Cyware Daily Threat Intelligence, May 22, 2020


Video-conferencing app installers have become the latest lure for dropping malware. Fake Zoom installers are now being used to deliver a backdoor and the Devil Shadow botnet to victims' devices. Meanwhile, the operators of RagnarLocker ransomware have added a new evasion technique: running the ransomware inside a virtual machine so that it never executes as a process on the compromised host, where endpoint security software would see it.

In the past 24 hours, a new class of vulnerabilities called Spectra has been disclosed affecting wireless chipsets. The attacks target the combo chips that host both Wi-Fi and Bluetooth in laptops, smartphones, and tablets, exploiting the coexistence mechanisms the two radios use to share antenna and spectrum as a side channel between them.

Top Breaches Reported in the Last 24 Hours

2.3 million citizens’ data breached
A threat actor leaked the personal and electoral data of 2.3 million Indonesian citizens. The records include full names, addresses, registration numbers, family card numbers, dates of birth, and places of birth. The data appears to have been taken from the official website of Indonesia's General Elections Commission (KPU).

Santander Consumer Bank files exposed
A security issue on a Santander Consumer Bank website allowed outsiders to view sensitive files, including an SQL dump and a JSON file related to the company, which had been indexed by search engines. The bank stated that no customer data or other critical information was exposed.

Top Malware Reported in the Last 24 Hours

Agent Tesla campaign
Security researchers have spotted a new malicious campaign targeting Italian manufacturing companies that operate worldwide. The infection chain starts with a Microsoft PowerPoint document weaponized with malicious macros, and the campaign delivers the Agent Tesla infostealer as its final payload.

New PipeMon backdoor
The notorious Winnti threat actor group is targeting the video game industry with a new backdoor, PipeMon, with victims including game developers in South Korea and Taiwan. PipeMon does not rely on a vulnerability for persistence; it abuses a legitimate Windows mechanism by registering its malicious DLL as a print processor, so that the Print Spooler service, which runs as SYSTEM, loads the backdoor on every boot. The malware is signed with a digital certificate stolen from a video game company that was compromised in late 2018.
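
Print processors are a quiet persistence location, so they are worth checking on any host in scope. The script below is an added example, not code from the Cyware briefing or from ESET's PipeMon research: it parses a registry export of the Print Processors key and flags anything other than the stock winprint/winprint.dll pair. The key paths are the real ones the spooler reads; the sample .reg text, its non-default entry names and its DLL names are constructed for the demo.

```python
"""Hunt a registry export for print processors that Windows did not ship.

Added example, not code from the Cyware briefing or from ESET's PipeMon
research. PipeMon-style persistence registers a DLL under the Print
Processors key so that the Print Spooler (spoolsv.exe, running as SYSTEM)
loads it. The key paths below are the real ones the spooler reads; the
SAMPLE_REG text and its non-default entry names and DLL names are
constructed for this demo.
"""
import re
from dataclasses import dataclass

# Windows ships exactly one print processor, winprint, backed by winprint.dll
# in %SystemRoot%\System32\spool\prtprocs\<arch>\ (assumption: a stock host).
KNOWN_GOOD = {"winprint": "winprint.dll"}

PRINT_PROC_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control"
    r"\\Print\\Environments\\(?P<arch>[^\\]+)\\Print Processors\\(?P<name>[^\\\]]+)\]$",
    re.IGNORECASE,
)
DRIVER_RE = re.compile(r'^"Driver"="(?P<dll>.*)"$')

# Constructed .reg export: one stock entry, one unknown name, one hijacked winprint.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\PrintFilterSvc]
"Driver"="spoolext.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint]
"Driver"="C:\\Windows\\Temp\\upd.dll"
"""


@dataclass
class Finding:
    arch: str
    name: str
    dll: str
    reason: str


def parse_print_processors(reg_text: str) -> dict:
    """Map (architecture, print-processor name) -> Driver DLL value from a .reg export."""
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a key header; only track Print Processors subkeys
            m = PRINT_PROC_RE.match(line)
            current = (m.group("arch"), m.group("name")) if m else None
            if current:
                entries.setdefault(current, "")
            continue
        if current:
            m = DRIVER_RE.match(line)
            if m:                           # .reg escapes backslashes as \\
                entries[current] = m.group("dll").replace("\\\\", "\\")
    return entries


def hunt(reg_text: str) -> list:
    """Flag print processors that are not the stock winprint/winprint.dll pair."""
    findings = []
    for (arch, name), dll in parse_print_processors(reg_text).items():
        expected = KNOWN_GOOD.get(name.lower())
        if expected is None:
            findings.append(Finding(arch, name, dll, "print processor name not shipped with Windows"))
        elif dll.lower() != expected:
            findings.append(Finding(arch, name, dll, f"Driver for {name} is not {expected}"))
        if "\\" in dll or "/" in dll:
            findings.append(Finding(arch, name, dll, "Driver is a path, not a bare DLL name in prtprocs"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"[{f.arch}] {f.name} -> {f.dll}: {f.reason}")
```

Run it against the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments" printenv.reg` from a suspect host; any finding warrants pulling the named DLL from the prtprocs directory for analysis, since a print processor entry is rarely touched by legitimate software after install.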

RagnarLocker gang evolves
The operators of RagnarLocker are hiding the ransomware inside a Windows XP virtual machine running under Oracle VirtualBox, so that the encryption process runs in the guest rather than as a host process that endpoint security software can inspect. The 122 MB installer package is downloaded from an external server by a Group Policy Object (GPO) task.
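
A hypervisor appearing on an endpoint that has no business running one is the detection opportunity here. The script below is an added example, not code from the Cyware briefing or from the research that documented the RagnarLocker technique: it runs three simple hunts over constructed Sysmon-style process-creation events, flagging VirtualBox binaries outside Oracle's default install directory, headless VM starts, and MSI installs from a remote source. The event paths and hosts are invented; only the VirtualBox binary names and default directory are real.

```python
"""Hunt process-creation telemetry for a hypervisor being used to hide a payload.

Added example, not code from the Cyware briefing or from the research that
documented RagnarLocker's VirtualBox trick. EVENTS is a constructed list of
Sysmon Event ID 1-style records (Image, CommandLine, ParentImage) with
invented paths and hosts; the only real constants are the VirtualBox
binary names and Oracle's default 64-bit install directory (assumption:
a stock install, no relocated VirtualBox).
"""
import re

VBOX_BINARIES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe", "vboxsdl.exe"}
VBOX_DEFAULT_DIR = "c:\\program files\\oracle\\virtualbox\\"
# MSI source that is a URL or a UNC path rather than a local file.
REMOTE_MSI_SRC = re.compile(r"(?:https?://|\\\\[^\\]+\\)", re.IGNORECASE)

EVENTS = [
    {   # benign developer VM started from the normal GUI
        "Image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
        "CommandLine": r'"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe" --startvm devbox',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # MSI pulled from a network location, as a GPO-pushed installer would be
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i \\198.51.100.20\share\setup.msi /qn",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # headless VM start from a directory that is not VirtualBox's own
        "Image": r"C:\Program Files (x86)\SomeVendor\VBoxHeadless.exe",
        "CommandLine": r'"C:\Program Files (x86)\SomeVendor\VBoxHeadless.exe" --startvm box1',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of reasons this single event is worth a look (empty if none)."""
    image = event["Image"]
    cmd = event.get("CommandLine", "")
    name = basename(image)
    reasons = []
    if name in VBOX_BINARIES and not image.lower().startswith(VBOX_DEFAULT_DIR):
        reasons.append("VirtualBox binary running outside the default install directory")
    if name == "vboxheadless.exe" and "--startvm" in cmd.lower():
        reasons.append("headless VM start: no console window for the user to notice")
    if name == "msiexec.exe" and REMOTE_MSI_SRC.search(cmd):
        reasons.append("MSI installed from a remote source")
    return reasons


def hunt(events: list) -> list:
    """Flatten (Image, reason) pairs across all events."""
    return [(e["Image"], r) for e in events for r in evaluate(e)]


if __name__ == "__main__":
    for image, reason in hunt(EVENTS):
        print(f"{image}: {reason}")
```

The rules are deliberately coarse: on a fleet where VirtualBox is not a sanctioned tool, the mere presence of any VBox binary is the alert, and the path and headless checks matter most on developer machines where the product is expected.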

Devil Shadow botnet
Cybercriminals are distributing fake Zoom installers that bundle a backdoor and the Devil Shadow botnet alongside the legitimate client. The goal is to gain remote access to, and control of, victims' computers.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco releases update
Cisco has released updates for the Unified Contact Center Express (Unified CCX) platform to address a critical Java deserialization vulnerability in its remote management interface. An unauthenticated remote attacker could exploit it to execute arbitrary code on the device, for example to install malware.

Buggy Signal app
A vulnerability in the Signal app could allow an attacker to learn a user's approximate location. The bug lies in how Signal's WebRTC code handled DNS lookups: hostnames supplied in an incoming call's connection candidates were resolved before the user answered, so an attacker who simply placed a call could observe which DNS server the victim's device used and infer where they were. Signal has fixed the issue in a new release of the app.

New Spectra attack
Academics have disclosed Spectra, a new class of attacks against the combo chips that host both Wi-Fi and Bluetooth in laptops, smartphones, and tablets. The attacks abuse the coexistence interfaces through which the two radios share antenna and spectrum, turning them into a side channel that lets one wireless stack observe, and leak data from, the other.

Authentication bypass flaw
The Epson EB-1470UI projector is affected by an authentication bypass vulnerability, tracked as CVE-2020-6091. An attacker can exploit it by tricking a user into opening a specially crafted web page.

Tags

ragnarlocker ransomware
spectra attack
santander consumer bank
devil shadow botnet
fake zoom installers

Posted on: May 22, 2020
