Cyware Daily Threat Intelligence, May 08, 2019


Cybercriminals are currently exploiting a known vulnerability, CVE-2019-3396, in Confluence Server and Data Center to drop a variety of malware. After distributing GandCrab v5.2 ransomware and a variant of the AESDDoS botnet, threat actors are now exploiting the same vulnerability to propagate a Monero miner bundled with a rootkit. The Monero miner and rootkit are detected as Coinminer.Linux.MALXMR.UWEJI and Rootkit.Linux.KERBERDS.A respectively. The purpose of Rootkit.Linux.KERBERDS.A is to hide the attackers' malicious activities while the malware propagates across the network.

In the past 24 hours, we also saw two major security breaches attributed to misconfigured Elasticsearch databases. In one incident, an unprotected database leaked the personal information of 15,000 Freedom Mobile customers. In another, an unguarded Elasticsearch database exposed 37,900 records of Kool King Shop customers. The leaky database belonging to the fast food restaurant held its data in plaintext, and it is believed to have been left open on the internet since at least April 24, 2019.

Upon discovery, both the databases were taken offline by the respective firms and are no longer available to the public.

Top Breaches Reported in the Last 24 Hours

Freedom Mobile exposes customer data
An unprotected Elasticsearch database belonging to Freedom Mobile has leaked the personal information of 15,000 customers. The incident affected customers who opened or made changes to their accounts between March 25, 2019, and April 15, 2019. The misconfigured database is believed to be part of a logging system the company uses to record errors and store customer data. The data exposed in the incident includes customers' names, email addresses, phone numbers, postal addresses, dates of birth and Freedom Mobile account numbers.

Kool King Shop data leak
Another unguarded Elasticsearch database, discovered via a Shodan search, has exposed 37,900 records of Kool King Shop customers. The unprotected database holds plaintext data and has been open since at least April 24, 2019. The compromised records include personally identifiable information such as email addresses, passwords, names, phone numbers, voucher codes and links to externally stored certificates. Burger King, which provides menus to the fast food restaurant, has been notified of the incident, after which the leaky database was taken offline.
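Both leaks above come down to the same misconfiguration: an Elasticsearch node bound to a public interface with no authentication in front of its REST API. The following is an added example, not code from Cyware or from either affected company, that audits a flat elasticsearch.yml for exactly that combination. It assumes the real setting names network.host and xpack.security.enabled, treats a missing xpack.security.enabled as disabled (the default in releases current at the time of this briefing), and uses two constructed sample configurations, one weak and one hardened.

```python
from typing import Dict, List

# Constructed sample elasticsearch.yml (not from a real deployment): bound to
# every interface with security left off, the shape of an internet-exposed node.
WEAK_CONFIG = """\
cluster.name: logging
node.name: log-1
network.host: 0.0.0.0   # reachable from any host
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample of the same node bound to loopback with security enabled.
HARDENED_CONFIG = """\
cluster.name: logging
node.name: log-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that bind a node to a non-loopback interface.
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml uses.

    Comments and blank lines are skipped; nested YAML is out of scope here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per exposure; an empty list means nothing was flagged."""
    findings: List[str] = []
    host = settings.get("network.host", "127.0.0.1")  # loopback is the default bind
    # Assumption: a missing xpack.security.enabled means security is off, which
    # matches the Elasticsearch releases current when this briefing was written.
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if host in PUBLIC_BIND_VALUES and not security_on:
        port = settings.get("http.port", "9200")
        findings.append(
            f"network.host={host} with xpack.security.enabled={str(security_on).lower()}: "
            f"the REST API on port {port} answers unauthenticated queries from any "
            "host that can reach it"
        )
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a config string and audit it in one call."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or ["no findings"])
```

The check deliberately flags only the combination of a public bind and disabled security; a node bound to 0.0.0.0 with authentication and TLS enforced is a legitimate deployment, and a node on loopback is unreachable from the internet regardless of the security flag. A network-level control (firewall or reverse proxy) in front of port 9200 would also close the exposure, but it is not visible in this file, so the audit reports what the configuration alone guarantees.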

Baltimore City Hall government servers attacked
The servers of Baltimore City Hall, and of Potter County in Amarillo, Texas, have been hit by ransomware attacks. This has forced some government departments to halt their operations. Officials have yet to assess the extent and source of the infection. It is believed that no personal data has been affected by the incident.

Top Malware Reported in the Last 24 Hours

Cryptominer includes rootkit
Threat actors are exploiting a recently discovered vulnerability in Confluence Server and Data Center to deliver a Monero miner that contains a rootkit. The vulnerability is tracked as CVE-2019-3396 and exists in the Widget Connector. The Monero miner and rootkit are detected as Coinminer.Linux.MALXMR.UWEJI and Rootkit.Linux.KERBERDS.A respectively. To stay safe, users are advised to update Atlassian Confluence Server and Data Center to the latest versions.

GandCrab v5.2 ransomware returns
An unnamed Japanese firm has been hit by GandCrab ransomware version 5.2. The attack was launched using a Korean Office document that contained a malicious macro. The attackers used a variation of the Squiblydoo technique to bypass Windows AppLocker. After encrypting files, GandCrab v5.2 demands a ransom in DASH or Bitcoin cryptocurrency.

A new variant of Clippy released
Security researchers have released a new variant of the old Microsoft Office Assistant Clippy. Dubbed Evil Clippy, this tool can modify Office documents at the file format level, which the researchers say makes the malicious Microsoft Office docs undetectable. It can hide VBA macros, stomp VBA code and confuse popular macro analysis tools.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable WP Live Chat Plugin
The WP Live Chat plugin contains a vulnerability that can allow an attacker to upload arbitrary files to vulnerable systems. The flaw is tracked as CVE-2018-12426 and exists in versions prior to 8.0.07. While the flaw was patched in version 8.0.07, researchers have found that the patch can be bypassed in version 8.0.11.

Vulnerability in ESC fixed
Cisco has released security updates for a critical vulnerability in Elastic Services Controller (ESC). The flaw can allow an unauthenticated, remote attacker to act against deployments that have the REST API enabled. It is tracked as CVE-2019-1867 and is caused by improper validation of API requests. All instances of Cisco ESC running versions 4.1, 4.2, 4.3 or 4.4 are vulnerable. Users are recommended to update to the latest versions.

Top Scams Reported in the Last 24 Hours

YouTube channel owners targeted
Scammers are targeting YouTube channel owners to steal their credentials. The scam begins with channel owners receiving an email purporting to be from YouTube support. The email warns that their channel does not meet several of the platform's rules. To resolve the matter quickly, the scammers offer to perform a detailed analysis on the owner's behalf. To proceed, the owner is required to provide some information, including the access passwords. Users should therefore treat any online service asking for access to their accounts as a telltale sign of such scams.


Posted on: May 08, 2019