Cyware Daily Threat Intelligence, May 15, 2020


The cyber threat landscape is rapidly evolving as threat actors continue to launch sophisticated malware with a myriad of malicious intentions. Details about two new trojans used in different cyberespionage campaigns have emerged in the last 24 hours. While one of them, built from the source code of COMPFun RAT, targeted diplomats in Europe, the newly discovered QNodeService trojan used a fake COVID-19 tax relief theme as a lure to target users.

A campaign attributed to Hoaxcalls and Mirai botnets also surfaced in the past 24 hours. These botnets exploited a post-authentication remote code execution vulnerability in Symantec Secure Web Gateway to launch attacks.

Meanwhile, Microsoft revealed that threat actors have evolved their phishing campaigns to mimic the updated sign-in pages of Azure AD and Office 365.

Top Breaches Reported in the Last 24 Hours

550 million records on sale
A hacker has put stolen databases from 29 firms up for sale on a hacker forum. These databases contain as many as 550 million user records. Investigation indicates that none of these databases were compromised recently. Some of the affected companies include Tokopedia, Shein, CafePress, Evite, Wego, and EatStreet.

Elexon attacked
Elexon has been hit by a cyberattack that impacted its internal network and employee laptops. The company’s email server was also affected and has been taken down. The attack is believed to have been triggered via an outdated version of Pulse Secure VPN.

Bernard Township attacked
Bernard Township’s computers were knocked offline in a ransomware attack. Following this, the township’s website was also taken offline.

Top Malware Reported in the Last 24 Hours

Mikroceen malware
Researchers from ESET and Avast together foiled a campaign that targeted government institutions and two companies in the telecommunications and gas sectors. A set of three backdoors, collectively called Mikroceen, was discovered in the attacks. They allowed the attacker to modify and delete files, take screenshots, manipulate services and processes, run console commands, and deploy a self-delete routine.

ProLock ransomware evolves
ProLock ransomware, which is behind the attacks on Diebold Nixdorf, has evolved so that its capabilities now match those of Sodinokibi and Maze ransomware. To breach victims, ProLock relies on distribution alongside the QakBot trojan and accesses its targets via public-facing remote desktop servers. Like other ransomware operators, ProLock operators first steal data from a compromised network and later encrypt the files with unique extensions.

Trojan revived from COMPFun RAT
A new trojan built from the source code of COMPFun RAT was detected using spoofed visa applications to target diplomats in Europe. The malware is capable of capturing keystrokes, taking screenshots, and monitoring USB devices. It receives commands from the C2 server in the form of HTTP status codes.

QNodeService trojan
QNodeService is a newly discovered trojan written in Node.js. The malware was detected in a COVID-19 themed phishing email attack that delivered a Java downloader named ‘Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar’. The malware’s functionality includes downloading and uploading files, stealing login credentials, and performing malicious file management.

Botnets attack
The operators of the Hoaxcalls and Mirai botnets came together for a campaign that exploited a post-authentication remote code execution vulnerability in Symantec Secure Web Gateway 5.0.2.8. The first observed exploitation of this vulnerability, carried out by the Hoaxcalls botnet, came to notice on April 24, 2020.

Top Vulnerabilities Reported in the Last 24 Hours

Faulty patch
A patch issued by Microsoft in February for an RDP flaw has opened room for new attacks. Attackers can take advantage of the underlying issue to access sensitive information on a system, modify critical files, steal password files, expose the source code of web applications, and carry out other malicious tasks. The problem resides in an API and is related to the previously patched CVE-2020-0655 vulnerability.

PAN-OS updated
Palo Alto Networks has patched over two dozen vulnerabilities in PAN-OS. The most serious flaw is CVE-2020-2018, with a CVSS score of 9. Vulnerabilities fixed in the latest version of PAN-OS include privilege escalation, cross-site request forgery, authentication bypass, and remote code execution.

Flaws in Cyberoam devices
Two critical flaws found in Cyberoam firewall and VPN devices exposed thousands of networks to hacking attacks and device takeovers. The first vulnerability was found in the FirewallOS of Cyberoam SSL VPNs, while the second was related to default passwords. The firm has addressed both flaws by issuing security updates.

Top Scams Reported in the Last 24 Hours

Scammers steal $10 million
Scammers made off with $10 million after tricking Norfund, Norway’s sovereign investment fund, in a BEC scam that lasted several months. The scammers pulled it off by impersonating an individual authorized to wire large sums of money through DNB, the bank Norfund uses for these operations. As a result, cash meant for a Cambodian company was redirected to an account in Mexico.

DHL phishing scam
A scam based on a fake DHL delivery notification has been doing the rounds. It originates with a phishing email informing recipients that a package is on the way and can be tracked by clicking a link included in the email.

Mimicking the new Azure and Office 365
Microsoft reports that threat actors have adapted their phishing campaigns to spoof the updated Azure AD and Microsoft Office 365 sign-in pages. In one such phishing attempt, the attackers sent perfectly mimicked Azure AD and Microsoft 365 sign-in pages via an email with the subject line ‘Business Document Received.’


Posted on: May 15, 2020
