
Cyware Daily Threat Intelligence, May 03, 2019


Ransomware has become the number one security risk to businesses and users. When an organization has no backup files, a decryption key is the only way to recover the encrypted files. Security researchers have now cracked the decryption key for the MegaLocker, or NamPoHyu Virus, ransomware.

The MegaLocker ransomware was first detected in March 2019 and appended the .cryptd extension to encrypted files. In early April 2019, the ransomware was renamed NamPoHyu Virus and started appending the .NamPoHyu extension to encrypted files instead.

The past 24 hours also saw a major fake tech support scam that leveraged Google search results to push fake ads carrying bogus customer contact numbers for popular sites such as Amazon, PayPal, and eBay. The ads look legitimate in mobile browsers, but not in the desktop version of the Google search results page, where the contact numbers are shown broken up with parentheses, pipes, and Unicode symbols, making them less convincing to users.

Top Breaches Reported in the Last 24 Hours

Porr company affected by cyberattack
A cyberattack on the communication infrastructure of Austrian construction company Porr has disrupted the firm’s telephone lines and email systems. The damage has been caused by an unidentified virus. Technicians are working to find a solution and estimate the potential damage. Porr has revealed that the company’s data is safe.

UNIFAST’s database breached
Hackers have breached a database of the Unified Student Assistance System for Tertiary Education (UNIFAST) to steal the personal information of 1,130,899 Tertiary Education Subsidy (TES) applicants. The database contained student identification numbers, full names, birth dates, parents’ names and addresses of applicants. The hack took place on March 16, 2019.

A major update on US Power grid attack
A further update on the cyberattack that disrupted electrical system operations in California, Utah and Wyoming has been released. The cyber event that took down systems of an energy company on March 5, 2019, was a DDoS attack. The affected company provides power in several western U.S. states. The attackers leveraged a known software vulnerability to launch the attack.

Top Malware Reported in the Last 24 Hours

Decryptor for ‘NamPoHyu Virus’ ransomware
Emsisoft has released a decryptor tool for the MegaLocker, or NamPoHyu Virus, ransomware that has been targeting Samba servers. MegaLocker first appeared in March 2019 and was renamed NamPoHyu in early April. The NamPoHyu virus appends the .NamPoHyu extension to encrypted files.

New Qakbot variant
A new variant of Qakbot or Qbot banking trojan has been detected using a novel persistence technique to evade detection and make its removal a lot more cumbersome. The malware variant is launched via a dropper. Once infected, the victim machine will create a scheduled task. This task will execute a JavaScript downloader that makes a request to one of several hijacked domains. The functionality of the variant remains the same as the original.
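As an added example that is not part of the original briefing, the Python snippet below shows one way a defender could hunt for the persistence mechanism described above: it scans exported Task Scheduler XML (as produced by schtasks /query /xml or Export-ScheduledTask) for actions that launch the Windows Script Host (wscript.exe or cscript.exe) or that point at a .js/.jse file. The task definitions are constructed samples, and the task names, paths and heuristics are assumptions for illustration, not Qakbot indicators.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
SCRIPT_EXTS = (".js", ".jse")                   # JScript file extensions WSH executes

# Constructed sample task definitions; names, paths and arguments are illustrative only.
SAMPLE_TASKS = [
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Example\Updater</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Example\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\SyncHelper</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\Users\Public\Libraries\update.js</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Maintenance\Cleanup</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cscript.exe</Command>
      <Arguments>/nologo %APPDATA%\sync.js</Arguments>
    </Exec>
  </Actions>
</Task>""",
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both separators and quotes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_exec(command: str, arguments: str) -> list:
    """Return the reasons an Exec action looks like a script-based loader (empty if none).
    Arguments are split on whitespace, so quoted paths containing spaces are a known gap."""
    reasons = []
    exe = _basename(command)
    if exe in SCRIPT_HOSTS:
        reasons.append(f"command launches script host {exe}")
    if exe.endswith(SCRIPT_EXTS):
        reasons.append(f"command is a script file ({exe})")
    for token in arguments.split():
        if _basename(token).endswith(SCRIPT_EXTS):
            reasons.append(f"argument references script file {token}")
    return reasons


def scan_tasks(xml_docs: list) -> list:
    """Parse each task XML document and collect findings for suspicious Exec actions."""
    findings = []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=TASK_NS)
        for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
            command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
            arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
            reasons = analyze_exec(command, arguments)
            if reasons:
                findings.append({"task": uri, "command": command,
                                 "arguments": arguments, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_tasks(SAMPLE_TASKS):
        print(f"{f['task']}: {f['command']} {f['arguments']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live host the same scan can be fed the XML under C:\Windows\System32\Tasks, and hits should be triaged against the task's author, creation time and the reputation of the domains the script contacts rather than treated as proof of infection.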

Magecart’s card skimming attack expands
The Magecart threat actor group has expanded its card skimming attacks to e-commerce sites running the OpenCart, OSCommerce, WooCommerce and Shopify platforms; earlier, the group’s operations were limited to Magento-based online stores. Researchers have lately found that Magecart Group 12 primarily targets the OpenCart platform. The group initiates the attack by injecting a small piece of JavaScript code in the URL. The code checks whether the URL the user is visiting contains the word ‘checkout’ and only then inserts the skimmer script.

Top Vulnerabilities Reported in the Last 24 Hours

Orpak SiteOmat software vulnerable
Several vulnerabilities have been discovered in the Orpak SiteOmat software. The bugs affect all versions of SiteOmat prior to 6.4.414.084 and 6.4.414.122. One of the critical bugs, tracked as CVE-2017-14728, can allow an attacker to gain access to the system’s configuration, including payment information, and can also shut down the system altogether. Orpak recommends that users of affected versions update to the latest version, v6.4.414.139.

Revive Adserver patches flaws
Revive Adserver has patched two vulnerabilities by releasing a new version, 4.2.0. One of the two flaws is rated critical with a CVSS score of 10 and is classified as a deserialization-of-untrusted-data vulnerability. The second vulnerability has a CVSS score of 4.2.

Vulnerable D-Link DCS 2132L cloud camera
Multiple vulnerabilities have been discovered in the D-Link DCS 2132L cloud camera. The flaws include unencrypted cloud communication, insufficient cloud message authentication, and unencrypted LAN communication. Some of these flaws have been mitigated, while patches for the rest are yet to be released.

Top Scams Reported in the Last 24 Hours

Fake customer support numbers
Google search results were displaying fake customer support numbers for popular sites such as Amazon, PayPal, and eBay. The ads look legitimate on smartphones, but on the desktop version they look different, as the digits are separated by parentheses, pipes, and Unicode symbols. It is believed that scammers use these symbols to bypass Google’s automated ad quality screening tools. Google has stated that it removed the ads as they violated the company’s policies. Users are urged to report such ad scams appearing in Google search results using Google’s ad flagging tool.
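As an added example that is not part of the original briefing, the following Python script shows the kind of normalisation an ad-screening or abuse-reporting pipeline needs in order to see through the obfuscation described above (and in the summary at the top of this briefing): it folds Unicode digit look-alikes to ASCII, ignores pipes, parentheses and other separators when reassembling the number, and flags a number as obfuscated when its raw text uses characters that ordinary phone-number formatting would not. The ad texts are constructed samples using reserved 555 numbers, and the separator allow-list is an assumption for illustration, not Google’s policy.

```python
import re
import unicodedata

# Constructed sample ad snippets (not real ads; 555 numbers are reserved for fiction).
SAMPLE_ADS = [
    "Call support now: 1 (800) | 555 | 0123",          # pipes and parentheses
    "Helpline ① ８００ ‑ ５５５ ‑ ０１９９",                 # circled/fullwidth digits, U+2011 hyphen
    "Order help · 1-800-555-0142, open 24/7",         # normally formatted number
    "Free shipping on all orders over $50",           # no phone number at all
]

# Separators that ordinary phone-number formatting uses (assumption, not a policy).
ALLOWED_SEPARATORS = set(" -().+")
# Digits separated by short runs of punctuation, symbol or space characters.
DIGIT_RUN = re.compile(r"\d(?:[\W_]{0,5}\d)+")


def fold_digits(text: str) -> str:
    """Map every character carrying a Unicode digit value (fullwidth, circled,
    superscript, ...) to its ASCII digit; everything else passes through.
    The mapping is one character to one character, so string offsets are preserved."""
    out = []
    for ch in text:
        d = unicodedata.digit(ch, None)
        out.append(str(d) if d is not None else ch)
    return "".join(out)


def extract_phone_candidates(text: str, min_digits: int = 10) -> list:
    """Return candidate phone numbers hidden in text as dicts with the raw span,
    the reassembled digit string, and whether non-standard characters were used."""
    folded = fold_digits(text)
    candidates = []
    for m in DIGIT_RUN.finditer(folded):
        digits = re.sub(r"\D", "", m.group())
        if len(digits) < min_digits:
            continue
        raw = text[m.start():m.end()]      # same offsets as the original text
        obfuscated = any(
            not (ch.isascii() and ch.isdigit()) and ch not in ALLOWED_SEPARATORS
            for ch in raw
        )
        candidates.append({"raw": raw, "digits": digits, "obfuscated": obfuscated})
    return candidates


def screen_ads(ads: list) -> list:
    """Run the extractor over a batch of ad texts, tagging each hit with its ad."""
    hits = []
    for ad in ads:
        for cand in extract_phone_candidates(ad):
            hits.append({"ad": ad, **cand})
    return hits


if __name__ == "__main__":
    for hit in screen_ads(SAMPLE_ADS):
        flag = "OBFUSCATED" if hit["obfuscated"] else "plain"
        print(f"{flag:10} {hit['digits']}  <- {hit['raw']!r}")
```

The reassembled digit string is what should be compared against a brand’s published support numbers or a blocklist; the obfuscation flag on its own is a signal that the advertiser is working around a text filter, which is worth a manual review even when the number is unknown.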



Posted on: May 03, 2019
