Cyware Daily Threat Intelligence, November 18, 2020


Threats stemming from the ZeroLogon vulnerability continue to run rampant on Windows servers despite the release of security patches. Taking advantage of this security lapse, the Cloud Hopper threat actor group has launched a massive cyberespionage campaign targeting automotive, pharmaceutical, and engineering entities across the globe.

In other news, a new malware dubbed Chaes has been specially designed by threat actors to target Brazilians. The malware has been found targeting the MercadoLivre e-commerce platform to harvest a variety of sensitive information.

Besides the emerging threats, the past 24 hours also saw the release of a decryption key for Nibiru ransomware. The malware uses the Rijndael-256 algorithm to encrypt files.

Top Breaches Reported in the Last 24 Hours

TronicsXchange’s data leaked
TronicsXchange leaked over 2.6 million files due to a misconfigured AWS S3 bucket. The exposed files included full names, home addresses, gender, dates of birth, and photos of customers. The bucket was secured in October after researchers informed the firm.

Managed.com attacked
Managed.com reported a ransomware attack that took place on November 16. According to the firm, the incident impacted a limited number of customer sites, which were taken down immediately.

Top Malware Reported in the Last 24 Hours

New Chaes malware
An active campaign targeting the MercadoLivre e-commerce platform in Latin America has been found distributing a new malware called Chaes. The malware is capable of harvesting sensitive information such as login credentials, credit card numbers, and additional financial details. The malware has been designed to specifically target Brazilians.
 
Decryptor for Nibiru ransomware released
A decryption key for Nibiru ransomware has been released. The .NET-based malware traverses directories on the local disks, encrypts files with the Rijndael-256 algorithm, and adds the .Nibiru extension. The ransomware targets numerous common file extensions but skips critical directories like Program Files, Windows, and System Volume Information.

Top Vulnerabilities Reported in the Last 24 Hours

ZeroLogon vulnerability exploited
A massive campaign is underway targeting businesses around the globe using the recently disclosed ZeroLogon vulnerability. The attack is backed by the APT10 threat actor group and is carried out against automotive, pharmaceutical, engineering, and the Managed Service Provider (MSP) industries.  

Vulnerable WordPress sites
Threat actors are actively scanning for WordPress sites with Epsilon Framework themes vulnerable to function injection attacks that could lead to full site takeover. Owners and admins of websites running vulnerable versions of these themes are therefore advised to update to a patched version immediately, if one is available. If no patch is currently available, they should switch to another theme as soon as possible to block attack attempts.

PoC for Privilege escalation flaw released
Researchers have shared the details of a local privilege escalation vulnerability found in the XPC service of Microsoft Teams. The flaw arises due to insecure XPC connection validation, user control of the installation package, and insufficient package signature validation. 

Vulnerable Tesla Backup Gateway
Researchers have outlined weak security points in 379 Tesla Backup Gateway installations that can put users' credentials at risk. The flaws can enable a potential malicious actor to take control of the devices and even switch off backup power.

Chrome 87 fixes NAT Slipstream attack
Google has released version 87 of its Chrome browser to fix the NAT Slipstream attack technique. The release is available for Windows, Mac, Linux, Chrome OS, Android, and iOS. The technique can allow attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites.   

Critical flaws fixed
Around eleven critical vulnerabilities found in industrial control systems can be abused for remote attacks by adversaries. The flaws are rated 9.8 out of 10 on the CVSS scale. The affected ICS are from Real Time Automation, Paradox, Sensormatic Electronics, and Schneider Electric. 

Top Scams Reported in the Last 24 Hours

Office 365 phishing campaign
Microsoft has tracked an ongoing Office 365 phishing campaign that uses sophisticated evasion methods to target enterprises. One of the evasion tactics involves automated redirection through a variety of domains, from a phishing landing page to legitimate sites. The phishing emails used in this credential theft campaign are also heavily obfuscated to evade detection by secure email gateways. The campaign also makes use of unique subdomains as part of its evasion strategy.


Posted on: November 18, 2020
