Go to listing page

Cyware Daily Threat Intelligence, November 25, 2019

Cyware Daily Threat Intelligence, November 25, 2019

Share Blog Post

The developers behind the TrickBot trojan have once again upgraded its password-stealing capabilities. The notorious trojan, which was first spotted with a pwdgrab64 password grabber module in November 2018, has now been enhanced to target OpenSSH and OpenVPN applications. This new variant is being used to steal OpenSSH private keys and OpenVPN passwords & configuration files.

The past 24 hours also saw a new bypass technique adopted by cybercriminals behind Raccoon Stealer. The technique is being used to circumvent Microsoft and Symantec anti-spam messaging gateways to target financial institutions. The malware is delivered inside an IMG file hosted on a hacker-controlled Dropbox account.

Top Breaches Reported in the Last 24 Hours

Unprotected Elasticsearch server
An open Elasticsearch server has exposed the more than 4 terabytes of scraped data from social media sources like Facebook, LinkedIn, Twitter and more. The breach has affected the personal data of over 1.2 billion people. The compromised data included names, email addresses and phone numbers of users.

OnePlus data breach
A vulnerability in OnePlus online store had exposed the firm to a security breach. The incident allowed hackers to gain access to past customer records. The exposed information included details like customers’ names, contact numbers, emails, and shipping addresses, but not passwords or financial details.

Ransomware attack
A ransomware attack at Virtual Care Provider Inc. has affected more than 100 nursing homes across the United States. The affected nursing homes used cloud data hosting, security and access management from the company. The attack has affected the business operations of these care centers and prevented them from accessing crucial patient medical records.

Top Malware Reported in the Last 24 Hours

Trickbot trojan evolves
The Trickbot trojan has evolved to include a password grabber module that could be used to steal OpenSSH private keys and OpenVPN passwords and configuration files. This new variant is now using HTTP POST request to send the collected passwords and configuration files to its C2 servers.

Raccoon Stealer
Threat actors behind malware dubbed Raccoon Stealer have adopted a simple and effective technique to bypass Microsoft and Symantec anti-spam messaging gateways. The technique has been used in a recent campaign targeting financial institutions via BEC attacks.

Clop ransomware
A new variant of Clop CryptoMix ransomware has been discovered that attempts to disable Windows Defender and Microsoft Security Essentials. This is done to prevent behavioral algorithms from detecting the file encryption and block the ransomware.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable VNC systems
Kaspersky has identified 37 vulnerabilities in four popular open-source virtual network computing (VNC) systems, including LibVNC, UltraVNC, TightVNC, and TurboVNC. Some of the flaws can be exploited for remote code execution, allowing the attacker to make changes to the targeted system. Over 20 of the security bugs were identified in UltraVNC.

PoC for Apache Solr RCE published 
A PoC for Apache Solr RCE attacks has been published on GitHub. The exploit code uses the exposed 8983 port to enable support for Apache Velocity templates on the Solr server and later used it to upload and run malicious code.

Top Scams Reported in the Last 24 Hours

Snail-mail forwarding scam
Scammers have been found abusing the USPS mail forwarding feature to send bogus mail requests on behalf of unsuspecting victims. Threats range from obtaining a line of credit on an unsuspecting victim’s behalf, insurance fraud, intercepting a tax return, to hijacking an existing financial account, and synthetic ID theft.

Excel phishing email
A new phishing scam that scares users of signing them out of Excel has been spotted by researchers. The scam is carried out via a phishing email that asks the victims to verify their accounts in order to prevent their Excel files from being locked.


snail mail forwarding scam
elasticsearch server
vnc systems
raccoon stealer
trickbot trojan

Posted on: November 25, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.