Cyware Daily Threat Intelligence, May 29, 2020


The notorious TrickBot has a new trick up its sleeve for evading detection. The creators of the trojan have replaced one of its propagation modules, ‘mworm’, with a new one, ‘nworm’. This enables the trojan to avoid security checks on an infected Domain Controller (DC).

Coming to vulnerabilities, it has been found that hackers abused vulnerable SaltStack software to breach six Cisco servers. Earlier, the same vulnerability was exploited to hack LineageOS servers and the Ghost blogging platform.

Top Breaches Reported in the Last 24 Hours

Taiwanese citizens’ data leaked
A threat actor named ‘Toogod’ has dumped a database containing 3.5 GB of Taiwanese users’ data on the dark web. According to the actor, the leak is from 2019 and includes full names, home addresses, gender, birth dates, and identification details of over 20 million people.

Minted discloses a data breach
Minted, a U.S.-based marketplace for independent artists, has disclosed a data breach after a hacker sold a database containing 5 million user records on an underground market forum. The database was offered for sale at $2,500 and included users’ email addresses and Blowfish-hashed passwords.

Industrial suppliers attacked
Kaspersky’s ICS CERT unit has reported a series of cyberattacks against industry suppliers in Japan, Italy, Germany, and the UK. The first attack was spotted in early 2020. These attacks are conducted using customized phishing emails written in different languages.

Bigfooty’s data leak
A popular online AFL forum, Bigfooty, has exposed about 70 million records online, including private conversations. The leaked data includes the names of some Australian police officers and government employees.

NTT reveals data breach
NTT has revealed a data breach that impacted the data of some 600 customers. The hackers had gained access to the data via Active Directory services on May 7. The Active Directory deployment was accessed remotely and then used internally as a stepping stone to access other systems.

Top Malware Reported in the Last 24 Hours

TrickBot evolves
TrickBot trojan’s evasion capability has been improved by replacing the ‘mworm’ module with ‘nworm’. An infection delivered through ‘nworm’ leaves no artifacts on an infected Domain Controller (DC), and the malware disappears once the system reboots or shuts down.

Android.FakeApp.176
A fraudulent campaign that misleads mobile device owners into downloading a fake Valorant game app via a YouTube video has been uncovered. The fake app leads to the download of Android.FakeApp.176 onto the victim’s phone.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed SaltStack software exploited
Hackers abused vulnerabilities in the SaltStack data center software to breach six Cisco servers. The issue was addressed after Cisco deployed updates for the SaltStack software on all of the hacked VIRL-PE servers.

Flawed PageLayer plugin
Two security flaws discovered in the PageLayer plugin can allow attackers to take over websites and wipe their content. One flaw is an authentication bypass; the other arises from cross-site request forgery (CSRF). Both flaws have been patched in version 1.1.4 of the plugin.

Tags

trickbot malware
pagelayer plugin
saltstack software
androidfakeapp176

Posted on: May 29, 2020
