
Cyware Daily Threat Intelligence, October 18, 2019

Multiple cryptojacking attacks have come to light in the past 24 hours. In one incident, security researchers uncovered a massive cryptomining campaign that infected more than 50% of the computers at a European international airport. In another, a fake ‘WordPress Framework’ plugin was found giving attackers unauthorized access to WordPress sites in order to mine cryptocurrencies.

In other developments, the Android apps of UC Browser and its Mini variant were found violating a major Google Play Store rule, exposing over 500 million Android users to MITM attacks. UC Browser downloaded an additional APK from a third-party store over an unprotected channel. Upon learning of this, UCWeb took immediate action and fixed the issue across its apps.

Top Breaches Reported in the Last 24 Hours

Over 250,000 CVs exposed
Unsecured AWS servers belonging to two online recruitment firms have exposed more than 250,000 CVs of job candidates. The two victim companies are Authentic Jobs and Sonic Jobs in the UK. The potentially exposed information includes names, addresses, job histories, and phone numbers of individuals.

Mission Health’s store attacked
The website of Mission Health was under malware attack for three years. This allowed hackers to gain unauthorized access to the payment information of customers of store.mission-health.org and shopmissionhealth.org. According to reports, the theft was carried out using malware first installed in March 2016, which remained undetected until June 2019.

CPSC leaks data
The Consumer Product Safety Commission (CPSC) accidentally disclosed the personal details of around 30,000 consumers to 29 entities. The incident occurred between December 2017 and March 2019. The disclosed information included street addresses, age, and gender, along with information on 10,900 manufacturers.

Top Malware Reported in the Last 24 Hours

Fake WordPress plugin
Researchers have uncovered a fake version of the ‘WordPress Framework’ plugin that attackers used to gain unauthorized access to sites and mine cryptocurrencies. Despite having been removed from the WordPress public repository, the plugin still has more than 400 active installations.

Stripe users targeted
A phishing campaign using fake ‘invalid account’ Stripe support alerts targeted customers in an attempt to steal account information and login credentials. The attackers behind the campaign used an HTML-based trick to redirect Stripe customers to a phishing page designed to collect users’ credentials, bank account numbers, and phone numbers.

Cryptominer detected
More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer. The cryptominer is linked to the Anti-CoinMiner campaign, which was first spotted in August 2018. Researchers were able to detect the infection because the threat actors repeatedly launched PAExec, a redistributable version of the legitimate Microsoft tool PsExec.
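As an added illustration of the detection pivot described above (example code written for this digest, not from Cyware or the original researchers), the following Python check scans constructed process-creation events and flags hosts that launch PAExec repeatedly within a short window, while a single administrative use stays below the threshold. The log format, hostnames, paths, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical pipe-delimited
# format: timestamp|host|parent_image|image|command_line), not real telemetry.
SAMPLE_EVENTS = """\
2019-10-17T08:01:12|ws-014|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe
2019-10-17T08:02:03|ws-014|C:\\Windows\\Temp\\svc.exe|C:\\Windows\\Temp\\paexec.exe|paexec.exe \\\\ws-022 -s cmd /c C:\\Temp\\upd.exe
2019-10-17T08:02:41|ws-014|C:\\Windows\\Temp\\svc.exe|C:\\Windows\\Temp\\PAExec.exe|PAExec.exe \\\\ws-023 -s cmd /c C:\\Temp\\upd.exe
2019-10-17T08:03:15|ws-014|C:\\Windows\\Temp\\svc.exe|C:\\Windows\\Temp\\paexec.exe|paexec.exe \\\\ws-024 -s cmd /c C:\\Temp\\upd.exe
2019-10-17T09:30:00|admin-01|C:\\Windows\\System32\\cmd.exe|C:\\Tools\\paexec.exe|paexec.exe \\\\srv-db01 ipconfig
2019-10-17T14:45:10|admin-01|C:\\Windows\\System32\\cmd.exe|C:\\Tools\\paexec.exe|paexec.exe \\\\srv-db02 ipconfig
"""

# Match the PAExec image name at the end of a Windows path, in any case.
PAEXEC_RE = re.compile(r"(?:^|[\\/])paexec\.exe$", re.IGNORECASE)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "image": image, "cmdline": cmdline})
    return events


def find_repeated_paexec(events, threshold=3, window=timedelta(minutes=10)):
    """Return {host: max_launches} for hosts that started PAExec at least
    `threshold` times inside any sliding time window of length `window`."""
    launches = defaultdict(list)
    for ev in events:
        if PAEXEC_RE.search(ev["image"]):
            launches[ev["host"]].append(ev["ts"])
    flagged = {}
    for host, times in launches.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged
```

With the sample data, `find_repeated_paexec(parse_events(SAMPLE_EVENTS))` flags only `ws-014`, which fired PAExec three times in just over a minute; the two spaced-out launches on `admin-01` are not reported.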

Top Vulnerabilities Reported in the Last 24 Hours

UC Browser’s vulnerable users
The UC Browser and UC Browser Mini Android apps exposed over 500 million Android users to MITM attacks. The browser violated Google Play Store policy by downloading an additional APK from a third-party store over an unprotected channel. Upon being informed, UCWeb updated both apps and fixed the issue.

VMware patches a critical bug
VMware has issued a security advisory for a critical ‘broken access control’ vulnerability in its Cloud Foundation and in Harbor Container Registry for Pivotal Cloud Foundry (PCF). The vulnerability is tracked as CVE-2019-16919 and affects versions 1.8x of the Harbor product. The issue has been fixed in the release of v1.8.4; however, a patch is still pending for VMware Cloud Foundation.

Faulty RTLWIFI driver
A potentially serious vulnerability in the RTLWIFI driver can trigger an overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. The vulnerability is tracked as CVE-2019-17666.

Two newly patched Kubernetes flaws
The Kubernetes team has released new builds that patch the Kubernetes vulnerabilities CVE-2019-16276 and CVE-2019-11253. The vulnerabilities posed a risk under some Kubernetes configurations. Upgrading to Kubernetes builds 1.14.8, 1.15.5, or 1.16.2 is recommended to address the issues.


Posted on: October 18, 2019