Cyware Daily Threat Intelligence, September 09, 2019

Phishing attacks are a common way of stealing someone’s personal information, credentials or money without them knowing about it. In two different incidents, phishers have managed to trick Toyota Boshoku Corporation and the City of Unalaska into wiring money into their fraudulent bank account. While Toyota Boshoku Corporation announced a loss of over $37 million, the City of Unalaska reportedly lost over $2.9 million following the Business Email Compromise (BEC) attacks.

In a new finding, NERC has revealed that a cyber-security incident that impacted a US power grid in March 2019 was due to unpatched firewalls. The attackers had used a DoS flaw to reboot firewalls for about ten hours.

In another major incident, U.S. Cyber Command has shared 11 malware samples that are linked with North Korean government hacker groups. Most of these samples are tied to the notorious Lazarus threat actor group.

Months after the discovery of the ‘Return of the Wizard’ vulnerability, the popular Exim servers have been found to be impacted by a new security bug that can allow attackers to run malicious code with root privileges. The newly discovered vulnerability affects Exim versions prior to 4.92.1.

Top Breaches Reported in the Last 24 Hours

Wikipedia suffers a DDoS attack
Wikipedia has suffered a massive DDoS attack, impacting its website across various countries. The attack occurred between September 6 and September 7, 2019. The impacted countries include the UK, France, Germany, Italy, the Netherlands, Poland, and parts of the Middle East.

Monster.com’s data breach
An exposed web server containing resumes of job seekers has been found online. The exposed information includes data from the recruitment site Monster.com. The leaked resumes span from 2014 to 2017 and include private information such as phone numbers, home addresses, and work experience.

Boshoku loses $37 million
Toyota Boshoku Corporation has lost over $37 million following a business email compromise attack. The incident was caused by a malicious third party. Upon discovery, the organization reported the matter to professional legal teams and is taking appropriate steps to recover the lost funds.

Faulty power grid
New details about cybersecurity incidents impacting a US power grid entity earlier this year have emerged recently. In a report, the North American Electric Reliability Corporation (NERC) has highlighted that the incident was caused by a DoS flaw in the entity's firewalls, which the attackers exploited to reboot the firewalls for about ten hours.

The City of Unalaska recovering 
The City of Unalaska has recovered around $2.3 million of the money it lost in a phishing attack. The recovered amount is part of the $2,985,406.10 which the City lost to scammers. The attack was conducted between May 15 and July 9, 2019. The scammers posed as a known vendor to trick the officials.

Oklahoma City attacked
Hackers have managed to steal about $4.2 million from a pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers. The theft occurred on August 26, 2019, after an employee’s email account was hacked. The city has managed to recover about $477,000 of the stolen funds.

Top Malware Reported in the Last 24 Hours

Win32/StealthFalcon
Researchers have uncovered that the PowerShell-based backdoor used by the Project Raven threat actor group is similar to the Win32/StealthFalcon backdoor of the Stealth Falcon group. The PowerShell-based backdoor is delivered via a weaponized document attached to a malicious email.

A new version of Nemty
A web page pretending to offer an official application from PayPal is currently spreading a new variant of Nemty ransomware to unsuspecting users. The malicious executable is named 'cashback.exe'. According to researchers, Nemty ransomware is now at version 1.4, which comes with minor bug fixes.

Lilocked ransomware
A new ransomware strain tracked as Lilocked has been found actively targeting vulnerable Linux servers and encrypting the data stored on them. The malware leverages an Exim exploit to target servers. Once installed, it appends the encrypted files with .lilocked extension and later drops a ransom note named #README.lilocked.
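As an added illustration (not from the original post), here is a small Python check for the two file-level indicators this item describes: the `.lilocked` extension on encrypted files and the `#README.lilocked` ransom note. The directory tree it scans is constructed in a temporary folder, and the function names are my own.

```python
import os
import tempfile
from pathlib import Path

# Indicators described in the digest: encrypted files gain a ".lilocked"
# extension and a ransom note named "#README.lilocked" is dropped.
LILOCKED_EXT = ".lilocked"
RANSOM_NOTE = "#README.lilocked"


def scan_for_lilocked(root):
    """Walk `root` and report Lilocked indicators.

    Returns a dict with the encrypted file paths, the directories holding a
    ransom note, and a boolean verdict. Paths are relative to `root` (POSIX
    style) so the report is stable regardless of where the tree lives.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(rel_dir.as_posix())
            elif name.endswith(LILOCKED_EXT):
                encrypted.append((rel_dir / name).as_posix())
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(notes),
        # Either indicator alone is enough to escalate; both together are
        # a strong match for the behaviour described in the item above.
        "infected": bool(encrypted or notes),
    }


def build_sample_tree():
    """Create a constructed (fake) directory tree for demonstration.

    Mimics a partially encrypted web root: two encrypted files, one
    untouched file elsewhere, and a ransom note in the affected directory.
    """
    root = Path(tempfile.mkdtemp(prefix="lilocked_demo_"))
    (root / "var" / "www").mkdir(parents=True)
    (root / "var" / "www" / "index.html.lilocked").write_text("x")
    (root / "var" / "www" / "app.js.lilocked").write_text("x")
    (root / "var" / "www" / RANSOM_NOTE).write_text("constructed note")
    (root / "etc").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    return root


if __name__ == "__main__":
    print(scan_for_lilocked(build_sample_tree()))
```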

HOPLIGHT malware
U.S. Cyber Command has shared 11 malware samples on VirusTotal, which are believed to be linked with North Korean threat actor groups. Most of the samples share similarities with HOPLIGHT malware and are tied to the Lazarus threat actor group. HOPLIGHT is a trojan that is primarily involved in gathering information from victims’ systems.

Top Vulnerabilities Reported in the Last 24 Hours

Second bug discovered in Exim servers
All Exim servers running versions prior to 4.92.1 are vulnerable to a security flaw that can grant attackers the ability to run malicious code with root privileges. The vulnerability is tracked as CVE-2019-15846 and is fixed in the latest release, version 4.92.2.

Vulnerable Telestar Digital GmbH IoT devices
Two critical vulnerabilities have been found impacting Telestar Digital GmbH IoT radio devices. The vulnerabilities have been assigned CVE IDs, CVE-2019-13473 and CVE-2019-13474. These flaws can allow attackers to remotely hijack systems.

Top Scams Reported in the Last 24 Hours

iPhone giveaway scam
In a new giveaway scam, a celebrity’s Twitter account was hacked in an attempt to conduct fake giveaways for Apple products. It is unclear how the hackers managed to take control of the account, but its followers could see an enticing announcement. The post included a short URL that was meant for collecting victims’ personal information. Apart from iPhones, the scam offered users free Tesla cars, Apple Watches, MacBook Pro computers, and gift cards.

Posted on: September 09, 2019