Cyware Daily Threat Intelligence, May 23, 2019

When no backups exist, losing important files to a ransomware infection can have dire consequences. If a decryptor for that ransomware family is available, however, both organizations and individuals can recover their data without paying. Security researchers have now released a free decryptor for a newly discovered ransomware named GetCrypt. The ransomware is spread by the RIG exploit kit and encrypts a victim's files with a combination of Salsa20 and RSA-4096, then appends a random four-character extension to each file. GetCrypt does not encrypt Windows systems whose system language is Ukrainian, Belarusian, Russian or Kazakh.

Several vulnerabilities were also reported by security experts in the past 24 hours. In one of the larger disclosures, a total of 40 vulnerabilities were found in 10 South Korean ActiveX controls, including a variety of buffer overflows. These vulnerable ActiveX controls are still in use on websites belonging to government entities, banks, and universities.

Cisco products have been found vulnerable to a newly disclosed flaw named Thrangrycat. It affects the Trust Anchor module (TAm), the hardware root of trust used widely across Cisco's enterprise routers, switches, and firewalls. An attacker who already has root access on a device can use the flaw to bypass Cisco's Secure Boot mechanism and persist malware that evades detection.

Top Breaches Reported in the Last 24 Hours

Spotify resets passwords
Music streaming giant Spotify has notified an unspecified number of users that their passwords have been reset following the detection of some suspicious activity. It is unknown whether the threat actors stole personal data of users. The company, on the other hand, has clarified that it was a part of its ongoing maintenance efforts to combat fraudulent activity.

Georgia Tech data breach
Georgia Institute of Technology is notifying students, faculty, alumni and affiliates about a data breach that occurred between December 14, 2018 and March 22, 2019. The incident affected a total of 1.26 million individuals. As a security measure, the institute is providing credit monitoring and identity theft protection services to individuals whose Social Security numbers were compromised. The breach occurred after attackers exploited a vulnerability in one of the institute's web applications.

Updates on Baltimore’s ransomware attack
Baltimore’s government is still working on restoring the systems that were infected in a massive ransomware attack on May 7, 2019. Upon discovery, the city immediately notified the FBI and took systems offline to prevent the ransomware from spreading further. Due to the attack, voice mail, a parking fines database and a system used to pay water bills, property taxes and vehicle citations, stopped working. It is speculated that RobbinHood ransomware was used in the attack.   

Top Malware Reported in the Last 24 Hours

Decryptor for GetCrypt ransomware
A free decryptor is now available for files encrypted by GetCrypt ransomware. GetCrypt is distributed via the RIG exploit kit and uses two algorithms, Salsa20 and RSA-4096, to encrypt the victim's files. After encryption, it drops a ransom note named '# DECRYPT MY FILES #.txt'. The ransomware appends the encrypted files with a random four-character extension that is unique to each victim.
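The two indicators the write-up gives for GetCrypt (the ransom note name and a single random four-character extension applied across a victim's files) are enough for a quick host triage. The following is an added example, not code from Cyware or from any decryptor vendor: it walks a directory tree, records where the ransom note appears, counts files per unfamiliar four-character extension, and flags the tree when a note is present and one such extension dominates. The allow-list of legitimate four-character extensions and the sample directory layout are constructed for the demo and are assumptions, not part of the original report.

```python
"""Triage helper for GetCrypt-style encryption (added example, not vendor code).

Indicators taken from the write-up: ransom note '# DECRYPT MY FILES #.txt' and
encrypted files renamed with one random four-character extension per victim.
"""
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "# DECRYPT MY FILES #.txt"
# Four alphanumeric characters after the final dot, e.g. 'report.pdf.kqxd'.
FOUR_CHAR_EXT = re.compile(r"\.([A-Za-z0-9]{4})$")
# Assumed allow-list of common legitimate 4-char extensions; extend as needed.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "yaml", "toml"}


def scan_tree(root):
    """Return (note_dirs, ext_counts): directories holding the ransom note and
    a per-extension count of files whose final extension is an unfamiliar
    four-character token."""
    note_dirs = []
    ext_counts = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            m = FOUR_CHAR_EXT.search(name)
            if m and m.group(1).lower() not in KNOWN_EXTS:
                ext_counts[m.group(1)] += 1
    return note_dirs, ext_counts


def getcrypt_verdict(root, min_files=5):
    """Flag the tree when a ransom note is present and one unfamiliar
    four-character extension covers at least `min_files` files. The threshold
    keeps a lone odd file (e.g. a vendor-specific format) from tripping it."""
    note_dirs, ext_counts = scan_tree(root)
    if not ext_counts:
        return {"suspicious": False, "extension": None, "count": 0,
                "notes": len(note_dirs)}
    ext, count = ext_counts.most_common(1)[0]
    suspicious = bool(note_dirs) and count >= min_files
    return {"suspicious": suspicious, "extension": ext if suspicious else None,
            "count": count, "notes": len(note_dirs)}


def build_demo_tree():
    """Constructed sample: a few normal files plus GetCrypt-style output."""
    root = tempfile.mkdtemp(prefix="getcrypt_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ["a.docx", "b.xlsx", "notes.txt"]:   # legitimate files
        open(os.path.join(docs, name), "w").close()
    for i in range(6):                                # 'encrypted' files
        open(os.path.join(docs, f"file{i}.pdf.kqxd"), "w").close()
    open(os.path.join(docs, RANSOM_NOTE), "w").close()  # the ransom note
    return root


if __name__ == "__main__":
    print(getcrypt_verdict(build_demo_tree()))
```

Run it against a suspect share or user profile; a positive verdict tells you which extension to look for when selecting files for the decryptor, and the note locations show how far the encryption spread.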

New details on Shade ransomware
Shade ransomware, first spotted in late 2014, has been distributed through malicious spam and exploit kits. Most of its victims are in the United States, Japan, India, Thailand, and Canada, and the most-targeted industries in those countries are high-tech companies, wholesale retailers and education. Findings from January through March 2019 reveal 307 Shade ransomware samples spread over 6,536 sessions.

CrySIS ransomware’s activity increases
CrySIS, also known as Dharma ransomware, has become increasingly active lately. Researchers observed a 148% increase in the ransomware's activity between February and April 2019. The ransomware primarily targets Windows systems and is distributed via malicious attachments in spam emails.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Slimstat plugin
The Slimstat WordPress plugin is vulnerable to a cross-site scripting flaw that lets an attacker inject arbitrary JavaScript into the plugin's access log view, where it executes in the browser of an administrator reviewing the logs. Versions prior to 4.8.1 are affected. Users running vulnerable versions are urged to update as soon as possible.

Vulnerable South Korean ActiveX controls
Security researchers have discovered 40 security issues in 10 South Korean ActiveX controls. These vulnerable controls are still used by many websites belonging to government agencies, banks, and universities. The flaws include several types of buffer overflow and unsafely exposed functionality.

PoC for two more Microsoft zero-days published
A security researcher who goes by the name SandboxEscaper has published proof-of-concept code for two more Microsoft zero-day vulnerabilities on GitHub. One of the flaws exists in the Windows Error Reporting service and can be exploited via a carefully timed DACL operation. The second flaw affects Internet Explorer 11.

Thrangrycat vulnerability
Thrangrycat is a newly disclosed vulnerability in the Trust Anchor module used in Cisco routers and other network devices. By modifying the FPGA bitstream that implements the module, an attacker can subvert the hardware root of trust, bypass Secure Boot and deploy implants that survive reboots without being detected. Exploitation requires root access on the device, which the researchers obtained in their demonstration by chaining the flaw with a command-injection bug in the IOS XE web interface.

Top Scams Reported in the Last 24 Hours

ANZ bank customers tricked
Australia and New Zealand Banking Group customers are being tricked into revealing their personal information in a new scam. It relies on a phishing email warning recipients that their accounts have been locked following an 'unauthorized debit' to Energy PRO Australia Ltd. Victims are then asked to click a link to unlock their accounts; the link leads to a page the scammers use to harvest personal information. Customers are advised to be wary of such emails and not to share personal information, since banks never ask for confidential details this way.


crysis ransomware
shade ransomware
getcrypt ransomware
thrangrycat vulnerability

Posted on: May 23, 2019