Cyware Daily Threat Intelligence, October 29, 2020


Unpatched systems are easy prey for malicious actors launching sophisticated cyberespionage campaigns. One such vulnerability is the Windows SMBGhost flaw. Despite the release of the patch, researchers have found that over 100,000 Windows systems are still vulnerable to this critical remote code execution flaw. Furthermore, threat actors have begun scanning the internet for vulnerable Oracle WebLogic servers. The flaw in question can allow a complete takeover of affected systems.

There has also been quite a buzz about ransomware threats in the last 24 hours. While it is speculated that the Maze ransomware operation is about to close down, in another development it has been uncovered that threat actors are using the Buer Loader malware to deliver the Ryuk ransomware.

Top Breaches Reported in the Last 24 Hours

Home Depot inadvertently shares data
Home Depot in Canada inadvertently shared the details of over 600 orders with strangers. The leaked information included customers' names, order numbers, order items, and partial payment card information.

European organization hacked
Russian-speaking hacking group Turla has hacked into the systems of an undisclosed European government organization. To compromise the organization’s network, the attackers used a combination of RATs and backdoors such as HyperStack.

Gunnebo’s stolen data leaked
Data stolen from the Swedish security firm Gunnebo has been leaked on the dark web. The hackers uploaded 38,000 files to a public server after the management declined to pay the ransom. The leaked documents include security arrangements for the Swedish parliament, as well as alarm systems and detailed floor plans for the bank vaults of two German banks.

Top Malware Reported in the Last 24 Hours

Buer Loader delivers Ryuk
Researchers have uncovered that Ryuk ransomware operators are heavily relying on Buer Loader malware, instead of Emotet and TrickBot, to deliver the ransomware. Buer is a malware-as-a-service tool that enables threat actors to establish a digital foothold within a network. In a campaign observed in September, the loader was found hidden within a malicious document that ultimately caused the delivery of the ransomware.

Emotet’s activity spikes
Since August 1, researchers have observed a spike in Emotet activity, with roughly 1,800 detections in a single day. The latest campaign was spotted on October 19, in which victims were tricked with a fake update notification for Microsoft Word. In another incident, Emotet has been found using parked domains that redirect to the Comcast and McAfee brands to expand its malicious campaign.

Maze ransomware likely to shut down
It is speculated that the Maze ransomware operators will soon shut down their operations. As part of the shutdown process, the threat actors stopped encrypting new victims in September 2020 and are trying to extort the remaining ones. Furthermore, they have started cleaning up their data leak site, with just two victims' data left to be removed.

Top Vulnerabilities Reported in the Last 24 Hours

Unpatched Windows systems
Despite the release of the patch for the SMBGhost vulnerability (CVE-2020-0796), it has been found that more than 100,000 Windows systems are still vulnerable to the flaw. Described as a remote code execution flaw, it affects Windows 10 and Windows 2019. It has a CVSS score of 10/10.

QTS bugs
QNAP has listed two vulnerabilities affecting QTS in its latest advisory. Tracked as CVE-2020-2490 and CVE-2020-2492, the two flaws are classified as command injection vulnerabilities. It is unclear how an attacker could exploit them. The flaws do not affect QTS 4.4.3.1421 build 20200907 and later.

Vulnerable WebLogic server
Threat actors have started hunting for Oracle WebLogic servers vulnerable to CVE-2020-14882. The flaw, which can be exploited via a simple HTTP GET request, can allow attackers to take control of the affected systems.

Posted on: October 29, 2020
