Cyware Daily Threat Intelligence, May 07, 2021


Poor security controls on websites can easily attract cybercriminals. The U.S.-based Fermilab physics laboratory could have been an easy target as weaknesses in the lab’s server exposed several documents and credentials. In another incident, an open ElasticSearch server leaked 7GB of data and over 13 million records of users and Amazon marketplace vendors in fake Amazon product review scams.

Meanwhile, unknown threat actors have been utilizing a Windows rootkit for years to deploy backdoors on vulnerable machines. While CISA investigated FiveHands, a new ransomware variant, a newly disclosed DNS vulnerability known as TsuNAME came to light that could allow attackers to launch DDoS attacks against authoritative DNS servers.

Top Breaches Reported in the Last 24 Hours

Ransomware hits CaptureRx
A ransomware attack on CaptureRx, a Texas-based administrative services company, impacted at least three American healthcare providers. In the attack, cybercriminals exfiltrated files containing PHI, including names, dates of birth, prescription information, and medical record numbers of more than 24,000 individuals.

U.S. physics lab exposes data
The Fermilab physics laboratory, a part of the U.S. Department of Energy, organized its systems after security researchers found flaws exposing documents, personal information, project details, proprietary applications, and credentials. The researchers stumbled upon a database that allowed unauthenticated access to 53,685 file entries and 5,795 documents.

Amazon fake review scam
An open ElasticSearch server revealed the identities of more than 200,000 individuals in Amazon fake product review schemes. The publicly accessible online server contained 7GB of data and over 13 million records, including usernames, email addresses, links to Amazon profiles, PayPal addresses, WhatsApp and Telegram numbers, and records of direct messages between customers.

Top Malware Reported in the Last 24 Hours

Windows rootkit deploys passive backdoors
Security researchers have discovered a new Windows rootkit, dubbed Moriya, which is employed by an unknown actor to install passive backdoors on public-facing servers. In detections dating back to October 2019 and May 2020, the rootkit was found in several instances on the networks of regional diplomatic organizations in Africa and Asia.

CISA investigates a new ransomware variant
CISA analyzed a new ransomware variant, FiveHands, which threat actors used in a recent successful cyberattack against an organization. In addition to the FiveHands ransomware, the threat actors utilized open source tools and a RAT called SombRAT to obfuscate files, steal information, and demand ransom from victims.

Cloud malware apps detected
Threat actors have been found using malicious OAuth 2.0 apps or cloud malware to siphon data and access critical information. In 2020, researchers detected over 180 different malicious OAuth apps attacking 55% of their customers.

Top Vulnerabilities Reported in the Last 24 Hours

DNS vulnerability allows DDoS attacks
A newly disclosed DNS bug, TsuNAME, could be used as an amplification vector in DDoS attacks targeting authoritative DNS servers. These servers convert web domains into IP addresses and share this information with recursive DNS servers, which users’ web browsers query when connecting to a particular website.

Security flaws in older routers
According to a new investigation, older routers present serious security vulnerabilities. About 7.5 million users in the U.K. could potentially be impacted as vulnerable routers create an opportunity for cybercriminals to spy on people as they browse or direct them to spam websites.



Posted on: May 07, 2021
