Cyware Daily Threat Intelligence, May 11, 2020


Sometimes the mitigation steps deployed to contain one issue open the door to a new one, and this is what happened with computers whose Thunderbolt ports were disabled. The security measure proposed in 2019 to counter the Thunderclap flaw can now be abused to conduct a Thunderspy attack. The newly discovered attack affects all computers manufactured before 2019.

Meanwhile, the Sodinokibi ransomware has enhanced its infection capabilities by adding new encryption modules. In an attempt to affect victims severely, the ransomware will be encrypting files that are already locked by other ongoing processes.

A hacker group has been found distributing the ClodCore trojan via cracked game software to infect Russian and Ukrainian users.

Top Breaches Reported in the Last 24 Hours

Nearly 4 million users' data leaked
The credentials of nearly 4 million MobiFriend users were leaked on a hacking forum. The leaked data included birth dates, gender, website activity, mobile numbers, usernames, email addresses, and MD5-hashed passwords. The data was originally posted on the forum for sale in January, but was later made freely available to all.

Stadler discloses a data breach
Rail vehicle manufacturer, Stadler, disclosed a security breach that might have resulted in the compromise of the company’s data. An internal investigation revealed that intruders had compromised the IT network of the company and deployed malware on some of its machines.

DigitalOcean exposes data
DigitalOcean inadvertently exposed some of its customers’ data after a document from 2018 was unintentionally made available on the internet. The document contained email addresses, account names, bandwidth usage, and the amount paid during 2018 by those users.

Top Malware Reported in the Last 24 Hours

ClodCore trojan
Researchers have uncovered that a hacker group is spreading the ClodCore trojan through a variety of cracked game software. Once the trojan is installed, the operators use the C2 server to deliver cryptocurrency mining payloads. The attack campaign has widely affected computers in Russia and Ukraine.

Sodinokibi evolves
The Sodinokibi ransomware has evolved to add a new feature that allows it to encrypt more of a victim's files, including those that are opened and locked by another process. To do this, the ransomware uses the Windows Restart Manager API to close the processes, or shut down the Windows services, that are keeping a file open so that the file can be encrypted.

Top Vulnerabilities Reported in the Last 24 Hours

Thunderspy attack
A newly detected Intel Thunderbolt flaw can lead to a so-called Thunderspy attack on millions of PCs. The flaw affects computers manufactured before 2019 and can be exploited in less than five minutes. Experts highlight that the flaw can also enable evil maid attacks on affected computers.

Flawed Oracle iPlanet Web Server
Two vulnerabilities impacting Oracle iPlanet Web Server can result in sensitive data exposure and limited injection attacks. The flaws are tracked as CVE-2020-9315 and CVE-2020-9314. Since Oracle no longer supports the affected iPlanet Web Server 7.0.x branch, it will not issue security patches to fix the bugs.


Posted on: May 11, 2020
