Cyware Daily Threat Intelligence, October 14, 2019


An Iranian hacker group named Silent Librarian (also tracked as Cobalt Dickens and TA407) has updated its tactics and techniques to steal intellectual property from universities across the globe. Security researchers report that the group ran phishing campaigns between June and October built around fake university login pages, spoofed library and account notices, and alerts urging recipients to sign in. The affected universities are mainly in the United States and Europe.

The past 24 hours also saw the emergence of a new macOS malware, Tarmac, and a new variant of Nemty ransomware, version 1.6. Both are distributed via online malvertising campaigns. The Tarmac campaign redirects potential victims to sites displaying fake software updates, while Nemty 1.6 is delivered by an exploit kit to users who are still running Internet Explorer and Flash Player.

Top Breaches Reported in the Last 24 Hours

Click2mail hacked
Mail service provider Click2mail has suffered a data breach that exposed the personal information of its customers. The stolen information includes customer names, organization names, account mailing addresses, email addresses, and phone numbers. The attackers have already used the stolen email addresses to send spam to affected customers.

Hunt Memorial Hospital data breach
The Hunt Memorial Hospital District has released an update regarding a cyberattack that was discovered last year. According to reports, the attack occurred in May 2018, when hackers gained access to information stored on the hospital's computer network. The exposed data included personal information of a subset of the hospital's patients.

Website leaks data
The Philadelphia Department of Public Health's website has leaked the health records of residents. The exposed information comprises names, addresses, Social Security numbers, and medical records. It is not known whether the data has been accessed or misused by attackers.

Top Malware Reported in the Last 24 Hours

Tarmac malware
A new piece of malware named Tarmac is targeting macOS users via online malvertising campaigns. The malware redirects potential victims to sites displaying fake software updates. The campaign targets macOS users in Japan, Italy, and the US.

Nemty 1.6 released
Nemty 1.6 ransomware is being pushed via the RIG exploit kit in a malvertising campaign. The campaign targets users who are still running Internet Explorer and Flash Player, which the exploit kit abuses to gain code execution. The ransomware uses the Windows cryptographic libraries to encrypt victims' files. A decryptor released by Tesorion can recover files encrypted by Nemty 1.6; it does not necessarily apply to other Nemty versions.

TA407 updates its TTPs
TA407, also known as Cobalt Dickens and Silent Librarian, has updated its tactics and techniques to steal intellectual property from universities across the globe. The threat actor group conducted most of its phishing campaigns from June through October. It primarily targeted universities in North America and Europe, many of them in the United States.

Sodinokibi operators make a fortune
Researchers estimate that the Sodinokibi operators earned bitcoin worth $287,499 in just 72 hours. The researchers also observed a large number of transactions from affiliates to a single wallet holding 443 bitcoins, worth around $4.5 million at the time of writing.

Malicious ‘Study the Great Nation’ app
Experts claim that the Chinese Communist Party's app, Study the Great Nation, has 'superuser' access on over 100 million Android devices. The app contains a backdoor through which the government can access messages, photos, contacts, and internet browsing history on the handsets.

Malicious scheme
Attackers have created an elaborate scheme to distribute a cryptocurrency trading program called JMT Trader that installs a backdoor Trojan on the victim's Mac or Windows PC. The trojanized program is promoted through a Twitter account of the same name, giving the download an appearance of legitimacy.

Top Vulnerabilities Reported in the Last 24 Hours

Buggy Nitro PDF
A fix for a vulnerability in the current version of Nitro PDF Pro is on its way. Tracked as CVE-2019-5050, the bug resides in the PDF parsing functionality of the software and can be exploited for remote code execution on the victim host by convincing a user to open a specially crafted PDF file in a vulnerable version. The bug is one of a set of six vulnerabilities reported in Nitro PDF Pro. Until the vendor patch ships, a micropatch released by Acros Security blocks exploitation of CVE-2019-5050.


Posted on: October 14, 2019
