Cyware Daily Threat Intelligence, November 05, 2019

Vulnerabilities in smart devices can introduce numerous cybersecurity risks for organizations and individuals. Researchers have now uncovered a new attack technique against voice-controlled devices that can be abused to take control of them. Dubbed ‘Light commands’, the technique leverages a design flaw in the micro-electromechanical systems (MEMS) microphones used by smart home assistants: the microphones respond to modulated light as if it were sound. The attack has been successfully demonstrated against Amazon’s Alexa, Apple’s Siri, and Google’s Assistant.

A server hosting a large cache of malicious files has also been discovered in the past 24 hours. The files include a wide range of malware, among them DoppelPaymer ransomware, the TinyPOS point-of-sale malware, and several loaders. Security experts report that these files are being used to target several firms.

The notorious Nemty ransomware has found a new channel onto victims’ computers. It is now distributed by a new version of the Trik botnet that includes an SMB spreading component with hardcoded credentials.

Top Breaches Reported in the Last 24 Hours

Ransomware attack
Everis, an NTT DATA-owned IT services firm, has suffered a BitPaymer ransomware attack that affected several of its networks and systems. The ransomware encrypted files on the company’s systems and appended the .3v3r1s extension to them. The attackers have demanded $835,923 in ransom to decrypt the files.

Foxborough school attacked
Ransomware attackers are demanding almost $5,000 from Foxborough Regional Charter School after an attack last month. The school’s network, computers, printers, email servers, and other systems have been affected due to the attack.

Top Malware Reported in the Last 24 Hours

Server hosting malicious files
A server hosting a large cache of malicious files has been found to be used against several organizations and individuals. The files include ransomware such as DoppelPaymer and credit card-capturing malware such as TinyPOS, as well as several loaders that retrieve and execute code supplied by the operators’ C2 server.

WP-VCD operation
A criminal operation named WP-VCD is responsible for the vast majority of recently hacked WordPress sites. The operation relies on webmasters installing pirated (“nulled”) copies of commercial themes and plugins. Once a boobytrapped theme or plugin is installed, the victim’s WordPress installation is hijacked and taken over within seconds, and the compromised site is then used to generate revenue for the operators.

Trik botnet spread Nemty
Security researchers have uncovered a new version of the Trik botnet that delivers Nemty ransomware. Trik has been updated with an SMB component that uses hardcoded credentials to connect to remote computers over port 139 and spread laterally. Meanwhile, Nemty has been updated to version 1.6, which adds persistence on victims’ systems.
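The SMB spreading behaviour described above (one host trying hardcoded credentials against many neighbours on port 139) leaves a recognisable fan-out pattern in network logs. The following is an added detection example, not code from Cyware or from the researchers who analysed Trik; the log format it parses is a constructed, hypothetical firewall export (`<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>`) and the sample lines are made up. It flags any source that reaches a threshold of distinct SMB targets (TCP/139 or TCP/445) inside a sliding time window; denied connections count too, because a worm probing dead hosts still shows its hand.

```python
"""Detect worm-like SMB fan-out: one source contacting many distinct hosts
on TCP/139 or TCP/445 within a short window.

Added example; not Cyware's or the Trik researchers' code. The log format
and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}

# Constructed sample log lines (hypothetical firewall export, not real traffic).
# 10.0.0.5 probes six neighbours on 139 in eight seconds (Trik-like fan-out),
# 10.0.0.7 talks repeatedly to one file server (benign), 10.0.0.9 touches two.
SAMPLE_LOGS = """\
2019-11-05T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=139 action=allow
2019-11-05T10:00:02 src=10.0.0.5 dst=10.0.0.21 dport=139 action=deny
2019-11-05T10:00:02 src=10.0.0.7 dst=10.0.0.50 dport=445 action=allow
2019-11-05T10:00:03 src=10.0.0.5 dst=10.0.0.22 dport=139 action=allow
2019-11-05T10:00:04 src=10.0.0.5 dst=10.0.0.23 dport=139 action=allow
2019-11-05T10:00:05 src=10.0.0.9 dst=10.0.0.50 dport=445 action=allow
2019-11-05T10:00:06 src=10.0.0.5 dst=10.0.0.24 dport=139 action=deny
2019-11-05T10:00:07 src=10.0.0.7 dst=10.0.0.50 dport=445 action=allow
2019-11-05T10:00:08 src=10.0.0.5 dst=10.0.0.25 dport=139 action=allow
2019-11-05T10:00:09 src=10.0.0.9 dst=10.0.0.51 dport=445 action=allow
2019-11-05T10:00:10 src=10.0.0.5 dst=10.0.0.60 dport=80 action=allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return (datetime.fromisoformat(ts), fields["src"], fields["dst"],
            int(fields["dport"]))


def find_smb_fanout(log_text, threshold=5, window_seconds=300):
    """Return {src: sorted list of distinct SMB targets} for every source that
    contacted at least `threshold` distinct hosts on SMB ports within any
    `window_seconds`-long sliding window. Both allowed and denied connection
    attempts count; a scanner hitting dead hosts is still a scanner."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port in SMB_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order, so each window starts at evs[i]
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= threshold:
                flagged[src] = sorted(targets)
                break  # one hit per source is enough
    return flagged


if __name__ == "__main__":
    for src, targets in find_smb_fanout(SAMPLE_LOGS).items():
        print(f"SMB fan-out from {src}: {len(targets)} targets -> {targets}")
```

Tune `threshold` and `window_seconds` to the environment: a file server or a vulnerability scanner legitimately talks to many SMB peers, so whitelist those sources rather than raising the threshold until real worm activity slips under it.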

Fake pharma pages
Several compromised websites on .su and .eu domains have been found redirecting visitors to fake ‘Canadian Pharmacy’ pages selling counterfeit medications. The pharma spam sites are hosted on servers located in Latvia, Estonia, Moldova, Russia, and the USA, and the campaign’s purpose is purely to monetize the compromised sites.

Top Vulnerabilities Reported in the Last 24 Hours

‘Light commands’ vulnerability
A new attack technique dubbed ‘Light commands’ can be abused to remotely issue commands to Alexa- and Siri-based smart speakers. It exploits a design flaw in the micro-electromechanical systems (MEMS) microphones that translate sound waves into an electrical signal: the microphones also respond to modulated light, so a spoken command can be encoded onto a laser beam aimed at the device. Researchers have demonstrated that this allows malicious commands to be injected into several voice-controlled devices, including smart speakers, tablets, and phones, from large distances and through glass windows.

WizardOpium exploit attack
Google has issued an update to fix two high-severity vulnerabilities in the Chrome browser for Windows, Mac, and Linux desktop environments. The two bugs are a use-after-free in PDFium (CVE-2019-13721) and a use-after-free in the audio component (CVE-2019-13720). Researchers uncovered that the latter, CVE-2019-13720, was being exploited in the wild as a zero-day in a campaign named Operation WizardOpium.

Vulnerable Able2Extract tool
Serious memory corruption vulnerabilities discovered in Able2Extract Professional can be exploited by attackers to execute arbitrary code using specially crafted image files. The flaws are tracked as CVE-2019-5088 and CVE-2019-5089 and affect version 14.0.7 x64 of the tool.


trik botnet
bitpaymer ransomware
light commands
wizardopium exploit
doppelpaymer ransomware

Posted on: November 05, 2019