Cyware Daily Threat Intelligence, May 21, 2019

The powerful Trickbot trojan, which has been around since 2016, is back with new tricks up its sleeve. Security experts have unearthed a new variant of this banking trojan that is being distributed via a URL redirection technique in a spam email. The variant is dubbed TrojanSpy.Win32.TRICKBOT.THDEAI and is capable of capturing browser history and cookies, injecting malicious code, and collecting system and network information. The spam email appears to contain details about a processed order that is ready for shipping.

The past 24 hours also saw the release of a free decryptor for a newly discovered ransomware named JSWorm 2.0. The malware is written in C++ and uses the Blowfish algorithm to encrypt files. It appends the ‘.JSWORM’ extension to encrypted files and leaves a ransom note named ‘JSWORM-DECRYPT.txt’.

In another big incident, the IT services giant HCL exposed employee data, project details, and other sensitive information online due to a security lapse. The data was openly available on HCL’s human resources portal and its ‘SmartManage’ reporting system. The HR portal exposed crucial information about new employees, such as their names, mobile numbers, joining locations, IDs, joining dates, BGV status, and recruiter names. Upon becoming aware of the issue, the firm quickly took remedial steps and secured the exposed data.

Top Breaches Reported in the Last 24 Hours

HCL leaks sensitive data
IT giant HCL’s HR portal had exposed employee data on the internet. The data was found to be stored without any authentication. The exposed data belonged to new employees and included their usernames, ID numbers, mobile numbers, recruiters, BGV status, joining locations, joining dates, and plaintext passwords. Apart from this, the firm had also leaked customer project details on its SmartManage portal, which included a list of around 2,000 customers. HCL had also exposed the names and SAP codes of over 2,800 employees via openly accessible subdomains. Upon learning of the incident, the firm quickly secured the exposed data.

Instagram data leak
An unprotected AWS bucket leaked over 49 million records belonging to Instagram influencers, celebrities, and brand accounts. The exposed data on Instagram influencers included their bio, profile picture, and number of followers. The database also leaked private contact information of some Instagram account owners, such as their email addresses, locations, and phone numbers. Reports claim that the misconfigured database belonged to an India-based social media marketing firm named Chtrbox. Shortly after the discovery, Chtrbox pulled the database offline.

Top Malware Reported in the Last 24 Hours

W97M downloader malware
Recent investigations show that a new variant of the W97M downloader malware is being distributed via compromised websites using a custom PHP dropper. The dropper is hosted on multiple CMS platforms, including Magento, WordPress, and Joomla. The new variant of W97M is used to drop ransomware such as TeslaCrypt and banking trojans such as Dridex and Vawtrak.

New variant of Trickbot
A new variant of the Trickbot trojan has been found to be distributed via a URL redirection technique. The malware is tracked as TrojanSpy.Win32.TRICKBOT.THDEAI and is capable of carrying out several malicious activities, including stealing browser data and credentials. It is also capable of capturing system and network information.

EternalBlue-based attacks rise
ESET’s research has revealed that hundreds of thousands of EternalBlue-based attacks are being blocked daily. Despite the release of security patches, data from Shodan showed that almost a million machines could still be compromised by EternalBlue. The exploit was allegedly stolen from the NSA in 2016 and leaked online on April 14, 2017. It targets a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol.

Free decryptor for JSWorm 2.0 ransomware
Emsisoft has released a free decryptor for the new JSWorm 2.0 ransomware. The ransomware is written in C++ and uses the Blowfish algorithm. After encryption, the ransomware appends the ‘.JSWORM’ extension to encrypted files and leaves a ransom note named ‘JSWORM-DECRYPT.txt’.
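The two file-system indicators the digest gives for JSWorm 2.0 (the ‘.JSWORM’ extension on encrypted files and the ‘JSWORM-DECRYPT.txt’ ransom note) are enough to triage a host before running the decryptor. The following scanner is an added example, not Cyware’s or Emsisoft’s code; it walks a directory tree, collects both indicators, and reports which directories were touched. The sample directory it builds is constructed for the demonstration.

```python
"""Triage scan for JSWorm 2.0 file-system indicators.

Added example (not from the digest or from Emsisoft). It relies only on the
two indicators named in the digest: the '.JSWORM' extension appended to
encrypted files and the ransom note 'JSWORM-DECRYPT.txt'. The sample
directory tree is constructed in a temp directory.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".JSWORM"
RANSOM_NOTE = "JSWORM-DECRYPT.txt"


def scan_for_jsworm(root):
    """Walk `root` and report encrypted files, ransom notes and affected dirs."""
    encrypted, notes, affected_dirs = [], [], set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Case-insensitive suffix match; JSWorm may insert an ID before it.
            if name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                affected_dirs.add(dirpath)
            elif name == RANSOM_NOTE:
                notes.append(path)
                affected_dirs.add(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_directories": sorted(affected_dirs),
        # Both indicators together are the strong signal; a lone note could
        # simply be a copy someone saved while investigating.
        "infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Create a constructed tree resembling a hit machine; return its root."""
    root = tempfile.mkdtemp(prefix="jsworm_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.JSWORM").write_bytes(b"\x00constructed ciphertext\x00")
    (docs / RANSOM_NOTE).write_text("constructed ransom note text\n")
    (Path(root) / "notes.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scan_for_jsworm(sample_root)
    print(f"infected: {report['infected']}")
    print(f"encrypted files: {len(report['encrypted_files'])}")
    print(f"ransom notes:    {len(report['ransom_notes'])}")
    for d in report["affected_directories"]:
        print(f"affected dir: {d}")
```

Run the scan against the real root of a user profile or file share rather than the constructed tree to get a list of directories to hand to the decryptor; the ‘infected’ flag deliberately requires both indicators so a stray copy of the ransom note on its own is not treated as an infection.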

Top Vulnerabilities Reported in the Last 24 Hours

BlueKeep vulnerability
Security researchers have created exploit code for a remote code execution vulnerability in Microsoft’s Remote Desktop Services. The vulnerability, tracked as CVE-2019-0708, is named BlueKeep. The flaw, which has a CVSS score of 9.8, can allow attackers to gain remote access to computers and to an entire network. Microsoft has released a security patch to address this critical flaw.

Privilege escalation vulnerability
A privilege escalation vulnerability has been discovered in the Linux kernel’s implementation of Reliable Datagram Sockets (RDS). Tracked as CVE-2019-11815, the flaw can lead to memory corruption and privilege escalation. It has a CVSS score of 8.1. Linux kernel versions prior to 5.0.8 are affected.
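A quick way to turn the facts above (affected before 5.0.8, flaw in the RDS code) into an exposure check is to compare the running kernel version with 5.0.8 and see whether the rds module is actually loaded. The script below is an added example, not from the digest or the kernel project; it works on text you feed it (a `uname -r` string and `/proc/modules` content, both constructed here) so it runs anywhere, and reads the live system only when asked. The fixed-in version is taken from the digest; the caveat in the comments, that distribution kernels backport fixes without changing the version number, is the author’s own note.

```python
"""Exposure check for CVE-2019-11815 (Linux RDS, fixed upstream in 5.0.8).

Added example, not from the digest or the Linux kernel project. Version and
module inputs are plain strings so the logic can be exercised offline; the
sample /proc/modules text below is constructed.
"""
import os
import platform
import re

FIXED_IN = (5, 0, 8)  # from the digest: versions prior to 5.0.8 are affected

# Constructed /proc/modules content: "name size refcount deps state address"
SAMPLE_MODULES_LOADED = """\
rds 200704 1 rds_tcp, Live 0x0000000000000000
rds_tcp 24576 0 - Live 0x0000000000000000
xfs 1200128 2 - Live 0x0000000000000000
"""
SAMPLE_MODULES_CLEAN = """\
xfs 1200128 2 - Live 0x0000000000000000
e1000e 270336 0 - Live 0x0000000000000000
"""


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '4.19.37-generic' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def rds_module_loaded(proc_modules_text):
    """True if rds (or any rds_* transport, which pulls rds in) is loaded."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and (fields[0] == "rds" or fields[0].startswith("rds_")):
            return True
    return False


def assess(release, proc_modules_text):
    """Classify a host from its kernel release string and /proc/modules text."""
    version = parse_kernel_version(release)
    patched = version >= FIXED_IN
    loaded = rds_module_loaded(proc_modules_text)
    if patched:
        status = "patched"
    elif loaded:
        status = "vulnerable-module-loaded"
    else:
        # Module not loaded now, but it may autoload on first RDS socket use,
        # so the kernel still needs the update (or a modprobe blacklist).
        status = "vulnerable-module-not-loaded"
    # Caveat: distro kernels backport fixes without bumping the version, so a
    # "vulnerable" verdict here means "check the vendor advisory", not proof.
    return {"kernel": version, "patched": patched, "rds_loaded": loaded, "status": status}


def assess_live():
    """Assess the machine this runs on; returns None off Linux."""
    if platform.system() != "Linux" or not os.path.exists("/proc/modules"):
        return None
    with open("/proc/modules", encoding="utf-8") as fh:
        return assess(platform.release(), fh.read())


if __name__ == "__main__":
    for rel, mods in [("4.19.37-generic", SAMPLE_MODULES_LOADED),
                      ("4.19.37-generic", SAMPLE_MODULES_CLEAN),
                      ("5.0.8", SAMPLE_MODULES_LOADED)]:
        print(rel, assess(rel, mods)["status"])
    live = assess_live()
    print("this host:", live["status"] if live else "not Linux")
```

The version comparison is deliberately only a first filter: on distribution kernels the authoritative answer comes from the vendor’s advisory for CVE-2019-11815, and the module check is what tells you whether the vulnerable code path is reachable right now.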

ZombieLoad vulnerability
ZombieLoad, or Microarchitectural Data Sampling, is the latest side-channel vulnerability affecting Intel CPUs. The nature of the attack is similar to Meltdown and Spectre, which were disclosed in 2018. The vulnerability can allow attackers to steal personal information from affected systems. AMD chipsets are not affected by the flaw. Meanwhile, Apple has recommended that Mac users disable hyper-threading on the CPU as a mitigation. In addition, it has advised users to apply the updates for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.4.
