Cyware Daily Threat Intelligence, May 02, 2019


Misconfigured databases leaking sensitive data are on the rise. Security researchers have recently uncovered two separate leaks from unprotected Elasticsearch databases: one exposed 136,995 records of SkyMed members, the other leaked over 13.7 million user profiles from the job recruitment site Ladders.

The past 24 hours saw the release of a free decryptor tool for the recently discovered ZQ ransomware. The ransomware is known for appending a specific extension, .w_decrypt24@qq[.]com.zq, to encrypted files. It uses a combination of Salsa20 and RSA-1024 to encrypt victims’ files.

Dell has released security updates for two vulnerabilities in its SupportAssist Client software. The flaws are tracked as CVE-2019-3719 (remote code execution) and CVE-2019-3718 (improper origin validation). Together they could allow unauthenticated attackers to remotely execute arbitrary code or perform CSRF attacks against vulnerable computers.

Top Breaches Reported in the Last 24 Hours

PII of around 137K individuals exposed
A misconfigured Elasticsearch database exposed 136,995 records containing personally identifiable information and medical data of SkyMed members. SkyMed provides medical emergency evacuation services. The exposed PII includes full names, addresses, dates of birth, email addresses and phone numbers. Because the database required no authentication, anyone who found it could have edited, downloaded or deleted the data without administrative credentials. The database has since been secured.

Ladders site breached
A security lapse at Ladders, a popular US job recruitment site, exposed over 13.7 million user records online. The cause was an unprotected AWS-hosted Elasticsearch database. The exposed records included names, email addresses, employment histories and job titles of applicants. The database was pulled offline within an hour of AWS being notified of the issue.

A2 Hosting suffers a ransomware attack
A ransomware attack has crippled the operations of the US-based hosting provider A2 Hosting for almost eight days. The infection took place on April 23, 2019 and affected all Windows-based servers owned by A2 Hosting. Based on the file extensions appended to encrypted files, the ransomware appears to be a variant of GlobeImposter 2.0.

Top Malware Reported in the Last 24 Hours

Office 365 accounts targeted in ATO attacks
During March 2019, 29 percent of the monitored organizations had Office 365 accounts compromised in account takeover (ATO) attacks. Once inside, the attackers added malicious mailbox rules to hide their activity and to delete the phishing, spam and malvertising emails they sent from the compromised account, so that the account owner never saw them. The threat actors relied heavily on credentials obtained from previous data breaches, social engineering and phishing to compromise the accounts.
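The mailbox rules described above leave a trace in the Office 365 unified audit log as New-InboxRule / Set-InboxRule operations. The following is an added example, not code from the original digest or from any vendor, that scores such audit records for the hiding patterns attackers use (delete, move to a rarely-viewed folder, mark as read, bait keywords, throwaway rule names). The record shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs, AuditData sometimes arriving as a JSON string) is assumed from exported audit JSON, and the sample records are constructed.

```python
import json

# Constructed sample in the shape of Office 365 unified audit log "AuditData"
# records for Exchange cmdlets (field names assumed from exported audit JSON).
SAMPLE_AUDIT_RECORDS = [
    {
        "Operation": "New-InboxRule",
        "UserId": "alice@example.com",
        "ClientIP": "203.0.113.5",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "password;invoice;wire transfer"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    # Search-UnifiedAuditLog hands back AuditData as a JSON string, so one
    # record is embedded in that form to show the loader handling both shapes.
    json.dumps({
        "Operation": "Set-InboxRule",
        "UserId": "bob@example.com",
        "ClientIP": "198.51.100.9",
        "Parameters": [
            {"Name": "Identity", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    {
        "Operation": "New-InboxRule",
        "UserId": "carol@example.com",
        "ClientIP": "192.0.2.44",
        "Parameters": [
            {"Name": "Name", "Value": "Project X mail"},
            {"Name": "SubjectContainsWords", "Value": "Project X"},
            {"Name": "MoveToFolder", "Value": "Project X"},
        ],
    },
    {"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "ClientIP": "192.0.2.1"},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
# Folders attackers commonly route mail into because users rarely look there.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "junk e-mail",
                  "deleted items", "archive", "conversation history"}
# Keywords a thief filters on to intercept replies or security alerts.
BAIT_WORDS = {"password", "invoice", "wire", "payment", "hacked", "phish",
              "suspicious", "fraud", "security"}


def load_record(record):
    """Accept either a dict or the JSON string form of AuditData."""
    return json.loads(record) if isinstance(record, str) else record


def parameters_to_dict(record):
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record):
    """Return (score, reasons) for one audit record; (0, []) for non-rule operations."""
    record = load_record(record)
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = parameters_to_dict(record)
    score, reasons = 0, []
    if any(params.get(k, "").lower() == "true" for k in ("DeleteMessage", "SoftDeleteMessage")):
        score += 2
        reasons.append("rule deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"rule hides mail in '{params['MoveToFolder']}'")
    if params.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("rule marks mail as read")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    bait = sorted(b for b in BAIT_WORDS if any(b in w for w in words))
    if bait:
        score += 1
        reasons.append("rule filters on bait words: " + ", ".join(bait))
    name = params.get("Name", "")
    if name and (len(name) <= 2 or not any(c.isalnum() for c in name)):
        score += 1
        reasons.append(f"non-descriptive rule name '{name}'")
    return score, reasons


def find_suspicious_rules(records, threshold=2):
    """Return rule records scoring at or above threshold, highest score first."""
    hits = []
    for raw in records:
        rec = load_record(raw)
        score, reasons = score_rule(rec)
        if score >= threshold:
            hits.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                         "operation": rec["Operation"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_AUDIT_RECORDS):
        print(hit["score"], hit["user"], hit["ip"], hit["operation"], "; ".join(hit["reasons"]))
```

Run against the constructed sample, alice's delete-on-bait rule and bob's move-to-RSS rule are flagged while carol's ordinary project filter is not. In production the threshold and word lists are tuning knobs; the rule creation's ClientIP compared against the user's usual sign-in locations is the next field worth correlating.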

A new variant of Shellbot
A new variant of the Shellbot malware has been discovered that uses SSH brute-force attacks to compromise internet-connected Linux servers. Once installed, it removes competing cryptominers so that it can mine cryptocurrency for itself. The attackers are deploying the new variant for financial gain.
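The SSH brute-force stage of a campaign like this is visible in sshd's auth log long before any miner appears. The following is an added example, not code from the original digest or from the Shellbot research, that parses constructed sshd syslog lines, flags a source IP with a burst of failed logins inside a time window, and records any accepted login from that IP after the burst, which is the event that should page someone. The year is assumed because syslog timestamps omit it; hostnames, addresses and times in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (hostnames, IPs and times are made up;
# syslog omits the year, so one is assumed below).
SAMPLE_AUTH_LOG = """\
Apr 30 02:11:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Apr 30 02:11:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Apr 30 02:11:06 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 41038 ssh2
Apr 30 02:11:09 web1 sshd[2207]: Failed password for invalid user oracle from 198.51.100.23 port 41044 ssh2
Apr 30 02:11:12 web1 sshd[2209]: Failed password for invalid user test from 198.51.100.23 port 41050 ssh2
Apr 30 02:11:15 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 41058 ssh2
Apr 30 02:11:40 web1 sshd[2260]: Accepted password for root from 198.51.100.23 port 41120 ssh2
Apr 30 02:30:00 web1 sshd[2301]: Failed password for alice from 192.0.2.8 port 50000 ssh2
Apr 30 02:30:20 web1 sshd[2305]: Accepted publickey for alice from 192.0.2.8 port 50002 ssh2
Apr 30 02:31:00 web1 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2019):
    """Return a dict for an sshd auth result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10), year=2019):
    """Flag source IPs with >= threshold failures inside `window`, and record any
    successful login from that IP after the burst (the case worth paging on)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent, burst_at, failures, users, logins_after = [], None, 0, set(), []
        for ev in events:
            if ev["ok"]:
                if burst_at is not None:
                    logins_after.append((ev["user"], ev["method"]))
                continue
            failures += 1
            users.add(ev["user"])
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window:   # slide the window forward
                recent.pop(0)
            if burst_at is None and len(recent) >= threshold:
                burst_at = ev["ts"]
        if burst_at is not None:
            findings[ip] = {"burst_at": burst_at, "failures": failures,
                            "users": sorted(users), "logins_after_burst": logins_after}
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f["failures"], "failures, users tried:", f["users"],
              "logins after burst:", f["logins_after_burst"])
```

The single failed attempt from 192.0.2.8 followed by a key-based login is normal user behaviour and is not reported; the six password failures from 198.51.100.23 followed by an accepted root password login are. On a host where that happens, the next checks are the new login's shell history, cron entries and any freshly started processes, since the page notes this variant kills competing miners before starting its own.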

Decryptor released for ZQ ransomware
Emsisoft researchers have released a decryption tool for ZQ ransomware. The ransomware uses Salsa20 and RSA-1024 algorithms to encrypt victims’ files. Once encrypted, it appends the files with .w_decrypt24@qq[.]com.zq extension and later drops a ransom note named HELP__DECRYPT.txt.

Top Vulnerabilities Reported in the Last 24 Hours

Dell’s SupportAssist flaws
Dell has issued a security patch for two vulnerabilities in its SupportAssist Client software. The flaws are tracked as CVE-2019-3719 and CVE-2019-3718, with CVSS scores of 8.0 and 8.8 respectively. They could allow unauthenticated attackers to remotely execute arbitrary code or perform CSRF attacks against vulnerable computers.
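CVE-2019-3718 is described above as an improper origin validation flaw, a class that typically arises when a locally listening HTTP service decides whether to trust a browser request by a loose string match on the Origin header. The following is an added, generic illustration of that class and its fix, not Dell's code and not a claim about how SupportAssist implemented its check: a substring test is shown beside a strict parse that compares scheme, host and port against a hypothetical allowlist. The host name support.example.com and the sample Origin values are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for a local agent's HTTP endpoint: exact
# (scheme, hostname, port) triples. Nothing else is trusted.
TRUSTED_ORIGINS = {("https", "support.example.com", 443)}


def weak_origin_check(origin):
    """Substring test of the kind that leads to improper origin validation.
    Illustrative only; not any vendor's code."""
    return origin is not None and "support.example.com" in origin


def strict_origin_check(origin, allowlist=TRUSTED_ORIGINS):
    """Parse the Origin header and compare scheme, host and port exactly."""
    if not origin or origin == "null":       # opaque origin: never trusted
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port                    # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # A browser Origin is scheme://host[:port] only. A path, query, fragment
    # or userinfo means the value is attacker-shaped, not a real origin.
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    return (parts.scheme, parts.hostname.lower(), port or 443) in allowlist


def evaluate(origin):
    """Return (weak_result, strict_result) for one Origin header value."""
    return weak_origin_check(origin), strict_origin_check(origin)


# Constructed Origin header values a local endpoint might receive.
SAMPLE_ORIGINS = [
    "https://support.example.com",                     # legitimate
    "https://support.example.com:443",                 # legitimate, explicit port
    "https://support.example.com.attacker.test",       # trusted name as a prefix
    "https://attacker.test/?ref=support.example.com",  # trusted name in the query
    "https://support.example.com@attacker.test",       # trusted name as userinfo
    "http://support.example.com",                      # wrong scheme
    "null",                                            # opaque origin
    None,                                              # header absent
]

if __name__ == "__main__":
    for o in SAMPLE_ORIGINS:
        weak, strict = evaluate(o)
        print(f"{str(o):50} weak={weak!s:5} strict={strict}")
```

The substring check accepts every crafted value that merely contains the trusted name; the strict check accepts only the two genuine origins. Origin validation alone is still not sufficient for a local listener: requests without an Origin header must be rejected rather than waved through, and a per-session unguessable token is the usual second control against CSRF.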

Cisco releases new advisories
Cisco has issued 40 security advisories covering vulnerabilities in Nexus data-center switches, Firepower firewalls and other products. Only one is rated critical, with a CVSS score of 9.8 out of 10. That vulnerability affects Nexus 9000 series switches running in Application Centric Infrastructure (ACI) mode and could allow an attacker to gain unauthorized access to system resources.

Vulnerable ISPsystem
Security researchers have uncovered a critical vulnerability in ISPsystem software. The vulnerability allows an attacker to hijack the session of any logged-in user and then take control of that user’s websites, virtual machines and billing data. All ISPsystem products, namely ISPmanager, BILLmanager, DCImanager and VMmanager, are affected. The vulnerability has been fixed in version 5.178.2.


Posted on: May 02, 2019
