Cyware Daily Threat Intelligence, May 09, 2019

In a world surrounded by cyber threats, there seems to be a new ray of hope for security researchers who continuously look out for TTPs of dangerous threat actors. A group named Lab Dookhtegan has released the operational details including the hacking tools of two Iran-linked cyberespionage groups - MuddyWater and Rana Institute. The leakers have dumped the source code of the hacking tools and other crucial details of these threat actors on different online channels including Telegram and public hacking forums.

In April 2019, the same Lab Dookhtegan had leaked the complete list of hacking tools, victim data, and identities of another elite Iranian hacker group APT34, also known as OilRig. They had exposed the complete operation of APT34, including the web shells and access details on servers from businesses and governments around the world.

The past 24 hours also saw a major data leak from an unprotected MongoDB database. The misconfigured database exposed 275,265,298 records of Indian citizens. The records contained PII such as name, gender, date of birth, email, contact number, education details, and professional info.

Top Breaches Reported in the Last 24 Hours

Wolters Kluwer tax outage
A malware attack against Wolters Kluwer, a tax accounting software platform, disrupted many of its services on May 6, 2019. This included tax and accounting services and other vital storage services. The attack also affected the various accounting firms that use services from Wolters Kluwer. To prevent the malware from spreading, Wolters Kluwer took many of its systems, including its communications systems, offline. This made it difficult for accountants and IT staff to reach the company for information about the incident.

Unprotected MongoDB
An unprotected MongoDB database has exposed 275,265,298 records of Indian citizens. The exposed data included information such as name, gender, date of birth, email, mobile number, education details, and professional info. A security researcher discovered that this publicly accessible MongoDB instance had been indexed on Shodan on April 23, 2019.

Samsung spills code and secret keys
Samsung has leaked highly sensitive source code, credentials and secret keys on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The leaked folder contained logs and analytics data for Samsung’s SmartThings and Bixby services. Private GitLab tokens of several Samsung employees, stored in plaintext, were also leaked in the incident. The exposed GitLab instance also contained private certificates for SmartThings’ iOS and Android apps.

Top Malware Reported in the Last 24 Hours

A new variant of Dharma ransomware
Security researchers have observed a new variant of Dharma ransomware that uses AV detection tools as a distraction to hide its malicious activity. It is distributed through spam email in the form of a password-protected archive named ‘Defender.exe’. The new variant is detected as RANSOM.WIN32.DHARMA.THDAAAI.

Iranian hackers’ tools leaked
A mysterious entity known as Lab Dookhtegan has leaked major operational details, including the source code of hacking tools, of the MuddyWater hacking group and a new group named ‘Rana Institute’. They shared the details on different online channels, including Telegram and public hacking forums. Apart from this, the group has also released the names, addresses, photos and phone numbers of some members of the Iranian Ministry of Intelligence responsible for state-sponsored cyber attacks.

Kerberods malware
Threat actors are exploiting a Jenkins vulnerability - CVE-2018-1000861 - to deliver Kerberods malware, which is later used to deploy a Monero cryptominer. The vulnerability affects the Stapler HTTP request handling engine. Once installed, the malware attempts to obtain root privileges on the compromised system. After it gains root permission, Kerberods downloads and executes the miner on the machine.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Alpine Linux Docker Image
A vulnerability has been discovered in recent versions of the official Alpine Linux Docker images. All versions before 3.3 are affected by the issue. The CVE number assigned to this vulnerability is CVE-2019-5021, and it has been given a CVSS score of 9.8. Exploiting this vulnerability can allow attackers to gain root access on compromised systems.

Security patches for Android OS released
Google has released a set of security patches for the Android operating system to fix a total of 8 critical vulnerabilities. Of these, 4 are remote code execution flaws, designated CVE-2019-2044, CVE-2019-2045, CVE-2019-2046, and CVE-2019-2047. Two of the 8 flaws are privilege escalation vulnerabilities - CVE-2019-2049 and CVE-2019-2050.

Browser address bar spoofing vulnerability
An address bar spoofing vulnerability in the UC Browser and UC Browser Mini apps for Android can allow attackers to control the URL displayed in the address bar. The vulnerability resides in the way the user interface of both browsers handles a built-in feature that was designed to improve users’ Google search experience. The issue affects UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192.
 
Top Scams Reported in the Last 24 Hours

Amazon falls victim to a massive fraud attack
A new report from Bloomberg has revealed that Amazon fell victim to an extensive fraud attack last year. The scammers stole hundreds of thousands of dollars from the company that was meant for Amazon’s third-party sellers and businesses. The malicious actors reportedly hacked around 100 seller accounts and took the loan money that was intended for business and startup costs. It is unknown how the scammers gained access to these accounts. The fraud was carried out over a period of six months, starting in May 2018. Amazon notified a UK regulator about this incident in November 2018.
