Cyware Daily Threat Intelligence, November 20, 2019


Cybercriminals are spoilt for choice when it comes to malware attacks. The past 24 hours saw the discovery of three new malware families, namely Cyborg ransomware, Phoenix keylogger, and Mispadu banking trojan. While Cyborg ransomware and Mispadu trojan are distributed via phishing emails that make fake offers, Phoenix keylogger is sold directly on hacking forums.

In a new disclosure, researchers have uncovered that the Google and Samsung camera apps installed on hundreds of millions of Android devices are affected by a collection of vulnerabilities that stem from permission bypass issues. These vulnerabilities can be abused by threat actors to record videos, take pictures, and extract GPS data from media without holding the required permission.

Several D-Link router models have also been found to be affected by critical RCE bugs. The flaws can allow remote attackers to take control of the hardware and steal data. The impacted models are DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862.

Top Breaches Reported in the Last 24 Hours

Official Monero website compromised
The official website of the Monero cryptocurrency was compromised to deliver a malware-infected file that steals funds from wallet owners. The incident occurred on November 18. The compromise was noticed after a user downloaded the 64-bit Linux command-line binary for working with Monero and found that its hash did not match the published one.

NVA’s 700 facilities attacked
National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is still working to recover from a ransomware attack. The attack is believed to have been carried out using Ryuk ransomware on October 27, 2019. The company’s facilities are located in the United States, Canada, Australia, and New Zealand.

Open Amazon data storage bucket
The personal records of PayMyTab customers have been exposed through an unsecured Amazon data storage bucket. The leaked personal information included customers’ names, email addresses, phone numbers, the last four digits of payment card numbers, meal items ordered, and more.

Top Malware Reported in the Last 24 Hours

Mispadu banking trojan
A new banking trojan named Mispadu is using McDonald’s-themed malvertising to steal payment card data and online banking credentials. The malware is written in Delphi and is used against customers in Brazil and Mexico. Mispadu spreads via email as well as sponsored advertisements on Facebook that offer fake McDonald’s discounts with the call-out, ‘Use them on any September day! Independence coupons. Get yours now.’

Cyborg ransomware
A new spam campaign that pretends to be a ‘Critical Microsoft Windows Update’ from Microsoft has been discovered delivering Cyborg ransomware. The email carries an attachment disguised as a JPG image that is actually a downloader for the Cyborg ransomware executable. The campaign has been ongoing since at least November 7.

New Phoenix keylogger
A newly discovered keylogger called Phoenix has been linked to more than 10,000 infections. The malware is sold on hacking forums. Researchers note that over the past few months Phoenix has evolved from a simple keystroke logger into a multi-functional information-stealing trojan. The latest version can dump user data, such as passwords, from 20 different browsers, four different mail clients, FTP clients, and chat applications.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable D-Link routers
Thirteen D-Link router models are vulnerable to critical RCE bugs. The flaws can allow remote attackers to take control of the hardware and steal data. The impacted models are DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862.

Vulnerable EBS
Two critical vulnerabilities identified in Oracle’s E-Business Suite (EBS) could allow attackers to take full control over a company’s entire enterprise resource planning solution. The vulnerabilities are tracked as CVE-2019-2638 and CVE-2019-2633. To protect against exploitation of these flaws, admins are advised to apply the latest Oracle Critical Patch Update.

Docker patches a severe security issue
Docker has patched a serious security issue that can lead to a full container escape when exploited by an attacker. The vulnerability is tracked as CVE-2019-14271 and can be exploited only when a container has already been compromised in a previous attack. The flaw has been fixed in Docker version 19.03.1.

Flawed camera apps
The Google Camera and Samsung Camera apps on Android are affected by a vulnerability tracked as CVE-2019-2234. It can be exploited by threat actors to record videos, take pictures, and extract GPS data without holding the required permissions.


Posted on: November 20, 2019
