Cyware Daily Threat Intelligence, November 06, 2020


Sophisticated new malware families mark the evolution of the cyber threat landscape. In the last 24 hours, researchers have uncovered three new malware families, namely the Pay2Key ransomware, the Torisma spyware, and the Gitpaste-12 botnet.

The Pay2Key ransomware spreads via weak RDP connections and is currently being used against organizations in Israel. Meanwhile, the Gitpaste-12 botnet leverages GitHub and Pastebin to host its malicious code. The newly discovered Torisma spyware was part of the Operation North Star cyberespionage campaign carried out in July by the North Korea-linked Hidden Cobra group.

Top Breaches Reported in the Last 24 Hours

Campari hit by Ragnar Locker
The Italian liquor company Campari has been hit by the Ragnar Locker ransomware, and the threat actors claim to have stolen 2TB of unencrypted files. The attackers have demanded a ransom of $15 million to decrypt the files. Due to the attack, the websites for Campari and Campari Group are currently down.

STJ attacked
The IT infrastructure of the Brazilian Superior Court of Justice (STJ) has suffered a massive ransomware attack. As a result, its services, including the official website, have been forced offline.

Top Malware Reported in the Last 24 Hours

TikTok Pro spyware
A malicious version of the TikTok Pro app is doing the rounds via WhatsApp and SMS messages that trick users into installing it. Once installed, the fake app asks users for credentials and Android permissions. The app is a full-fledged spyware with premium features for spying on victims.

Pay2Key ransomware
Researchers have uncovered a new ransomware strain called Pay2Key targeting large corporations in Israel. The initial infection starts through an RDP connection. Once installed, the ransomware uses the AES and RSA algorithms to encrypt victims’ files.

Torisma spyware
A recent cyberespionage campaign, codenamed ‘Operation North Star,’ used fake job offers to trick employees in the aerospace and defense sectors into downloading the Torisma spyware. The campaign was active in July and is believed to be an act of the North Korea-linked Hidden Cobra group.

Gitpaste-12 botnet
Gitpaste-12 is a newly discovered worm and botnet that is hosted on GitHub and uses Pastebin to host its malicious code. The malware comes equipped with reverse shell and cryptomining capabilities and exploits over 12 known vulnerabilities.

Top Vulnerabilities Reported in the Last 24 Hours

Apple fixed iOS zero-days
Apple has patched three iOS zero-day vulnerabilities exploited in the wild: a remote code execution flaw (CVE-2020-27930), a privilege escalation bug (CVE-2020-27932), and a memory leak bug (CVE-2020-27950). All three bugs are believed to have been used together as part of an exploit chain, allowing attackers to compromise iPhone devices remotely.

VMware patches a bug
VMware has fixed a critical remote code execution flaw (CVE-2020-3992) in its ESXi hypervisor products. The flaw exists in the OpenSLP service of VMware ESXi and has a CVSS score of 9.8 out of 10.

Exploiting vulnerable WebLogic servers
Threat actors are actively exploiting vulnerable Oracle WebLogic servers to deploy Cobalt Strike beacons on compromised devices. The flaw in question, CVE-2020-14882, can enable attackers to gain persistent remote access.

Tags

pay2key ransomware
torisma spyware
vmware
gitpaste 12 botnet
tiktok pro spyware

Posted on: November 06, 2020

