
Cyware Daily Threat Intelligence, October 07, 2019


With threat actors constantly looking for opportunities to exploit vulnerable computers, servers, and other critical systems, organizations should always be ready to apply the latest security patches. Two new cases of vulnerability exploitation, in VPN products and in the Drupal CMS, have come to notice in the past 24 hours.

The National Cyber Security Center (NCSC) has issued a notice regarding the wide exploitation of vulnerable VPN products from Pulse Secure, Palo Alto, and Fortinet. It has noted that attackers can abuse a wide range of security flaws in popular enterprise VPN products to steal login credentials, change configuration settings or connect to internal infrastructure. Organizations are advised to apply patches and reset authentication credentials to address the issue.

Meanwhile, the year-old Drupalgeddon2 vulnerability is being actively exploited on websites running vulnerable versions of the Drupal CMS, using malicious GIF files. The malicious files are hosted on a Brazilian bodysurfing website which appears to have been hijacked by attackers.

Amidst all these threats, there is good news for the victims affected by HildaCrypt ransomware. They can now decrypt the encrypted files from the ransomware using decryption keys which are available for free.

Top Breaches Reported in the Last 24 Hours

DCH Hospitals pay ransom
DCH hospitals in Alabama have decided to pay the ransom demanded in the Ryuk ransomware attack. The DCH health system operates the three hospitals in Alabama that were forced to shut down operations following the attack on October 1, 2019. While some systems have been restored from backups, there are a few that still need the Ryuk decryption key in order to restore access to the encrypted systems.

UAB Medicine data breach
UAB Medicine fell victim to a phishing attack on August 7, 2019. The attackers gained access to numerous employee email accounts that contained the health information of 19,557 patients. The compromised information included patient names, birthdates, diagnoses, treatment information, and, for some patients, their Social Security numbers as well.

EA Sports leaks data
The registration site for the FIFA 2020 Global Series had to be taken offline after it was discovered to be leaking the private data of all registered participants. According to EA Sports FIFA, players were able to freely view the details of around 1600 participants who had submitted entries to the tournament.

New Zealanders’ data leaked
In New Zealand, an investigation by the National Cyber Security Centre (NCSC) has unearthed a sophisticated 2016 cyberattack that exposed people's personal data dating back to 2002. The hack successfully targeted systems at Tū Ora Compass Health, which provides data services to Think Hauora and patient services to Cosine, Te Awakairangi Health Network, and Ora Toa. The attack has jeopardized the details of about one million New Zealanders.

Top Malware Reported in the Last 24 Hours

HildaCrypt ransomware key released
The developer of HildaCrypt has released the decryption keys of the ransomware. With these keys, a decryptor can be made that would allow any potential victims to recover their files for free.

APT hacker groups exploit vulnerable VPN
The National Cyber Security Center (NCSC) has found that APT groups are actively exploiting vulnerabilities in popular enterprise VPN products to retrieve arbitrary files. The malicious activities include stealing login credentials, changing configuration settings, and connecting to internal infrastructure. The affected VPN products are from Pulse Secure, Palo Alto, and Fortinet.

Magecart’s telemetry data
A study has revealed that the Magecart threat group may have impacted millions of users since its first appearance in 2010. The group has compromised over 17,000 domains and stolen the payment card details of many users. Nearly 2,058 of those domains were accessed through an unprotected AWS bucket, and around 9,688 of the compromised websites ran a vulnerable Magento platform.

Top Vulnerabilities Reported in the Last 24 Hours

Drupalgeddon2 exploited
The year-old Drupalgeddon2 vulnerability is being actively exploited through malicious GIF files. The flaw impacts Drupal CMS versions from 7.58 to 8.5.1. The malicious files are hosted on a Brazilian bodysurfing website which appears to have been hijacked.

Bug in D-Link routers
Researchers have publicly disclosed a severe remote code execution vulnerability in a range of D-Link routers. Classified as unauthenticated command injection, the vulnerability impacts D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 product lines. The bug lies in a poorly authenticated login action that attackers could trigger remotely.

Signal patches a flaw
The popular encrypted messaging app Signal has fixed a serious flaw in its Android app. Discovered by Google's Project Zero team, the bug could allow bad actors to answer calls on behalf of users. The flaw affects only audio calls. Signal has patched the issue in the latest update of the app, version 4.47.7.

Unpatched Android flaw
A privilege escalation vulnerability affecting phones running Android 8.x is being widely exploited by attackers. The flaw, tracked as CVE-2019-2215, affects the Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, LG phones running Oreo, and the Samsung Galaxy S7, S8, and S9. The Android team has rated the flaw as 'High' severity and has issued patches for some devices.


Posted on: October 07, 2019
