Cyware Daily Threat Intelligence, October 21, 2019


The cyber risk landscape is rapidly evolving as threat actor groups continue to launch sophisticated cyberespionage campaigns with a wide range of malicious intentions. A new report from the UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) has revealed that the Turla group (also known as Venomous Bear) has targeted organizations in at least 35 countries in the past 18 months. The attackers' aim was to steal secrets and documents from a range of targets, including governments.

In other developments, researchers have exposed the modus operandi of three Sodinokibi (REvil) affiliate groups that use compromised RDP servers to get into a network and then spread laterally through it. The three affiliates are tracked as Group 1, affiliate #34, and affiliate #19.

New details about the misuse of VirusTotal and similar scanning services from Alphabet Inc. have also come to light in the past 24 hours. Researchers found that files uploaded to the scanner by company staff are exposing corporate data and intellectual property online.

Top Breaches Reported in the Last 24 Hours

Avast detects a breach
Avast detected an unauthorized intrusion into its internal network on September 23, after an alert from a Microsoft security tool. The attackers used the compromised VPN credentials of an employee to reach an account that had no multi-factor authentication (MFA). Avast believes the intrusion was aimed at tampering with the latest version of its CCleaner software. Remote-access accounts that can be reached from the internet without MFA remain a common entry point, and the gateway should enforce MFA for every account, including temporary and service profiles.

CenturyLink data leak
Researchers discovered a database belonging to CenturyLink exposed on the public internet, holding more than 2.8 million customer records containing personally identifiable information (PII). The database had been left open for 10 months. The exposed data included customers' names, addresses, email addresses, and phone numbers. The database was taken offline after it was reported.

Top Malware Reported in the Last 24 Hours

Turla targets firms in 35 countries
The UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) have published a security advisory about an ongoing campaign by the Turla group. The advisory states that the group has targeted organizations across a range of sectors in at least 35 countries over the past 18 months, with the majority of the attacks carried out against organizations in the Middle East.

REvil affiliate groups identified
McAfee has identified three affiliates, tracked as Group 1, affiliate #34, and affiliate #19, that use compromised RDP systems to spread Sodinokibi (REvil) ransomware. Affiliates #34 and #19 show more advanced tradecraft, including custom Mimikatz batch files to harvest network credentials, custom scripts to clear Windows event logs, and the creation of hidden user accounts. Clearing the logs does not remove every trace: Windows writes the log-clearing event itself into the fresh log, and the account-creation event and any process or registry telemetry forwarded off the host before the wipe are still available to defenders.
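As an added illustration, not part of the Cyware briefing or of McAfee's research: detection logic, written here in Python, run over a constructed set of Windows Security and Sysmon events that follows the sequence described above (a Mimikatz batch run, a new local account, the account hidden from the logon screen, and the Security log cleared). Hiding the user through the Winlogon SpecialAccounts\UserList registry value is an assumption, since the briefing does not say how the affiliates hide their accounts; the host names, account names, command lines and the function names detect and triage are invented for the example.

```python
import re

# Constructed Windows Security / Sysmon events in a normalised shape
# (EventID plus the few fields the rules need). Invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\dump.bat"},
    {"EventID": 1, "Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": r"C:\Windows\Temp\m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 4720, "Computer": "FS01", "User": "CORP\\svc_backup",
     "TargetUserName": "support$"},
    {"EventID": 13, "Computer": "FS01", "User": "CORP\\svc_backup",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                     r"\SpecialAccounts\UserList\support$",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": r"wevtutil.exe cl Security"},
    {"EventID": 1102, "Computer": "FS01", "User": "CORP\\svc_backup"},
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\alice",
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
]

# Mimikatz module syntax survives renaming the binary, so match on the arguments.
MIMIKATZ_RE = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)
# Native ways of clearing event logs from a batch or PowerShell script.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I)
# Setting <Winlogon>\SpecialAccounts\UserList\<name> to 0 hides <name> from the logon screen
# (assumed hiding method for this example).
USERLIST_KEY = "\\winlogon\\specialaccounts\\userlist\\"
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def detect(events):
    """Return (severity, rule, host, detail) tuples for the tradecraft above."""
    findings = []
    created = set()  # (host, account) pairs seen in 4720, for create-then-hide correlation
    for e in events:
        eid, host = e.get("EventID"), e.get("Computer", "?")
        cmd = e.get("CommandLine", "")
        if eid in (1, 4688):  # Sysmon / Security process creation
            if MIMIKATZ_RE.search(cmd):
                findings.append(("high", "credential_dumping", host, cmd))
            if LOG_CLEAR_RE.search(cmd):
                findings.append(("high", "log_clear_command", host, cmd))
        elif eid in (1102, 104):  # Security / System log cleared; written into the fresh log
            findings.append(("high", "audit_log_cleared", host, f"EventID {eid}"))
        elif eid == 4720:  # local account created
            name = e.get("TargetUserName", "")
            created.add((host, name.lower()))
            # a trailing "$" mimics a machine account, a common way to make a user look benign
            sev = "medium" if name.endswith("$") else "low"
            findings.append((sev, "local_user_created", host, name))
        elif eid == 13:  # Sysmon registry value set
            obj = e.get("TargetObject", "")
            if USERLIST_KEY in obj.lower() and "0x00000000" in e.get("Details", ""):
                name = obj.rsplit("\\", 1)[-1]
                # create-then-hide on the same host is the pattern worth paging on
                sev = "critical" if (host, name.lower()) in created else "high"
                findings.append((sev, "hidden_user_via_userlist", host, name))
    return findings


def triage(findings):
    """Collapse findings per host into (highest severity, sorted rule names)."""
    per_host = {}
    for sev, rule, host, _ in findings:
        top, rules = per_host.get(host, ("low", set()))
        if SEVERITY_RANK[sev] > SEVERITY_RANK[top]:
            top = sev
        rules.add(rule)
        per_host[host] = (top, rules)
    return {h: (top, sorted(rules)) for h, (top, rules) in per_host.items()}


if __name__ == "__main__":
    for host, (sev, rules) in triage(detect(SAMPLE_EVENTS)).items():
        print(f"{host}: {sev} -> {', '.join(rules)}")
```

The rules only work if the events reach a collector before the wipe; the 1102 event is the one signal that survives a cleared Security log on the host itself, which is why it is rated high on its own.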

Trojanized Tor browser
Researchers have observed a trojanized version of the Tor Browser that steals bitcoin from users of certain dark web markets. Using this malicious build, the attackers have stolen 4.8 bitcoin (over $40,000) from users of three darknet markets.

Skip 2.0 backdoor
Researchers have uncovered a new backdoor, skip-2.0, that modifies the Microsoft SQL Server (MSSQL) functions that handle authentication. It lets the attackers log in to any account with a "magic password" and hides that session from the database's connection logs. Because the tampering happens inside the SQL Server process, the server's own logs cannot be trusted to show the backdoor in use; checks have to come from outside it, for example host telemetry on code injection into the SQL Server process and network records of connections to the database port compared against what the database logged.

Malvertising campaign
A new malvertising campaign that abuses Google ads on a legitimate site, The New York Times, has been found distributing malware. The ad looks legitimate and promotes the download of an online PDF converter.

Top Vulnerabilities Reported in the Last 24 Hours

Risky Alexa and Google Home apps
Amazon Alexa and Google Home smart assistants can be used to eavesdrop on user conversations or to trick users into handing over sensitive information. The attack works through the backend interface that developers of Alexa skills and Google Home actions use to change an app's behaviour after it has been reviewed. Inserting the character sequence U+D801, dot, space into the app's spoken responses makes the assistant go silent while the app keeps running; the user assumes the interaction has ended, and the app can keep listening or later play a prompt asking for sensitive information.
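As an added example, not from the briefing or from the researchers' work: a Python check that a skill-review pipeline could run over an app's spoken-response text to flag the silence trick, counting lone surrogate code points such as U+D801 (which has no pronunciation) and the dot-space padding pattern described above, and reporting what the user would hear after the fake "end". The function name audit_speech and the two response strings are constructed for the example.

```python
import re
import unicodedata

# Lone surrogate code points (U+D800..U+DFFF) have no pronunciation; U+D801 is the
# one named above. Each "<surrogate>. " unit is one chunk of the silence padding.
PAD_UNIT_RE = re.compile("[\ud800-\udfff]\\.\\s")
PAD_RUN_RE = re.compile("(?:[\ud800-\udfff]\\.\\s)+")


def audit_speech(text: str) -> dict:
    """Flag spoken-response text that pads itself with unpronounceable characters."""
    lone_surrogates = sum(1 for ch in text if 0xD800 <= ord(ch) <= 0xDFFF)
    # Unicode category "C*" covers control, format, surrogate, private-use and
    # unassigned code points; newline and tab are tolerated as formatting.
    unprintable = sum(1 for ch in text
                      if unicodedata.category(ch).startswith("C") and ch not in "\n\t")
    pad_units = len(PAD_UNIT_RE.findall(text))
    spoken_after_pad = ""
    m = PAD_RUN_RE.search(text)
    if m:
        # text after the padding is what plays once the user believes the app has stopped
        spoken_after_pad = text[m.end():].strip()
    return {
        "lone_surrogates": lone_surrogates,
        "unprintable": unprintable,
        "silence_pad_units": pad_units,
        "spoken_after_pad": spoken_after_pad,
        "suspicious": lone_surrogates > 0 or pad_units > 0 or unprintable > 0,
    }


# Constructed responses for the example: a normal sign-off and a padded one that
# resumes with a prompt after the silence.
BENIGN = "Thanks, your order is confirmed. Goodbye!"
CRAFTED = "Goodbye!" + "\ud801. " * 5 + "A security update is available. Please say your password."

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("crafted", CRAFTED)):
        result = audit_speech(text)
        print(label, result["suspicious"], result["silence_pad_units"], repr(result["spoken_after_pad"]))
```

The check is deliberately broad (any unprintable code point is flagged, not just U+D801) because the platform's review only sees the response text, and a benign skill has no reason to emit characters that cannot be spoken.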

Exposure through VirusTotal
Researchers say companies are misusing Alphabet Inc.'s VirusTotal scanner and similar products in a way that leaks data and intellectual property online. They found thousands of unprotected files from companies in the pharmaceutical, industrial, automotive, and food industries. Anything submitted to a multi-engine scanner should be treated as shared with the scanner's other subscribers; looking up a file's hash, rather than uploading the file itself, avoids that exposure.



Posted on: October 21, 2019

