Cyware Daily Threat Intelligence, November 15, 2019

A new security warning has been issued for users of Android smartphones. Researchers have found a new set of potentially serious vulnerabilities in Qualcomm’s Secure Execution Environment (QSEE), a component widely used in Samsung, Pixel, OnePlus, LG, Xiaomi, Sony, and HTC devices. If abused, the flaws can allow attackers to steal sensitive data such as private encryption keys, passwords, and credit and debit card credentials.

In a major cyber-espionage campaign detected in the past 24 hours, a threat actor named TA2101 has been found impersonating the U.S. Postal Service (USPS) and other government agencies to deliver backdoor malware. The campaign targeted organizations in Germany, Italy and the United States.

A new variant of the WannaMine cryptominer was also uncovered in the past 24 hours. Dubbed WannaMine v4.0, it closely resembles the previous version and leverages the EternalBlue exploit to spread and compromise vulnerable hosts.

Top Breaches Reported in the Last 24 Hours

Misconfigured AWS S3 bucket
A misconfigured AWS S3 storage bucket has reportedly exposed nearly 93,000 patient files related to billing at the Monarch Shore, Chapters Capistrano, and Willow Springs Recovery facilities. The leaked information includes patients’ full names, birth dates, postal addresses, telephone numbers, and health insurance membership details.
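The exposure above is the classic public-bucket misconfiguration: a bucket policy or ACL that grants access to everyone. As an added example (not Cyware’s code and unrelated to the facilities named), the script below evaluates bucket policy, ACL and Public Access Block documents that have already been fetched, so it runs offline with no credentials. The bucket name, the account ID `123456789012` and every policy document are constructed samples.

```python
# Offline check for world-readable S3 buckets (added example, constructed data).
# Feed it the JSON returned by `aws s3api get-bucket-policy` (its "Policy" field,
# json.loads'ed), `get-bucket-acl` and `get-public-access-block`.

# Group grantee URIs S3 uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Condition keys that scope an otherwise anonymous Principal to a network origin.
SOURCE_CONDITION_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip"}


def _as_list(value):
    """Policy fields such as Action and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_is_anonymous(principal):
    """True when a statement's Principal matches any caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _scoped_by_source(statement):
    """A wildcard Principal restricted by a source-VPC/IP condition is not world-readable."""
    condition = statement.get("Condition", {})
    keys = {key.lower() for operator in condition.values() for key in operator}
    return bool(keys & SOURCE_CONDITION_KEYS)


def public_policy_actions(policy):
    """Return the actions that Allow statements grant to anonymous callers."""
    actions = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(statement.get("Principal")):
            continue
        if _scoped_by_source(statement):
            continue
        actions.extend(_as_list(statement.get("Action")))
    return actions


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs that expose the bucket through its ACL."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            grants.append((grantee["URI"], grant.get("Permission")))
    return grants


def public_access_block_complete(config):
    """True only when all four Public Access Block settings are enabled."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(flag) is True for flag in flags)


def bucket_is_public(policy, acl, public_access_block=None):
    """Any anonymous policy grant or public ACL grant counts as exposed, unless a
    complete Public Access Block configuration neutralises both."""
    if public_access_block and public_access_block_complete(public_access_block):
        return False
    return bool(public_policy_actions(policy) or public_acl_grants(acl))


# --- constructed sample documents (not from any real account) ---
RESOURCE = "arn:aws:s3:::example-billing-records/*"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": RESOURCE}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BillingAppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/billing-app"},
     "Action": ["s3:GetObject"], "Resource": RESOURCE}]}
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": RESOURCE, "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
FIXED_ACL = {"Grants": [OWNER_GRANT]}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(label, "public:", bucket_is_public(pol, acl),
              "policy:", public_policy_actions(pol), "acl:", public_acl_grants(acl))
```

The Public Access Block check is the one to prioritise: with all four flags on, an accidental public policy or ACL such as the weak samples above is neutralised at the account or bucket level rather than relying on every policy author getting the Principal right.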

Indiana school hacked
Penn-Harris-Madison School Corp. is notifying staff and students’ families about a ransomware attack that crippled its internal network. The school is working to restore its computer systems.

Australia’s parliament hacked
The computer network of Australia’s parliament was hacked earlier this year, and the attackers stole data related to several elected officials from the compromised computers. After security agencies mitigated the first attack, the parliament faced another attack attempt in late October, in which the threat actors sent an email to users claiming that malware had been detected in the system.

Google Chrome crashes
A Google Chrome experiment that went badly wrong has impacted several organizations across the globe. The experiment caused the browser to crash with a ‘White Screen of Death’ (WSOD) error. It did not affect all Chrome users, only Chrome browsers running on Windows Server ‘terminal server’ setups.


Top Malware Reported in the Last 24 Hours

TA2101 impersonates USPS
A new threat actor named TA2101 has been found impersonating the U.S. Postal Service (USPS) and other government agencies to deliver backdoor malware. The campaign was observed between October 16 and November 12, 2019. The actor sent malicious email messages to organizations in Germany, Italy, and the United States.

New Android trojan
A new Android malware dubbed Android/Trojan.FakeAdsBlock has been observed on over 500 devices. The trojan hides on Android devices by posing as an ad blocker while serving up a host of advertisements. It delivers ads in several ways: full-page ads, ads in notifications, and ads via a home screen widget.

RevengeRAT and WSH RAT
A newly discovered initial-stage malware dropper evades detection with the ultimate goal of delivering RevengeRAT and WSH RAT payloads to targeted Windows machines. After execution, RevengeRAT connects to two C2 servers to send back information collected from victims’ systems. The new version of WSH RAT, meanwhile, includes a total of 29 functions that perform tasks ranging from establishing persistence to data exfiltration.

WannaMine v4.0
WannaMine v4.0 is the latest variant of WannaMine cryptominer. It leverages the EternalBlue exploit to spread and compromise vulnerable hosts. Its design is similar to WannaMine v3.0.

Office 365 account users
A broad phishing campaign targeting Microsoft Office 365 administrator accounts has been uncovered recently. The threat actors impersonate Microsoft and Office 365 login pages to lure victims. Compromising an admin account lets the attackers create new accounts within the organization to abuse SSO systems.

Top Vulnerabilities Reported in the Last 24 Hours

Faulty Qualcomm chipsets
A new report has revealed that a ‘gaping hole’ in Qualcomm’s Secure Execution Environment (QSEE) could allow attackers to steal sensitive data stored in a secure area. QSEE usually holds private encryption keys, passwords, and credit and debit card credentials. The component is widely used on Pixel, LG, Xiaomi, Sony, HTC, OnePlus, Samsung, and many other devices. The issue, tracked as CVE-2019-10574, has been patched by the US chip giant.

Symantec fixes LPE bug
Symantec has fixed a local privilege escalation flaw affecting Endpoint Protection versions prior to 14.2 RU2. The flaw can allow attackers to escalate privileges on compromised devices and execute malicious code with SYSTEM privileges.

Top Scams Reported in the Last 24 Hours

Phishing scam
A new phishing campaign that warns victims that their password is about to expire has been doing the rounds lately. The phishing email asks recipients to click a ‘Keep same password’ button to prevent the password from expiring. Clicking the button redirects victims to a page asking for their login credentials, which attackers can later use for BEC scams or account takeover.

