Go to listing page

Cyware Daily Threat Intelligence, May 22, 2019

Cyware Daily Threat Intelligence, May 22, 2019

Share Blog Post

Ransomware continues to dominate the cyber threat ecosystem, with threat actors aiming to make a quick buck from ransomware attacks. Lately, security researchers have explored new variants of two prolific ransomware - GandCrab and Satan. While the new variant of GandCrab is delivered via a RAR attachment through a spam email, the new Satan ransomware variant leverages vulnerable web services and applications for propagation.

The new strain of Satan ransomware exploits many vulnerabilities such as JBoss default configuration vulnerability (CVE-2010-0738), WebLogic arbitrary file upload vulnerability (CVE-2018-2894), WebLogic WLS component vulnerability (CVE-2017-10271), Spring Data REST Patch Request flaw (CVE-2017-8046), Spring Data Commons remote code execution vulnerability (CVE-2018-1273) among others.

Security experts have also discovered a new phishing campaign that is distributing a new version of Babylon RAT. The malware variant is written in C# and is capable of harvesting credentials and conducting DoS attacks.

Top Breaches Reported in the Last 24 Hours

Truecaller users data set for sale
Cybercriminals are selling personal data of Truecaller users for as high as 25000 Euros on the dark web. However, data belonging to Indian users are being sold at 2000 Euros. The dataset for sale contains personal identifiers, the state of residence and users’ mobile service providers. It also includes names, phone numbers and email addresses. On the other hand, Truecaller has denied the data breach.

Google’s security lapse
Tech giant Google has disclosed that it accidentally stored G Suite user passwords in plaintext since 2005. The incident occurred due to a bug in G Suite’s password recovery feature for administrators. Apart from G Suite users, the incident has also affected some business and corporate accounts. Upon learning this incident, Google has disabled features which contained this bug.

TalkTalk’s data security failure
Personal details of about 4,545 TalkTalk customers was found available on the internet through Google Search. These customers were the ones who had fallen victim to the company’s 2015 data breach that had impacted nearly 157,000 customers. The details exposed online included full names, addresses, email addresses, dates of birth, phone numbers, and bank details of customers.  

Golfers’ personal data exposed
An unprotected Elasticsearch database has exposed millions of sensitive data points belonging to users of the Game Golf app. The records include GPS details from courses played, usernames, passwords and Facebook IDs of users. Overall, the misconfigured database consisted of details on 134 million rounds of golf, 4.9 million user notifications and 19.2 million records in a folder called ‘activity feed’.

Top Malware Reported in the Last 24 Hours

New Satan ransomware variant
A new variant of Satan ransomware has been found leveraging three new remote code execution vulnerabilities to spread across private and public networks. The three new vulnerabilities are related to the flaws in the Spring Web application framework, the Elasticsearch engine, and ThinkPHP Web application framework. Depending on the port number, the malware variant implements either EternalBlue exploit, Mimikatz, an SSH Brute-Force attack or other web exploits to spread across the targeted port.   

New GandCrab ransomware variant
GandCrab ransomware has resurfaced with another new variant. The variant is detected as Ransom.Win32.GANDCRAB.TIOIBOCX. It spreads via a spam email written in the Korean language. The email contains details about an incorrectly shipped order and a RAR attachment named Fedex-info_2019-05-15_02-24.dok. This attachment, if opened, downloads the malware payloads.

New Babylon RAT variant
Researchers have spotted a new phishing campaign that distributes a new variant of Babylon RAT. The malware sample is written in C# and come with an administration panel written in C++. The malware variant is capable of harvesting credentials and conducting DoS attacks.

iframe-based skimming attack
Hackers are using rogue iframe phishing code into their credit card skimming scripts to pilfer credit/debit card details from Magento-based online stores. The attack process is initiated by injecting the malicious code on every page of the Magento-based shopping site. However, it is only triggered if the URL in the address bar has the shopping cart’s checkout page. If all the conditions are met, a piece of JavaScript is downloaded from ‘thatispersonal[.]com’ for harvesting customers’ financial details.

Top Vulnerabilities Reported in the Last 24 Hours

Mozilla releases updates
Mozilla has released security updates to address vulnerabilities in Firefox 67 and Firefox ESR 60.7. 3 out of 21 vulnerabilities found in Firefox 67 and Firefox ESR 60.7. 3 have been marked ‘critical’. These are CVE-2019-9800, CVE-2019-9814, and CVE-2019-9815. Attackers can exploit these vulnerabilities to take complete control of an affected system.  

Windows 10 zero-day PoC released
A security researcher has published an exploit code on GitHub, for a Windows 10 zero-day vulnerability. The zero-day is a local privilege escalation (LPE) vulnerability and can be used by attackers to elevate their access on compromised hosts from low-privileged to admin-level accounts.

Nokia 6 and 8 updated
HMD Global has released an Android security update to fix an arbitrary code execution vulnerability in two Nokia smartphone series. The flaw can allow a remote attacker to execute arbitrary code within the context of a privileged process. The flaw exists in Nokia’s version 6’s and 8’s Media framework.
Top Scams Reported in the Last 24 Hours

Online trading scam  
The Financial Conduct Authority regulator in collaboration with Action Fraud UK has warned about the rise in the cryptocurrency and foreign exchange-based "get rich quick" scams. More than 1800 such scams have been reported in 2018-2019. Such schemes are usually promoted on social media platforms, urging people to invest a small amount in exchange for a huge return. In order to do this, scammers created fake online trading platforms. Thus, users are advised to be wary about such scams.


gandcrab ransomware
satan ransomware
credit card skimming scripts
babylon rat

Posted on: May 22, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.