Cyware Daily Threat Intelligence October 06, 2017

Top Malware Reported in the Last 24 Hours
FormBook malware
A previously little-known information stealer, FormBook, has gained considerable traction over the past few months. It has been advertised on an underground hacking forum and is sold together with a PHP-based control panel for the buyer. The malware itself is simple and has no extension or plugin system, but it has been seen going after systems with outdated security patches. Users are advised to patch their systems promptly.

KnockKnock campaign
An attack campaign against Office 365 Exchange Online email accounts, dubbed KnockKnock, was recently discovered. It targets organizations in manufacturing, financial services, healthcare and the public sector. Rather than going after individual users, the attackers targeted automated corporate email accounts that are not tied to an individual person. Because no human operates these accounts, they are often excluded from multi-factor authentication and their logins go unmonitored, which makes them a weak point in an otherwise protected tenant.

Rooting Trojans
Cybercriminals are using a legitimate VMware binary to deliver banking Trojans against the Brazilian financial sector. The attackers send phishing emails containing malicious URLs that pass through the goo[.]gl URL shortener. The link leads to a RAR archive containing a JAR file; opening the JAR launches the Java process, which installs the Trojan.

Top Vulnerabilities Reported in the Last 24 Hours
SAP server bugs
Over the past couple of months, security researchers have discovered eight bugs in SAP products that could allow an attacker to take down SAP servers entirely. SAP systems typically host an enterprise's most sensitive data, including customer behavior, pricing, financial forecasting and business forecasting, so an outage or compromise of these servers carries a correspondingly high impact.

Apache Tomcat fixes
Apache Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a remote code execution (RCE) vulnerability affecting all operating systems. The flaw, tracked as CVE-2017-12617, is rated Important by the Apache Tomcat security team. It is exploitable only when HTTP PUT is enabled, that is, when the Default servlet's readonly initialization parameter is set to false; in that configuration a crafted request can upload a JSP file to the server, which is then executed. Users are advised to update to the latest Tomcat release and to confirm that PUT is not enabled unless it is genuinely required.
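The following check is added here as an example; it is not code from the Tomcat project or from the original briefing. It encodes the two conditions that matter for CVE-2017-12617: a Tomcat build older than the fixed releases listed above, and HTTP PUT enabled on the Default servlet (the readonly init-param set to false, the known precondition for this flaw). The web.xml fragments are constructed samples, not real deployments.

```python
import xml.etree.ElementTree as ET

# First fixed release per Tomcat branch (7.0.82, 8.0.47, 8.5.23, 9.0.1).
# Keyed by (major, minor) so each branch is compared against its own fix.
FIXED_IN = {(7, 0): (7, 0, 82), (8, 0): (8, 0, 47),
            (8, 5): (8, 5, 23), (9, 0): (9, 0, 1)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample of a conf/web.xml with the weak setting: PUT enabled
# on the Default servlet (readonly=false). Not taken from a real system.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Same file with the corrected setting. readonly defaults to true, so
# removing the init-param is equivalent; setting it explicitly documents intent.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_allows_put(web_xml_text):
    """True if a DefaultServlet declaration sets readonly=false (PUT enabled)."""
    root = ET.fromstring(web_xml_text)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                name = value = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        name = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        value = (p.text or "").strip()
                params[name] = value
        if cls == DEFAULT_SERVLET and params.get("readonly", "true").lower() == "false":
            return True
    return False


def version_is_patched(version):
    """Compare a Tomcat version string such as '8.5.22' against its branch's fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    branch = parts[:2]
    if branch not in FIXED_IN:
        raise ValueError("unknown Tomcat branch: %s" % version)
    return parts >= FIXED_IN[branch]


def assess(version, web_xml_text):
    """Combine both conditions: exploitable only when unpatched AND PUT is enabled."""
    patched = version_is_patched(version)
    put_enabled = default_servlet_allows_put(web_xml_text)
    return {"patched": patched, "put_enabled": put_enabled,
            "exploitable": (not patched) and put_enabled}


if __name__ == "__main__":
    for ver, xml in (("8.5.22", VULNERABLE_WEB_XML), ("8.5.23", VULNERABLE_WEB_XML),
                     ("8.5.22", HARDENED_WEB_XML)):
        print(ver, assess(ver, xml))
```

Even on a patched build, readonly=false lets clients write into the web root unless a security constraint restricts the PUT method, so treat a true put_enabled result as a finding in its own right rather than something the upgrade alone resolves.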

Joomla! Vulnerability
CVE-2017-14596 is an LDAP injection vulnerability in Joomla!'s LDAP authentication plugin that lets an attacker extract user login credentials through the login form. Affected versions are Joomla! 1.5.0 through 3.7.5, and the flaw is only exposed when Joomla! is configured to use LDAP for authentication; it is fixed in 3.8.0. Administrators running LDAP authentication should upgrade without delay, since the injection point is the login form itself and no existing account is needed to reach it.
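As an added illustration (not Joomla!'s own code), the block below contrasts building an LDAP search filter by raw string substitution with building it through RFC 4515 escaping, and uses a minimal filter parser to show the structural change an attacker-controlled username causes. The filter template, the injected username and the parser are assumptions for the demonstration; the plugin's real query is not reproduced. The injected value appends a userPassword assertion with a wildcard, which is the shape of a blind probe: the login response differs depending on whether the extra assertion matches, so credentials can be confirmed one character at a time.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is only ever a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Assumed filter template for looking up the login name in the directory.
FILTER_TEMPLATE = "(&(uid=%s)(objectClass=person))"


def build_filter_unsafe(username):
    """The vulnerable pattern: raw substitution of the login name."""
    return FILTER_TEMPLATE % username


def build_filter_safe(username):
    """The hardened pattern: the login name cannot introduce filter syntax."""
    return FILTER_TEMPLATE % escape_filter_value(username)


def _parse_at(s, pos):
    """Minimal RFC 4515 parser (assumed for this demo). Returns (tree, next_pos).
    Trees: ('&'|'|'|'!', [children]) or ('=', attribute, value)."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(s) and s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse_at(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError("unterminated '%s' at offset %d" % (op, pos))
        return (op, children), pos + 1
    end = s.find(")", pos)
    if end < 0:
        raise ValueError("unterminated assertion at offset %d" % pos)
    attr, sep, value = s[pos:end].partition("=")
    if not sep:
        raise ValueError("assertion without '=' at offset %d" % pos)
    return ("=", attr, value), end + 1


def parse_filter(s):
    """Parse a complete filter and reject trailing data."""
    tree, pos = _parse_at(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter: %r" % s[pos:])
    return tree


def leaf_assertions(tree):
    """Count the attribute=value assertions in a parsed filter."""
    if tree[0] == "=":
        return 1
    return sum(leaf_assertions(c) for c in tree[1])


def has_raw_wildcard(tree):
    """True if any assertion value still contains an unescaped '*'."""
    if tree[0] == "=":
        return "*" in tree[2]
    return any(has_raw_wildcard(c) for c in tree[1])


# Constructed attacker input: closes the uid assertion and adds a probe on
# userPassword. With raw substitution the filter gains a third assertion.
INJECTED_USERNAME = "admin)(userPassword=a*"

if __name__ == "__main__":
    for build in (build_filter_unsafe, build_filter_safe):
        ldap_filter = build(INJECTED_USERNAME)
        tree = parse_filter(ldap_filter)
        print(build.__name__, ldap_filter,
              "assertions=%d raw_wildcard=%s" % (leaf_assertions(tree), has_raw_wildcard(tree)))
```

In a real codebase use the escaping routine your LDAP library already ships (python-ldap's ldap.filter.escape_filter_chars or ldap3's ldap3.utils.conv.escape_filter_chars) rather than a hand-rolled table, and apply it at every point where user input enters a filter or a DN, not only on the login path.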

Top Breaches Reported in the Last 24 Hours
Chief of staff’s phone breach
White House chief of staff John Kelly's personal phone was most likely compromised, possibly for months. The suspected breach was discovered by the White House IT team when Kelly brought the phone to them. This has raised concerns that attackers may have had access to the data on Kelly's phone, although it is not yet known whether any data was actually accessed.

Arkansas Oral and Facial Surgery Center
An investigation revealed that ransomware had been installed on the systems of Arkansas Oral & Facial Surgery Center. The attack not only locked up patient records but may also have exposed patients' personal information. The motive is believed to have been extortion rather than theft of patient information.

Posted on: October 06, 2017