Cyware Daily Threat Intelligence, September 03, 2019

Evading detection while continuing with the infection process is one of the primary goals of all malware attacks. Lately, threat actors have come up with sophisticated propagation processes to distribute different malware. While a fake BleachBit website that claims to clean up your disk space is used to spread AZORult trojan, fake Q&A posts on hacked WordPress sites are leveraged to distribute the notorious Sodinokibi ransomware.

Talking about vulnerabilities, security researchers have uncovered several vulnerabilities impacting the baseboard management controllers (BMCs) of Supermicro X9-X11 servers. Collectively called USBAnywhere, these vulnerabilities can allow an attacker to exfiltrate data from workstations and servers running on Supermicro motherboards.

In an interesting cyber incident, cybercriminals have managed to steal more than $1.65 million from a German bank by cloning customers' debit cards. The theft occurred last week and involved around 2000 customers of the German bank Oldenburgische Landesbank (OLB).

A new form of vishing attack that makes use of AI-based voice-generating software has been discovered in the past 24 hours. The attack enabled fraudsters to wire around $243,000 out of an energy firm, leaving no chance of recovering the lost amount.

Top Breaches Reported in the Last 24 Hours

XKCD forum suffers a breach
XKCD forum has been taken offline following a security breach that occurred two months ago. The incident has affected the personal information of more than 562,000 members. The exposed information includes usernames, email addresses, hashed passwords, and in some cases an IP address of users.

Yves Rocher’s data exposed
An unprotected Elasticsearch database belonging to Aliznet has exposed the personal data of over 2.5 million Yves Rocher customers. The compromised data includes first and last names, phone numbers, email addresses, birth dates, and zip codes of customers. In addition to this, the database also exposed internal data related to the cosmetics firm, including store traffic, turnover, and order volumes.

Option Way’s data breached
A leaky database associated with Option Way, a France-based flight booking website, was found leaking over 100GB of data. This included customers’ names, birth dates, gender, email addresses, phone numbers, home addresses, destinations, flight prices, and other sensitive details.

Foxit software suffers a data breach
PDF software provider Foxit Software suffered a data breach after unauthorized third parties gained access to its data systems including ‘My Account’ user data. The compromised ‘My Account’ user data includes usernames, email addresses, company names, phone numbers, user account passwords, and user IP addresses.

Top Malware Reported in the Last 24 Hours

Sodinokibi ransomware
A hacker has been found compromising WordPress sites with the intent of distributing Sodinokibi ransomware. The hacked websites are injected with malicious JavaScript that overlays the actual content and displays a fake Q&A forum post to visitors. These fake ‘answer’ posts contain a link to the ransomware installer.

Nemty ransomware
The newly discovered Nemty ransomware, which appeared on the radar towards the end of August, is now distributed in malvertising campaigns using the RIG exploit kit. The malware appends the .nemty extension to the files it encrypts. It then displays a ransom note with instructions on how to pay to recover the data.

New Astaroth trojan variant
Security researchers have uncovered a new variant of the Astaroth trojan that is distributed by abusing the Cloudflare Workers serverless computing platform. This enables the attackers to avoid detection while carrying out the infection process. The variant is delivered in JSON format, with the payload depending on the target’s location.

AZORult trojan
Cybercriminals have created a fake BleachBit website in order to spread the AZORult information-stealing trojan. Once installed, the trojan contacts its C2 server for instructions and collects browser history, login credentials, cookies, and files in specific locations.

Top Vulnerabilities Reported in the Last 24 Hours

USBAnywhere vulnerability
A new set of vulnerabilities named USBAnywhere has been found impacting the baseboard management controller (BMC) firmware of Supermicro motherboards. This has opened more than 47,000 workstations and servers running on Supermicro motherboards to cyberattacks. Patches are available to fix the vulnerabilities which include plaintext authentication, unencrypted network traffic, weak encryption, and authentication bypass.

Cisco releases security patches
Cisco has released security patches to fix vulnerabilities impacting its Adaptive Security Appliance (ASA) and NX-OS software. ASA is affected by an authentication bypass vulnerability (CVE-2019-1714) and NX-OS by an arbitrary file overwrite vulnerability (CVE-2019-1729).

Top Scams Reported in the Last 24 Hours

New form of vishing attack
Fraudsters have found a new form of vishing attack that enabled them to drain around $243,000 from an energy firm. They leveraged AI-based software to fake the voice of the CEO of a UK-based energy firm and tricked the targeted employees. The fraudsters asked the employees to transfer the money to a Hungary-based supplier within an hour and promised to refund it soon. However, the money was never refunded, and another money transfer demand was placed using the same tactic.


Posted on: September 03, 2019
