
Cyware Daily Threat Intelligence November 21, 2018


Top Malware Reported in the Last 24 Hours

The Ukrainian CERT and the country's foreign intelligence service have identified a new variant of Pterodo, a custom Windows backdoor associated with the Gamaredon threat group, in attacks on Ukrainian government agencies. Pterodo collects information from the infected host and can download additional malware. The new variant generates a unique C2 URL to which all stolen data is uploaded, which lets the operators review what was collected and decide which tools to install and run remotely on each victim.

A recently discovered Apple Pay malvertising campaign distributes the PayLeak malware through an ad that poses as a legitimate creative. Visitors to newspaper and magazine sites who click on it are redirected to a malicious domain registered in China. The script then checks whether the visitor's device is in motion or at rest, upright or lying down, whether it is an Android device or an iPhone, and whether any malware detection technology is running on it. Android users are redirected to further phishing sites, while iPhone users are shown pop-ups that trick them into entering their credit card details.
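The behaviour described above (sensor polling, Android-versus-iPhone sniffing, a check for analysis tooling, then a forced redirect) is a recognisable pattern in a third-party ad script. The following is an added example, not code from the original report or from any vendor: a small static triage routine that scans an ad creative's JavaScript for those indicator families and flags the script when sensor access, platform sniffing and a redirect all co-occur. The regexes, the anti-analysis patterns and both sample scripts are constructed for this illustration and are not published PayLeak signatures.

```python
import re
from typing import Dict, List, Set

# Indicator families matching the behaviour described in the report. The
# patterns are this example's own heuristics, not signatures for PayLeak.
INDICATORS: Dict[str, List[re.Pattern]] = {
    "motion_sensor": [re.compile(p) for p in (
        r"DeviceMotionEvent", r"DeviceOrientationEvent",
        r"['\"]devicemotion['\"]", r"['\"]deviceorientation['\"]")],
    "platform_sniff": [re.compile(p) for p in (
        r"navigator\.userAgent", r"navigator\.platform",
        r"\b(?:Android|iPhone|iPad)\b")],
    # Assumed examples of "is analysis tooling present?" checks; not from the report.
    "anti_analysis": [re.compile(p) for p in (
        r"\bwebdriver\b", r"\bcallPhantom\b", r"\bHeadlessChrome\b")],
    "redirect": [re.compile(p) for p in (
        r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]",)],
}

# The combination that characterises the campaign: a creative that reads the
# motion sensors, sniffs the platform and forces a navigation.
REQUIRED = ("motion_sensor", "platform_sniff", "redirect")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def analyze_script(source: str) -> Dict[str, object]:
    """Return matched indicators, outbound hosts and a verdict for one script."""
    hits = {name: sorted({m.group(0) for pat in pats for m in pat.finditer(source)})
            for name, pats in INDICATORS.items()}
    hosts: Set[str] = set(HOST_RE.findall(source))
    suspicious = all(hits[name] for name in REQUIRED)
    return {"indicators": hits, "external_hosts": hosts, "suspicious": suspicious}


# Constructed sample: mimics the described behaviour (hypothetical hosts).
SUSPICIOUS_AD = """
(function () {
  var ua = navigator.userAgent;
  if (navigator.webdriver) { return; }      // bail out under automation
  window.addEventListener('devicemotion', function (e) {
    var moving = Math.abs(e.acceleration.x) > 0.5;
    if (/iPhone/.test(ua)) {
      showCardPopup();                       // fake payment prompt
    } else if (/Android/.test(ua)) {
      window.top.location.href = 'https://ad-landing.invalid/?m=' + moving;
    }
  });
})();
"""

# Constructed sample: an ordinary creative that only renders and reports a click.
BENIGN_AD = """
(function () {
  var img = document.createElement('img');
  img.src = 'https://cdn.publisher.invalid/creative.png';
  img.onclick = function () { navigator.sendBeacon('/click', 'id=1'); };
  document.getElementById('ad-slot').appendChild(img);
})();
"""


if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS_AD), ("benign", BENIGN_AD)):
        print(label, analyze_script(script))
```

The verdict deliberately requires all three core families rather than any one of them: plenty of legitimate creatives sniff the user agent, and some use the orientation sensors for interactive ads, but a creative that does both and then rewrites `location` is worth pulling for manual review, together with the hosts it points at.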

Top Vulnerabilities Reported in the Last 24 Hours

VMware bugs
Multiple vulnerabilities have been discovered in VMware's vSphere Data Protection. An attacker could exploit some of them to take control of an affected system. The flaws include a remote code execution vulnerability tracked as CVE-2018-11066, an open redirection vulnerability (CVE-2018-11067), an OS command injection vulnerability (CVE-2018-11076), and an information exposure vulnerability (CVE-2018-11077). VMware has released patches addressing the bugs.

Atlantis Word Processor flaws
Security researchers have discovered three new vulnerabilities in Atlantis Word Processor. Each is a memory corruption flaw that could be exploited for remote code execution by opening a crafted document. The first, CVE-2018-4038, is a remote code execution flaw in Open Document Format handling (NewAnsiString length). The second, CVE-2018-4039, is a remote code execution vulnerability in Huffman table code length handling. The third, CVE-2018-4040, is a remote code execution vulnerability caused by an uninitialized TAutoList in Rich Text Format handling.

Top Breaches Reported in the Last 24 Hours

EA Origin leak
A bug in EA's Origin online gaming and digital distribution platform exposed players' information. Origin issues auto-login URLs that carry an authentication token. If a user requests one while on an unsecured network or Wi-Fi hotspot, such as at a cafe or hotel, anyone able to observe the traffic can grab the URL and log in as the user who requested it. An attacker could then use the auto-login URL to read the user's EA settings panels, which expose the player's real name, the last four digits of their credit card, the last digits of their phone number, order history, and more.
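The weakness described above is an auto-login link that stays valid for anyone who captures it. As an added example (this is not EA's code and the endpoint and user IDs are hypothetical), the following shows the three controls such links normally need: they are honoured only over HTTPS, they are consumed exactly once so a captured copy cannot be replayed, and they expire quickly. The stored value is a hash of the token, so a leaked token table does not yield working links either. A fake clock is injected so that expiry can be demonstrated without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 60      # a login link should not outlive the click that asked for it


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class _Issued:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class AutoLoginService:
    """Hypothetical server side of an auto-login link: issue it, then consume it once."""
    base_url: str = "https://game.example.invalid/login"     # hypothetical endpoint
    now: Callable[[], float] = time.time
    _tokens: Dict[str, _Issued] = field(default_factory=dict)

    def issue_link(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a dump of this table gives no usable links.
        self._tokens[_digest(token)] = _Issued(user_id, self.now() + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?{urlencode({'token': token})}"

    def consume_link(self, url: str) -> Optional[str]:
        parsed = urlparse(url)
        token = parse_qs(parsed.query).get("token", [""])[0]
        rec = self._tokens.get(_digest(token))
        if rec is None:
            return None
        if parsed.scheme != "https":
            rec.used = True          # presented in plaintext: refuse it and burn it
            return None
        if rec.used or self.now() > rec.expires_at:
            return None
        rec.used = True              # single use: a captured copy cannot be replayed
        return rec.user_id


def demo() -> Dict[str, Optional[str]]:
    clock = [1_700_000_000.0]                   # fake clock so expiry is deterministic
    svc = AutoLoginService(now=lambda: clock[0])

    link = svc.issue_link("player42")
    first = svc.consume_link(link)              # the user who requested the link
    replay = svc.consume_link(link)             # an attacker replaying a captured copy

    http_link = svc.issue_link("player42").replace("https://", "http://", 1)
    plaintext = svc.consume_link(http_link)     # the link as seen on an open hotspot
    burned = svc.consume_link(http_link.replace("http://", "https://", 1))

    stale = svc.issue_link("player42")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.consume_link(stale)
    return {"first": first, "replay": replay, "plaintext": plaintext,
            "burned": burned, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Only the first call returns a user; the replay, the plaintext presentation, the later HTTPS retry of a token already seen in plaintext, and the expired link all fail. Binding the token to the requesting session or client in addition would narrow the window further, but single use plus a short lifetime already removes most of the value of a captured link.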

ETSU data breach
East Tennessee State University suffered a data breach after a couple of its employees fell victim to a phishing attack. One of the compromised mailboxes contained personal information about the employee and about individuals in that employee's family and household, among others. The information in the mailboxes included the full names and Social Security numbers of each individual. The breach potentially exposed the personal information of up to 7,700 people.



Posted on: November 21, 2018
