Cyware Daily Threat Intelligence, September 19, 2019

Security researchers have raised an alarm about a new DDoS attack vector. They warn that the WS-Discovery (WSD) protocol is currently being abused for massive DDoS attacks. The protocol is used by about 630,000 devices worldwide, which leaves them quite vulnerable to such abuse.

Several phishing email attacks have been noticed in the past 24 hours. In one instance, the technique is being used to deliver the Amadey botnet malware to taxpayers in the U.S., while in another incident, attackers are stealing Microsoft login credentials from users by utilizing the SmtpJS service.

The past 24 hours also saw a major evolution in Magecart card-skimming attacks. The attackers behind the recent attacks injected a card-skimming script into the websites of two hotel chains, which are spread across 14 countries. The purpose of this malicious script is to steal data from payment forms, including credit card details, names, email addresses, telephone numbers, and hotel room preferences.

Top Breaches Reported in the Last 24 Hours

1.7TB leaked data secured
An unprotected storage device containing 1.7 terabytes of information related to telecommunication installations throughout the Russian Federation has recently been secured. Of the 1.7 terabytes, 700GB were photographs stored as JPG images and 245GB were email archives. Around 197,343 PDFs appeared to contain contractual agreements between telcos and the companies contracted to install and maintain physical hardware.

Ramsey County updates on data breach
Ramsey County has recently revealed that the cybersecurity incident that took place in August 2018 affected around 117,905 individuals. Earlier, it was estimated that the attack, which occurred due to unauthorized access, had affected around 5,000 people. The attack took place after a hacker gained control of 26 employee email accounts.

Scotiabank data leak
Scotiabank leaked online a trove of its internal source code and some of its private login keys to backend systems. The Canadian financial giant has taken down GitHub repositories containing sensitive information that were inadvertently left open to the public. The repositories featured, among other things, software blueprints and access keys for the SQL database of a foreign exchange rate system, mobile application code, and login credentials for services and database instances.

Top Malware Reported in the Last 24 Hours

Magecart skimming attack
Mobile websites of two hotel chains have fallen victim to new Magecart card-skimming attacks. The attackers injected malicious JavaScript into the ‘viewedHotels’ module of both websites to steal data from payment forms, including credit card details, names, email addresses, telephone numbers, and hotel room preferences. Both websites were developed by Roomleader, a company from Spain.

New DDoS attack vector
Attackers have been found abusing the WS-Discovery (WSD) protocol to launch a new type of DDoS attack. The protocol is found in a wide array of products and has shipped as a default feature in Windows since Windows Vista. Researchers note that there are more than 630,000 devices that are vulnerable to abuse in WSD attacks.

WannaCry terror continues
Researchers have concluded that more than 12,000 variants of the WannaCry ransomware have appeared since it was first discovered in 2017. These variants are still active and quite capable of spreading broken copies of themselves to Windows computers that have not been patched.

Amadey botnet
A new phishing campaign has been spotted delivering the Amadey botnet malware to taxpayers in the U.S. The malware is distributed via fake income tax refund emails that pretend to be from the Internal Revenue Service (IRS). Instead of asking the victims to provide their login credentials, the email includes a temporary username and password to log into a fake IRS portal.

Microsoft account phishing scam
A new Microsoft account phishing scam has been discovered that utilizes the SmtpJS service to steal credentials from users. The scam is initiated through a phishing email that comes embedded with a fake Microsoft login page. When users submit their credentials, the page saves them to a database controlled by the attackers and tells the user that the submitted credentials are incorrect.

Restaurant Depot phishing campaign
Customers of commercial foodservice wholesaler Restaurant Depot were targeted in phishing emails that asked them for payment of an outstanding invoice. The email further warned that failing to pay the amount would result in a deduction of the balance from their accounts.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Harbor registry
Security researchers have identified a critical privilege escalation vulnerability, tracked as CVE-2019-16097, in the cloud-native registry Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. It affects versions 1.7.0 to 1.8.2. The issue has been fixed in versions 1.7.6 and 1.8.3.

Microsoft fixes a bug
Microsoft has released a fix for a bug that made its Windows Defender Antivirus fail after a few seconds when users opted for a Quick or Full scan of the system. The bug exists in Defender antimalware engine version 4.18.1908.7. Users are advised to install security intelligence update v1.301.1684.0 or later to get the software working again.

Top Scams Reported in the Last 24 Hours

IT support scam
Federal authorities are investigating a massive IT support scam that affected more than 7,500 victims. These victims were convinced their computers needed fixing after being shown a fake warning. The warning, which appears as a pop-up, asks the victim to call a number provided in order to get rid of their system infection. The scammers would then take control of the victims' PCs and pretend to fix the non-existent problems while charging varying amounts. The scam has resulted in a loss of around $10 million for the victims.


Posted on: September 19, 2019