Cyware Daily Threat Intelligence, November 12, 2020


Though only for a short period, the threat actor ShinyHunters was back in action with a slew of new databases. After the Mashable data leak incident, the hacker dumped databases belonging to Eatigo, Eskimi, Geniusu, Glofox, JoinPiggy, Peatix, Pluto, Nitrogo, and Redmart. However, the incident was contained by blocking access to these databases.

In related news, the source code for the widely used Cobalt Strike 4.0 toolkit has allegedly been leaked online in a GitHub repository. The leak of the offensive tool is expected to open the door to additional cybercrime in the future.

The past 24 hours also saw new developments in the malware threat landscape. Researchers have uncovered new variants of the Muhstik botnet and the CRAT trojan, each with a wide range of obfuscation and attack capabilities that benefit their operators.

Top Breaches Reported in the Last 24 Hours

ShinyHunters leaks data
ShinyHunters reportedly dumped a new set of databases for sale on dark web forums. These databases belonged to Animal Jam, Eatigo, Eskimi, Geniusu, Glofox, JoinPiggy, Peatix, Pluto, Nitrogo, and Redmart. However, the incident was contained by blocking access to the databases.

Timberline copes with attack
An Iowa-based medical billing and reimbursement services company, Timberline, is boosting its cybersecurity practices after suffering a ransomware attack between February 12 and March 4, 2020. The data accessed by the attackers included names, dates of birth, Medicaid identification numbers, and billing information.

Top Malware Reported in the Last 24 Hours

Muhstik botnet evolves
The Muhstik botnet has been enhanced to target additional vulnerabilities affecting Oracle WebLogic Server and Drupal. The exploits included in the new variant target CVE-2019-2725 and CVE-2017-10271 (affecting WebLogic) and CVE-2018-7600 (affecting Drupal). The botnet uses IRC servers for C2 communications.

An uptick in ransomware attacks
Researchers have observed an uptick in attacks using the Pay2Key and WannaScream ransomware strains. Both strains were recently used to target Israeli companies. The attackers breached corporate networks, stole company data, encrypted files, and demanded large payouts in exchange for decryption keys.

CRAT variant
A new version of the CRAT trojan comes equipped with additional malicious plugins and obfuscation techniques. One of the plugins is a ransomware component known as Hansom. The trojan is linked to the Lazarus APT group.

New ModPipe backdoor
A new modular backdoor called ModPipe has been found targeting Oracle's Point-of-Sale (POS) restaurant management software in an attempt to steal sensitive payment information. The majority of the identified targets are located in the U.S.

Top Vulnerabilities Reported in the Last 24 Hours

Google releases Chrome 86.0.4240.198
Google has released Chrome version 86.0.4240.198 with fixes for two zero-day vulnerabilities that were exploited in the wild. The flaws are an inappropriate implementation in the V8 engine (CVE-2020-16013) and a use-after-free memory corruption bug (CVE-2020-16017). It is currently unknown whether the two vulnerabilities were used together as part of an exploit chain.

Cisco’s DoS flaw patched
A high-severity flaw in Cisco's IOS XR software can allow unauthenticated remote attackers to cripple Cisco Aggregation Services Routers (ASR). The flaw (CVE-2020-26070), which scored 8.6 out of 10 on the CVSS scale, can be exploited by sending specific streams of Layer 2 or Layer 3 protocol data units to an affected device. Cisco fixed the vulnerability in Cisco IOS XR Software releases 6.7.2 and later and 7.1.2 and later.

Critical bugs exploited in the wild
A flurry of high-severity vulnerabilities in Chrome, Android, Windows, and iOS has been found to be exploited in the wild. According to a report from Google, some of the flaws reside in font libraries, others are used to escape the Chrome sandbox, and a few can be used to take control of entire systems.

Nvidia addresses a flaw
Nvidia has patched a high-severity flaw in the GeForce Now application for Windows. Tracked as CVE-2020-5992, the vulnerability has a CVSS score of 7.3. An attacker on a local network can exploit the flaw to execute code or gain escalated privileges on affected devices.

Top Scams Reported in the Last 24 Hours

Scammy apps
Nearly seven malicious Minecraft-themed apps that fraudulently charge users hundreds of dollars per month have been identified in the Google Play Store. These apps are categorized as fleeceware: after installing the app, an unsuspecting user is charged a hefty subscription fee under the guise of a free trial.


Posted on: November 12, 2020
