Cyware Daily Threat Intelligence, November 18, 2019

Customized droppers that use highly sophisticated obfuscation techniques are one of the primary go-to tools for cybercriminals. Recently, researchers uncovered a wave of ongoing campaigns that has been active since January 2019. The campaigns have persisted this long because of the custom droppers the attackers use. The adversaries exploit weaknesses in web browsers to inject these droppers, which in turn download information-stealing malware such as Agent Tesla and Lokibot.

A new ransomware named NextCry was also observed in the past 24 hours. It targets clients of the Nextcloud file sync and share service and uses the AES-256 algorithm to encrypt files. The ransomware is active in the wild and, at the time of reporting, remained undetected by the antivirus engines on public scanning platforms.

Top Breaches Reported in the Last 24 Hours

Disney+ user accounts hacked
Thousands of hijacked Disney+ accounts are already on sale on dark web markets. Many of these accounts are offered for free or for a price between $3 and $11. The Disney+ platform launched on November 12 and was marred by technical issues. Many users reported that hackers were accessing their accounts, logging them out of all devices, and changing their account email and password.

Players' data exposed
The maker of ‘Magic: The Gathering’ has urged its customers to change their passwords after disclosing a security lapse. The issue, caused by an unprotected AWS storage bucket, exposed the data of 452,634 players. The database included player names and usernames, email addresses, and the date and time of each account’s creation. It also held user passwords, which were hashed and salted.

Details of police officers exposed
Personal details of more than 500 employees of a Virginia police department may have been exposed following a data breach. The potentially compromised data includes officers’ names, birth dates, and Social Security numbers.

Top Malware Reported in the Last 24 Hours

NextCry ransomware
A new ransomware named NextCry has been found targeting clients of the Nextcloud file sync and share service. The malware uses the AES-256 algorithm to encrypt files. When executed, it first locates the victim’s Nextcloud file share and sync data directory by reading the service’s config.php file. After encryption, it demands a ransom of 0.025 bitcoin to decrypt the files.
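The item above notes that NextCry finds the Nextcloud data directory by reading config.php before encrypting user files. The following defender-side script is an added example, not code from Cyware or from any NextCry analysis: it extracts the `datadirectory` value from a constructed config.php the same way an operator would, then walks that directory and flags files whose byte entropy is close to 8 bits per byte, which is how AES ciphertext (and any other well-encrypted content) looks. The entropy threshold, the minimum file size, and the skip list for Nextcloud housekeeping entries are assumptions chosen for illustration, not values from the report.

```python
import math
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed sample of a Nextcloud config.php; not taken from any real install.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocexample123',
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
);
"""

# 'datadirectory' is the real Nextcloud config key that points at user data.
DATADIR_RE = re.compile(r"'datadirectory'\s*=>\s*'([^']+)'")


def parse_datadirectory(config_text: str) -> Optional[str]:
    """Return the datadirectory value from a Nextcloud config.php, or None if absent."""
    m = DATADIR_RE.search(config_text)
    return m.group(1) if m else None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or uniform input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5, min_len: int = 512) -> bool:
    """Heuristic: a sufficiently long buffer near 8 bits/byte looks like ciphertext.
    The threshold and minimum length are assumed tuning values, not from the advisory.
    Legitimately compressed or already-encrypted files will also trip this check, so
    treat a sudden rise in hits across many users as the signal, not a single file."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def scan_data_directory(datadir: Path, sample_bytes: int = 64 * 1024) -> List[Path]:
    """Return user files under the Nextcloud data directory that look encrypted.
    Skips Nextcloud's own appdata_* trees (assumed housekeeping, not user content)."""
    suspicious: List[Path] = []
    for path in sorted(datadir.rglob("*")):
        if not path.is_file():
            continue
        if any(part.startswith("appdata_") for part in path.parts):
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # sample only the file's head to keep scans cheap
        if looks_encrypted(head):
            suspicious.append(path)
    return suspicious


def demo_scan() -> List[str]:
    """Build a throwaway data directory with one plaintext and one random-bytes file
    (the random file stands in for ciphertext) and return the flagged relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "alice" / "files"
        root.mkdir(parents=True)
        (root / "notes.txt").write_bytes(b"quarterly planning notes\n" * 100)
        (root / "report.docx").write_bytes(os.urandom(4096))
        return [str(p.relative_to(tmp)) for p in scan_data_directory(Path(tmp))]


if __name__ == "__main__":
    print("datadirectory from config.php:", parse_datadirectory(SAMPLE_CONFIG))
    for rel in demo_scan():
        print("looks encrypted:", rel)
```

In production the scan would run against the real path returned by `parse_datadirectory` on a schedule, with the hit count per user compared against a baseline; a spike in high-entropy files across accounts, combined with a process reading config.php that is not the web server or the occ tool, is the kind of early signal that lets an operator pull the Nextcloud host offline before the ransom note lands.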

Malware droppers evolve
A new wave of ongoing campaigns, active since January 2019, has been found using custom droppers to plant information-stealing malware such as Agent Tesla and Lokibot. The attackers behind the campaigns actively exploit weaknesses in web browsers to drop the malware. Several layers of obfuscation are also used so the droppers remain hidden in the background on targeted systems.

Top Vulnerabilities Reported in the Last 24 Hours

WhatsApp bug fixed
WhatsApp has fixed a security issue that could allow an attacker to remotely access messages and files stored in the app. The flaw is tracked as CVE-2019-11931 and can be exploited using malicious MP4 video files. It affects the app’s Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.

Faulty Siemens PLC
A vulnerability discovered in Siemens SIMATIC S7-1200 programmable logic controller (PLC) can be exploited by an attacker to execute arbitrary code by abusing a hardware-based access mode. The bug exists in the device’s firmware integrity verification mechanism. Siemens is tracking the vulnerability as CVE-2019-13945.

Top Scams Reported in the Last 24 Hours

Singtel customers targeted
Scammers are targeting Singtel customers by masquerading as the company’s customer service staff. The fraudsters call customers under the pretense of resolving their broadband connection issues. The caller promises to fix any problems with the victims’ Wi-Fi connections if they follow instructions, which include granting the caller remote access to the computer and logging into their Internet banking account. The scammer also asks the victims for their personal details.


Posted on: November 18, 2019
