Cyware Daily Threat Intelligence, May 01, 2020

Share Blog post

The Maze ransomware operators, who were reportedly behind the recent attack on Cognizant, claimed to have got their hands on 11 million credit card credentials belonging to the network of Banco BCR, a state-owned Bank of Costa Rica. They also leaked some 240 credit card details on their site as proof of the theft. However, this time, the operators did not seem to be focused on monetizing the stole data themselves and instead wanted to highlight the security flaw in the bank’s network.

A sophisticated phishing campaign called PerSwaysion, that has targeted more than 150 companies around the world, has also been observed in the past 24 hours. Cybercriminals behind the campaign relied on Microsoft Sway service and phishing kits to steal credentials from Microsoft Office 365 users. Another spear-phishing attack was also observed targeting government employees of the Municipality of Da Nang, Vietnam. The intended victims were sent emails with ‘danang.gov.vn’ appended to the sender’s address.

Top Breaches Reported in the Last 24 Hours

Maze ransomware attacks Banco BCR
Maze ransomware operators have reportedly gained access to some 11 million credit card details belonging to Banco BCR. They also leaked the details of 240 credit cards as proof of the theft on their site.

Updates on ExecuPharma attack
Clop ransomware operators have now leaked files stolen from U.S. pharmaceutical company ExecuPharma after ransom negotiations allegedly failed. The attackers published email details of almost 19,000 ExecuPharma and Parexel employees on their site.

Le Figaro exposes 7.4 billion records
French newspaper Le Figaro had exposed 7.4 billion records due to a misconfigured Elasticsearch database.  The exposed PII data included full names, emails, home addresses, countries of residence, postcodes, IP addresses, server access tokens, and passwords for new users.

Top Malware Reported in the Last 24 Hours

PerSwaysion phishing operation
Multiple threat actors are running phishing attacks against global organizations to trick employees into giving away their Office 365 login credentials. Named as ‘PerSwaysion’, the campaign relies on Microsoft Sway service and phishing kits offered in a malware-as-a-service operation. It has been active since at least August 2019 and researchers have observed emails of at least 27 adversaries so far.

RevCode RAT
Researchers have come across a new attack that leverages Zoom installers to spread a cryptocurrency miner called RevCode WebMonitor RAT. Upon execution, the malware connects to the URL, dabmaster[.]wm01[.]to, and executes commands from remote attackers.

Spear phishing attack 
A spear-phishing attack that targeted government employees of the Municipality of Da Nang, Vietnam, was reported. The emails contained a malicious Microsoft Excel document that dropped a Dynamic-Link Library (DLL), providing the threat actors with CMD reverse shell over HTTP.

Top Vulnerabilities Reported in the Last 24 Hours

Ninja Forms plugin
The developers of Ninja Forms WordPress plugin have fixed a high severity security vulnerability that could let attackers take over websites. The vulnerability is tracked as a cross-site request forgery (CSRF) vulnerability and has been patched in version 3.4.24.2 of the plugin.

WordPress updates to 5.4.1
WordPress has released version 5.4.1 that fixes multiple bugs found in the previous versions. Some of these flaws are cross-site request forgery (XSS) vulnerabilities.

Top Scams Reported in the Last 24 Hours

Sextortion scam
A new sextortion scam, which has been active since April, is duping unwitting victims by referring to old passwords that were parts of old data breaches. The email claims that the password was obtained by compromising one of the recipient’s devices using malware. It further states that the malware had infected the victim’s system when they visited an adult website. To scare the victims further, the scammers also warn that they have made a video of the victim watching inappropriate content. The victims are asked a sum of $1900 to keep it as secret.

 Tags

ninja forms plugin
revcode rat
sextortion scam
perswaysion
maze ransomware

Posted on: May 01, 2020

Get the Daily Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!