Cyware Daily Threat Intelligence, September 01, 2020


Failing to conduct due diligence for cybersecurity can prove costly, and this is what has happened with Apple. The software giant accidentally allowed a malware sample to run on macOS by approving it as part of its security notarization process. Detected as OSX.Shlayer, the malware was distributed disguised as an Adobe Flash Player installer on a fake Homebrew site.

A global COVID-19 phishing campaign that resulted in the distribution of the AgentTesla trojan has also been discovered in the last 24 hours. The campaign relied on phishing emails that purported to be from chemical manufacturers and import/export businesses. These emails offered information about surgical masks and other personal protective equipment. Additionally, a new ransomware called Cyrat has been discovered by researchers. The ransomware, written in Python, appends the .CYRAT extension to encrypted files.

Top Breaches Reported in the Last 24 Hours

Drivers’ details exposed
Scans of 54,000 Australian driver’s licenses were left exposed online due to an unsecured Amazon S3 bucket. Some of the data dated back to 2018 and included birth dates, physical addresses, and driver’s license numbers. The data also included completed documents called "statutory declarations" in either .jpg or .pdf files.
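An unsecured bucket of the kind described above becomes public through one of two settings: a bucket ACL that grants a global group read access, or a bucket policy that allows read actions to the `*` principal. The following check, added here as an illustration and not taken from the original post or from any AWS tooling, walks both structures in the JSON shapes the S3 API returns (the `get_bucket_acl` grant list and a bucket policy document) and reports every path that would let anyone read objects. The sample ACL, policy, and bucket name are constructed for the example.

```python
"""Flag S3 bucket settings that expose objects to the world.

Added example: checks the two places a bucket becomes public, its ACL
grants and its bucket policy, using the JSON shapes the S3 API returns.
The sample ACL and policy below are constructed for illustration; they
are not the bucket from the incident.
"""
import json

# Grantee URIs that mean "anyone" (or "anyone with an AWS account") in an S3 ACL.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that let the grantee read or list objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions (lower-cased) that let a principal fetch or list objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def acl_findings(acl):
    """Return findings for ACL grants that give a public group read access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if group and grant.get("Permission") in READ_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def policy_findings(policy):
    """Return findings for Allow statements that let anyone read objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            # A Condition block may narrow the grant (e.g. to a VPC), so report
            # it separately rather than treating it as a confirmed exposure.
            suffix = " (conditional)" if "Condition" in stmt else ""
            findings.append(f"Policy allows {sorted(actions)} to '*'{suffix}")
    return findings


def public_exposures(acl, policy_json):
    """Combine both checks; an empty list means no public read path was found."""
    policy = json.loads(policy_json) if policy_json else {}
    return acl_findings(acl) + policy_findings(policy)


# Constructed samples: a world-readable ACL and a policy that opens GetObject to all.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-licence-scans/*",  # hypothetical bucket name
    }],
})
# A private bucket for comparison: owner-only ACL, no policy attached.
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    for finding in public_exposures(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", finding)
```

In practice the two inputs come from `get_bucket_acl` and `get_bucket_policy` for each bucket in the account; a bucket with Block Public Access enabled at the account level is protected even when these checks fire, so the result is best read as "settings that would expose data if that guard were absent".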

Top Malware Reported in the Last 24 Hours

Cyrat ransomware
Researchers have uncovered new ransomware called Cyrat that uses the Fernet symmetric encryption scheme, an unusual choice for ransomware. It is written in Python and appends the .CYRAT extension to encrypted files. The malware is disguised as DLL Fixer 2.5 and, upon execution, displays a randomly generated count of supposedly corrupted DLLs found on the system.

macOS adware campaign
Apple accidentally approved the OSX.Shlayer Mac malware, disguised as Adobe Flash Player, as part of its security notarization process. The malware was hosted on a website (homebrew[.]sh) that spoofed the legitimate Homebrew site. When users visited the website, it redirected them several times before telling them that their Adobe Flash Player was outdated and needed an update.

AgentTesla returns
A COVID-19 phishing campaign that purports to offer information about surgical masks and other personal protective equipment is infecting victims’ devices with the AgentTesla remote access trojan. The campaign appears to have started in May and leverages phishing emails that spoof messages from chemical manufacturers and import/export businesses.  

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable wolfSSL
A vulnerability in the wolfSSL library could be abused to allow attackers to intercept communications and read data. The flaw, tracked as CVE-2020-24613, arose from an incorrect implementation of the TLS 1.3 client state machine. This could allow an adversary to mimic any TLS 1.3 server and read data communicated by wolfSSL library clients. The vendor has patched the flaw with the release of wolfSSL version 4.5.0.

Faulty Slack app updated
A critical remote code execution vulnerability affecting versions 4.2 and 4.32 of the Slack app was disclosed last week, after the software maker fixed the issue. It could be exploited to run arbitrary code via a trusted *.slack.com page and access a victim’s private files, passwords, and other data.

OpenSIS patches flaws 
OpenSIS has fixed multiple vulnerabilities affecting its software products. All of these flaws are related to SQL injection and are tracked as CVE-2020-6123, CVE-2020-6126, CVE-2020-6127, CVE-2020-6128, CVE-2020-6129, and CVE-2020-6130. 
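The advisories above all concern the same flaw class, SQL injection, so the illustration below shows the class itself rather than any OpenSIS code: a query built by string formatting next to the parameterised query that fixes it, run against an in-memory SQLite table so the difference in behaviour is observable. This is an added example, not taken from the original post or from the OpenSIS project; the `students` table, its rows and the lookup functions are constructed for the demonstration.

```python
"""SQL injection, the flaw class behind the OpenSIS advisories, on a toy table.

Added example, not OpenSIS code: a string-built query beside its
parameterised replacement, run against an in-memory SQLite table so the
difference is observable. Table and rows are constructed for illustration.
"""
import sqlite3


def make_db():
    """Build an in-memory table of students (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, "alice", "A"), (2, "bob", "B"), (3, "carol", "C")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: user input is pasted into the SQL text, so a quote character
    in the input changes the structure of the query rather than its value."""
    query = f"SELECT id, name, grade FROM students WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Fixed: the value travels as a bound parameter; the database never parses
    it as SQL, so the same input simply matches no student."""
    return conn.execute(
        "SELECT id, name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


# An input that is an ordinary (non-matching) name to the safe version but
# rewrites the WHERE clause in the vulnerable one; the textbook tautology,
# used here only to make the difference visible.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY))  # every row
    print("safe:      ", lookup_safe(db, TAUTOLOGY))        # no rows
```

The fix is the same in any database driver: keep SQL text static and pass every user-controlled value through the driver's parameter binding, which is what a code review of an SQL-injection advisory should look for.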
 
Top Scams Reported in the Last 24 Hours

Fake wallet update
A user lost 1400 BTC in a scam after downloading a fake version of the Electrum wallet. The scam relied on a popup message that asked the user to update the wallet security to initiate the transfer of funds. Users are advised to check the signature of every new version of a cryptocurrency wallet before installing it on their phone.

 Tags

osxshlayer
cyrat ransomware
slack app
opensis
agenttesla trojan

Posted on: September 01, 2020
