

Top Malware Reported in the Last 24 Hours

Stuxnet type attack
Researchers recently demonstrated a ‘Stuxnet type’ attack on Schneider’s Modicon M340 Programmable Logic Controller. The attack targeted the controller via Schneider’s EcoStruxure Control Expert engineering software, formerly known as Unity Pro. Such an attack can have serious consequences, including the disruption of manufacturing processes or other types of damage.

Watering hole attack
A widespread watering hole attack campaign has been observed affecting several websites that belong to public bodies, charities, and organizations of the targeted group. The campaign, which has been active since May 2019, targets people in a few Asian countries. The attackers’ toolset includes Sojson obfuscation, an NSIS installer, open-source code, Go language components, and Google Drive-based C2 channels.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable AVN systems
Malicious actors can exploit the Audio, Visual and Navigation (AVN) systems in the 2017 model of Lexus and Toyota cars to compromise the internal Controller Area Network (CAN) and related electronic control units (ECUs). The AVN systems are affected by two vulnerabilities that can allow attackers to achieve remote code execution in the Display Control Unit (DCU) with root privilege.

Adobe patches critical flaw
Adobe has issued a security advisory and patch for a critical vulnerability CVE-2020-3808 affecting its Creative Cloud Desktop Application. The flaw affects versions prior to 5.0 of the Creative Cloud for Windows. The issue can allow attackers to delete arbitrary files from a target system.

Top Scams Reported in the Last 24 Hours

Cryptocurrency Ponzi scam
A hacker has hijacked over 30 YouTube accounts in order to launch a cryptocurrency Ponzi scam. The hijacked accounts were renamed after various Microsoft brands before broadcasting the scam, which tricks victims into sending a small sum of cryptocurrency in exchange for a good return. The Microsoft brands used in the scam include Microsoft US, Microsoft Europe, Microsoft News, and others. Meanwhile, Microsoft has denied that any official account of the company was breached.

Bad actors misuse CARES Act
Threat actors have started leveraging the recently launched CARES Act to launch a variety of attacks on unsuspecting victims. Researchers see this as a channel for attackers to collect personal and financial details from victims. Therefore, SMBs must be vigilant of unsolicited emails that claim to provide a relief package.


Posted on: March 31, 2020
