Cyware Daily Threat Intelligence, May 08, 2020


Malicious actors are devising new ways to capitalize on their targeted attacks by mining cryptocurrencies. In the last 24 hours, it was reported that attackers exploited a Salt software vulnerability and a deserialization flaw in Telerik UI for ASP.NET AJAX to deploy cryptominers on systems and servers.

Separately, around 26 million user accounts stolen from HomeChef, ChatBooks, and Chronicle.com were found being offered for sale by a threat actor group named Shiny Hunters. Previously, the group claimed to have sold user records pilfered from Tokopedia, Unacademy, and Microsoft’s GitHub repositories.

Top Breaches Reported in the Last 24 Hours

HomeChef’s stolen data on sale
The Shiny Hunters group, which previously offered databases from Tokopedia, Unacademy, and Microsoft’s GitHub repositories for sale, is now selling user records stolen from HomeChef, ChatBooks, and Chronicle.com. Altogether, the three databases contain 26 million accounts and are priced between $1,500 and $2,500.

Ruhr University Bochum attacked
The Ruhr University Bochum (RUB) shut down its central IT infrastructure after falling victim to cyberattacks between May 6 and May 7, 2020. The university is currently investigating the incident to understand the extent of the attack.

Top Malware Reported in the Last 24 Hours

Flawed Elementor Pro plugin targeted
A vulnerability in the Elementor Pro plugin for WordPress is being abused to compromise websites. The vulnerability, which has a CVSS score of 9.9, can be exploited by attackers to upload arbitrary files and remotely execute code on the affected websites.

Blue Mockingbird campaign
An attack campaign, dubbed Blue Mockingbird, was found exploiting a deserialization vulnerability (CVE-2019-18935) in Telerik UI for ASP.NET AJAX to deploy the XMRig Monero-mining payload on Windows systems. The campaign, which started in December 2019, lasted until April 2020.

Aria-body backdoor
The Naikon APT group, which has been active since at least 2010, is delivering a new backdoor called Aria-body to carry out attacks against other targets. According to researchers, the malware was delivered to the Australian government via an email from a potentially compromised asset at an embassy located in the APAC region.

New trojan variant
Since the end of April 2020, a new trojan variant has been affecting banking users in Portugal. The malware is disseminated via phishing emails that impersonate the Vodafone group.

Top Vulnerabilities Reported in the Last 24 Hours

Salt vulnerability exploited
US startup Algolia has become the latest victim of a Salt vulnerability. Threat actors exploited a recently patched vulnerability, CVE-2020-11651, to install both a cryptocurrency miner and a backdoor on multiple Algolia servers.

Cisco fixes 12 high-severity flaws
Cisco has issued patches for a dozen high-severity flaws found in Adaptive Security Appliance and Firepower Threat Defense software. The updates addressed eight denial-of-service issues, an information disclosure vulnerability, a memory-leak flaw, a path traversal vulnerability, and an authentication bypass flaw.

Stuxnet-type vulnerability
Researchers have uncovered another vulnerability in Schneider Electric software similar to the one exploited by the notorious Stuxnet malware. Tracked as CVE-2020-7489, the flaw has a CVSS score of 8.2. It affects the Schneider SoMachine Basic v1.6 engineering software.

Tags

salt vulnerability
algolia
elementor pro plugin
aria body backdoor
stuxnet type vulnerability
blue mockingbird

Posted on: May 08, 2020
