Cyware Daily Threat Intelligence, May 26, 2020


Security researchers have raised the alarm about a new DoS attack. Termed RangeAmp, the technique can take down websites and Content Delivery Network (CDN) servers by abusing HTTP range requests. So far, the researchers have described two variants: the RangeAmp Small Byte Range (SBR) attack and the RangeAmp Overlapping Byte Ranges (OBR) attack.

The past 24 hours also brought new variants of the ComRAT and Sarwent malware. The new ComRAT v4 receives its commands through the Gmail web interface, while the new version of Sarwent lets threat actors gain access to computers through an exposed Remote Desktop Protocol (RDP) port.

Top Breaches Reported in the Last 24 Hours

AIS leaks billions of records
Thailand’s largest cell network, AIS, was found spilling billions of real-time internet records of Thai internet users. The leak was caused by a misconfigured database containing DNS queries and NetFlow data that was reachable from the internet without a password. AIS took the database offline as soon as ThaiCERT made it aware of the exposure.

Databases on sale
Thirty-one SQL databases stolen from e-commerce websites in different countries are being offered for sale by threat actors. Some of the databases date back to 2016. The attackers have demanded a ransom of $525 in Bitcoin from the victim organizations to prevent the sale of their leaked databases.

Top Malware Reported in the Last 24 Hours

ComRAT v4
Turla threat actor group updated its ComRAT backdoor to exfiltrate antivirus logs from victim organizations. The new version, ComRAT v4, was recently used in a cyber espionage campaign targeted against three high-profile entities that included a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe. The malware receives commands through the Gmail web interface.

New Sarwent malware variant  
Security researchers have uncovered a new variant of the Sarwent malware that lets cybercriminals gain access to Windows machines through the Remote Desktop Protocol (RDP) port. The new variant can also create a new Windows user account on an infected system.
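The behaviour described above, a new local account followed by an RDP logon with it, is easy to spot in Windows Security events. The following is an added example (not code from the Sarwent write-up) that correlates two documented event types: 4720 (a user account was created; TargetUserName is the new account) and 4624 with LogonType 10 (RemoteInteractive, i.e. a Remote Desktop logon). The sample events are constructed, and the 24-hour correlation window is an assumed tuning value.

```python
"""
Added example (not from the Sarwent write-up): correlate Windows Security
events to catch a freshly created account that is then used for an RDP logon.

Event IDs used (documented Windows values):
  4720 - a user account was created (TargetUserName = the new account)
  4624 - an account was successfully logged on; LogonType 10 is
         RemoteInteractive, i.e. Remote Desktop.
"""
from datetime import datetime, timedelta

# Constructed sample events, already parsed into flat dictionaries (the shape a
# SIEM or a Windows event XML parser would hand you). Not real logs.
SAMPLE_EVENTS = [
    {"time": "2020-05-25T09:00:00", "host": "WS01", "id": 4624,
     "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"time": "2020-05-25T10:02:11", "host": "WS01", "id": 4720,
     "SubjectUserName": "alice", "TargetUserName": "support"},
    {"time": "2020-05-25T10:05:40", "host": "WS01", "id": 4624,
     "TargetUserName": "support", "LogonType": 10, "IpAddress": "203.0.113.7"},
    {"time": "2020-05-18T08:00:00", "host": "WS02", "id": 4720,
     "SubjectUserName": "itadmin", "TargetUserName": "bob"},
    {"time": "2020-05-25T11:00:00", "host": "WS02", "id": 4624,
     "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.0.5"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_new_account_rdp_logons(events, window=timedelta(hours=24)):
    """Return one alert per RDP (LogonType 10) logon by an account that was
    created on the same host within `window` before the logon.
    The 24 h default is an assumed tuning value."""
    created = {}      # (host, account) -> (creation time, creating account)
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev["TargetUserName"].lower())
        if ev["id"] == 4720:
            created[key] = (_ts(ev), ev.get("SubjectUserName", "?"))
        elif ev["id"] == 4624 and ev.get("LogonType") == 10:
            hit = created.get(key)
            if hit and timedelta(0) <= _ts(ev) - hit[0] <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["TargetUserName"],
                    "created_by": hit[1],
                    "created_at": hit[0].isoformat(),
                    "rdp_logon_at": ev["time"],
                    "source_ip": ev["IpAddress"],
                    "seconds_between": int((_ts(ev) - hit[0]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_account_rdp_logons(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the `support` account on WS01 fires; `bob` on WS02 was created a week before its RDP logon and falls outside the window. With Network Level Authentication enabled the RDP session is preceded by a LogonType 3 event for the same account, but the LogonType 10 event still appears once the interactive session starts, so the rule holds.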

RangeAmp attack
A team of academics has found a new way to launch large-scale DoS attacks. Termed RangeAmp, the technique abuses HTTP range requests to make a CDN amplify the attacker's traffic and congest the network. So far, the team has described two variants: the RangeAmp Small Byte Range (SBR) attack and the RangeAmp Overlapping Byte Ranges (OBR) attack.
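Both variants are visible in the `Range` header itself, so a CDN or WAF can score a request before forwarding it. The following is an added example (not code from the RangeAmp researchers) that parses `Range` headers with RFC 7233 semantics and flags the two shapes: SBR, a tiny range on a large object, which costs a full origin fetch on a CDN that strips `Range` when it fetches from origin; and OBR, many overlapping ranges, which a server that honours each part literally answers with a multipart body far larger than the request. The `REQUEST_OVERHEAD` constant and the 1024-byte "small" threshold are assumed values used only to express the amplification ratio.

```python
"""
Added example (not code from the RangeAmp researchers): parse HTTP Range
headers and flag the two request shapes the attack relies on.

SBR  - a tiny byte range on a large object; a CDN that strips the Range
       header when fetching from origin pulls the whole object.
OBR  - many overlapping ranges; a server that honours each part emits a
       multipart/byteranges body far larger than the request.
"""
import re

# Assumed size of the request line plus Host header, used only to express
# amplification as "bytes triggered per request byte" (constructed value).
REQUEST_OVERHEAD = 80

_RANGE_RE = re.compile(r"^bytes=(.+)$")


def parse_range(header, size):
    """Parse 'bytes=a-b, -n, m-' into inclusive (start, end) pairs clipped to an
    object of `size` bytes (RFC 7233 semantics). Unsatisfiable parts are dropped."""
    m = _RANGE_RE.match(header.strip())
    if not m:
        raise ValueError("only the 'bytes' range unit is supported")
    ranges = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep:
            raise ValueError(f"malformed range spec: {spec!r}")
        if first == "":                       # suffix range: last n bytes
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(size - n, 0), size - 1))
            continue
        start = int(first)
        if start >= size:                     # entirely past the end
            continue
        end = int(last) if last else size - 1
        if end < start:
            raise ValueError(f"inverted range: {spec!r}")
        ranges.append((start, min(end, size - 1)))
    return ranges


def span_bytes(ranges):
    """Bytes a server would emit if it serves every part literally."""
    return sum(end - start + 1 for start, end in ranges)


def has_overlap(ranges):
    """True if any two parts cover a common byte."""
    ordered = sorted(ranges)
    return any(nxt[0] <= cur[1] for cur, nxt in zip(ordered, ordered[1:]))


def classify(header, size, small_bytes=1024):
    """Return (label, amplification).

    amplification is the number of bytes the request causes to move (origin to
    CDN for SBR, server to client for OBR) per byte the attacker sends.
    """
    ranges = parse_range(header, size)
    if not ranges:
        return "unsatisfiable", 1.0
    request_bytes = len("Range: " + header) + REQUEST_OVERHEAD
    served = span_bytes(ranges)
    if len(ranges) > 1 and has_overlap(ranges):
        return "OBR", served / request_bytes
    if served <= small_bytes and size > served:
        # Full-object origin fetch versus the tiny request/response pair.
        return "SBR", size / (request_bytes + served)
    return "ok", 1.0


if __name__ == "__main__":
    big = 10 * 1024 * 1024                      # a 10 MiB object
    for hdr, size in [("bytes=0-0", big),
                      ("bytes=" + ",".join(["0-999999"] * 20), 1_000_000),
                      ("bytes=0-1048575", big)]:
        label, amp = classify(hdr, size)
        print(f"{label:14s} x{amp:,.0f}  {hdr[:40]}")
```

The two mitigations follow directly from the classifier: forward the client's `Range` header to the origin instead of fetching the whole object (removes SBR), and coalesce overlapping parts and cap the number of parts before serving a multipart response, which RFC 7233 explicitly permits (removes OBR).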

Top Vulnerabilities Reported in the Last 24 Hours

Flawed SCADA product
Four vulnerabilities discovered in Emerson OpenEnterprise, a SCADA solution designed for the oil and gas industry, can allow attackers to take control of affected systems. The four flaws stem from a heap-based buffer overflow, missing authentication, improper ownership management, and weak encryption. Two of them are rated critical and are tracked as CVE-2020-6970 and CVE-2020-1064; these two can allow attackers to remotely execute arbitrary code with elevated privileges on devices running OpenEnterprise.


Posted on: May 26, 2020
