Cyware Daily Threat Intelligence, October 11, 2019


Cybercrime groups make continuous improvements in their tools and techniques to launch advanced and devastating attacks. The infamous FIN7 is one such threat actor group that has rolled out new malware to target the Aloha Command Center client used in payment card processing environments. Dubbed RDFSNIFFER and BOOSTWRITE, the two malware tools feature several new evasion techniques.

In other developments, Apple has fixed a total of 16 vulnerabilities in its latest desktop operating system iteration macOS Catalina 10.15. The flaws impacted components such as CoreAudio, Crash Reporter, IOGraphics, Kernel, Notes, PDFKit, and WebKit, among others.

Apart from fixes, the past 24 hours also saw researchers releasing decryption keys for the notorious Nemty ransomware. The decryptors are available for versions 1.4 and 1.6 of the ransomware.

Top Breaches Reported in the Last 24 Hours

Data on sale
Personal details of 250,000 users of the forum Hookers[.]nl were accessed by hackers who exploited a vBulletin vulnerability in the forum software. The email addresses of the users were then posted for sale online. The hacked data includes user names, IP addresses, and passwords that are encrypted but could still be cracked.

Leafly suffers a breach
Leafly, one of the largest cannabis websites, suffered a breach impacting some of its customers. The incident has affected users’ email addresses, usernames, and passwords. However, no credit card information or national identification number has been impacted by the breach.

Top Malware Reported in the Last 24 Hours

Decryptor for Nemty released
Decryptors for Nemty versions 1.4 and 1.6 are now available. The decryptor can be used to decrypt files with certain file extensions. Victims affected by the ransomware are required to upload their encrypted files to the servers of Tesorian (the creator of the decryptors) to get the right combination.

FIN7’s new arsenal
Several new tools have been discovered in the malware arsenal of the criminal organization FIN7. Researchers from FireEye disclosed two such tools named BOOSTWRITE and RDFSNIFFER. The RDFSNIFFER module is loaded by BOOSTWRITE, and it enables attackers to monitor and interfere with connections of NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient).

New credential-stealing campaign
People in Nordic countries are being targeted in a new credential-stealing campaign that works through malicious emails. The emails purport to be part of a previously agreed-upon conversation and include a link, without much explanation. The link redirects the victims to fraudulent pages that ask them to log in with Yahoo, Office 365, or Gmail accounts.

New CASHY200 backdoor
A new analysis of the xHunt campaign has revealed that attackers used a new PowerShell-based backdoor named CASHY200. The malware used DNS tunneling to communicate with its C2 server. Word documents were used to deliver PowerShell payloads using firewallsupports[.]com.

Top Vulnerabilities Reported in the Last 24 Hours

Apple’s macOS Catalina 10.15 released
Apple has addressed 16 vulnerabilities in its latest desktop operating system iteration macOS Catalina 10.15. The flaws impacted components such as CoreAudio, Crash Reporter, IOGraphics, Kernel, Notes, PDFKit, and WebKit, among others. The fixed bugs include multiple memory corruption issues, a race condition, a logic issue and an issue with the handling of links in encrypted PDFs.

Vulnerable Satcom EXPLORER 710
Researchers have uncovered multiple vulnerabilities in the Cobham EXPLORER 710 Satcom terminal. The flaws could allow hackers to perform several attacks, such as intercepting traffic, remotely executing commands, implanting and hiding a backdoor, causing a DoS, exfiltrating sensitive data, and more.

Sophos fixes an issue
Sophos has issued a security patch for a vulnerability in its CyberoamOS (CROS) firewalls. The flaw could potentially be exploited by an attacker to gain access to a company’s internal network without providing a password. The flaw affects CROS versions prior to 10.6.6 MR-5.



Posted on: October 11, 2019
