Cyware Daily Threat Intelligence, May 30, 2019

Malware attacks are always evolving, keeping organizations and security communities constantly on their toes. Recently, researchers witnessed the emergence of two new malware families named HiddenWasp and Qulab. While HiddenWasp targeted Linux systems, the Qulab trojan was used to steal users’ browser history, credentials, and cookies. Qulab is a multi-faceted malware that includes both information-stealing and clipboard hijacking capabilities. HiddenWasp, on the other hand, shares a structure similar to the Linux version of the Winnti malware.

A data leak caused by a misconfigured Elasticsearch database was also reported in the past 24 hours. The unprotected database contained around 42.5 million records belonging to different Chinese dating apps. Most of the impacted users are from the United States.

A major cyberespionage campaign named Nansh0u was also observed targeting over 50,000 servers to mine TurtleCoin cryptocurrency. The campaign has been ongoing since February 2019 and is believed to originate from China.

Top Breaches Reported in the Last 24 Hours

42.5 million records exposed
An unprotected Elasticsearch database belonging to different Chinese dating apps has exposed 42.5 million records. Most of the users of these apps are Americans. The apps logged and stored users’ IP addresses, ages, locations, and user names. Some of the impacted apps are Cougardating, Christiansfinder, Mingler, Fwbs, and TS. Many of the affected apps are free and also offer paid versions.

Checkers Drive-In Restaurants’ data breach
Tampa-based fast food chain Checkers Drive-In Restaurants Inc. announced a data breach that may have affected the payment card information of an unknown number of customers. The incident occurred after malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations in 19 states. The malware was designed by the attackers to steal customers’ names, payment card numbers, card verification codes, and expiration dates.

Over 50k servers compromised
Over 50,000 MS-SQL and PHPMyAdmin servers have been compromised as part of the Nansh0u cyberespionage campaign. The campaign was carried out with the aim of mining TurtleCoin cryptocurrency. The targeted servers belong to companies in the healthcare, telecommunications, media, and IT sectors. The Nansh0u campaign has been ongoing since February 2019.

Top Malware Reported in the Last 24 Hours

HiddenWasp malware
A new strain of Linux malware named HiddenWasp has been discovered by security researchers. The malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. It shares a structure similar to the Linux version of the Winnti malware. Among other capabilities, HiddenWasp can interact with the local filesystem; upload, download, and run files; and run terminal commands.

Qulab trojan
Attackers are leveraging YouTube videos in an attempt to push the Qulab information-stealing and clipboard hijacking trojan. The videos, created by the attackers, promise users free Bitcoins via a ‘bitcoin generator’ tool. The video description includes a link to download the tool, which is actually the trojan. Qulab’s capabilities include stealing browser history, credentials, and cookies. It can also collect saved credentials from FileZilla, Discord, and Steam.

Top Vulnerabilities Reported in the Last 24 Hours

Convert Plus plugin flaw
A critical vulnerability has been discovered in Convert Plus, a commercial plugin for WordPress websites. The plugin is estimated to have 100,000 active installations. The flaw can allow an unauthenticated attacker to create accounts with administrator privileges. The problem exists due to the lack of a filtering function when processing a new user subscription submitted via a form provided by the plugin.
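The defect described above is a mass-assignment pattern: a subscription handler that stores whatever the form submits, including a role field, instead of fixing the role server-side. The following is an added illustration, not Convert Plus code; the handler names, the `users` store, and the constructed form are assumptions, and the audit helper shows the kind of check a site owner can run to spot unexpected privileged accounts.

```python
# Added illustration of the vulnerable pattern and its fix; not the plugin's code.
PRIVILEGED_ROLES = {"administrator", "editor"}
SIGNUP_ROLE = "subscriber"  # the only role a self-service subscription may get


def create_user_unfiltered(form: dict, users: dict) -> dict:
    """Vulnerable pattern: every client-supplied field is trusted, role included."""
    user = {
        "login": form["login"],
        "email": form["email"],
        # A client that adds a "role" field to the form chooses its own role.
        "role": form.get("role", SIGNUP_ROLE),
    }
    users[user["login"]] = user
    return user


def create_user_filtered(form: dict, users: dict) -> dict:
    """Hardened pattern: only known fields are read and the role is fixed server-side."""
    login = str(form.get("login", "")).strip()
    email = str(form.get("email", "")).strip()
    if not login or "@" not in email:
        raise ValueError("invalid subscription form")
    # Any extra fields in the form (e.g. "role") are ignored, never stored.
    user = {"login": login, "email": email, "role": SIGNUP_ROLE}
    users[login] = user
    return user


def audit_privileged_accounts(users: dict) -> list:
    """Detection aid: list accounts holding privileged roles for review."""
    return sorted(login for login, rec in users.items() if rec["role"] in PRIVILEGED_ROLES)


# Constructed sample request: a subscription form carrying an extra "role" field.
TAMPERED_FORM = {"login": "sample-user", "email": "user@example.invalid", "role": "administrator"}

if __name__ == "__main__":
    store = {}
    create_user_unfiltered(dict(TAMPERED_FORM), store)
    print("unfiltered handler, privileged accounts:", audit_privileged_accounts(store))
    store = {}
    create_user_filtered(dict(TAMPERED_FORM), store)
    print("filtered handler, privileged accounts:", audit_privileged_accounts(store))
```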

Docker race condition flaw
All versions of Docker are currently vulnerable to a race condition that could give attackers both read and write access to any file on the host system. The flaw is similar to CVE-2018-15664 and gives attackers an opportunity to modify resource paths. Proof-of-concept code for the vulnerability has also been released.

New Feature released by GitHub
GitHub has enabled automatic security updates for known vulnerable open-source dependencies in user repositories. When the feature is enabled, a pull request upgrading the affected dependency is automatically created in the repository. Users who prefer to stay in control can instead create these pull requests manually, only when they choose to. The fixes are delivered through the Dependabot GitHub App.

Vulnerability in Microsoft’s Notepad text editor
A Google Project Zero researcher has discovered a remote code execution flaw in Microsoft’s Notepad text editor. The flaw has been reported to Microsoft. Under Project Zero’s vulnerability disclosure policy, Microsoft has to release a patch within 90 days of the discovery, after which the technical details of the flaw will be disclosed to the public.


Posted on: May 30, 2019