Cyware Daily Threat Intelligence, September 23, 2019

See All
Fake and malicious apps have become the latest channel for cybercriminals to drop malware and conduct malicious activities. Four VPN apps, named HotSpotVPN, Free VPN Master, Secure VPN, and CM Security Applock AntiVirus, have been found pushing unwanted ads to commit ad fraud while generating revenue for bad actors. These apps have more than 500 million downloads and all app developers are said to be from China.  

In another incident, a new Mac trojan called ‘Trojan.MacOS.GMERA’ has been found to be distributed via a legitimate-looking fake app Stockfolio. Once the malware is executed, it collects several types of system information such as username, IP address, OS installation date, wireless network information, file system disk space usage and more.

New details related to Magecart’s malicious script have surfaced in the past 24 hours. Researchers have uncovered that threat actors have been purchasing existing malicious domains used in old Magecart attacks to conduct new malvertising campaigns.

Top Breaches Reported in the Last 24 Hours

YouTube accounts hijacked
Several high-profile accounts of YouTube creators have been targeted in a massive wave of account hijacks. These accounts especially belong to auto and car community. Some of the affected YouTube channels include Built, Troy Sowers, MaxtChekVids, PURE Function, and Musafir, among others.

Travis Central Appraisal District targeted
On September 11, 2019, the Travis Central Appraisal District became aware that their computer systems were impacted by a cyberattack. The attack affected website property search, phone, email, and Computer Assisted Mass Appraisal systems. The District has restored the core systems and they are currently working in normal conditions.

Faulty Tesco’s parking web app
Tens of millions of unsecured ANPR images from the Tesco parking validation web app were found exposed in a Microsoft Azure blob. The app was used to compare the store-generated code with the ANPR images to decide whom to issue parking charges. This happened during a planned data migration exercise to an AWS data lake, which left the access to the Azure blob open. Although it has been shut off, Tesco hasn’t confirmed the duration for which the information was left exposed.

Top Malware Reported in the Last 24 Hours

Malicious VPN apps
Four VPN apps for Android have been found to be committing ad fraud. The malicious apps are HotSpotVPN, Free VPN Master, Secure VPN, and CM Security Applock AntiVirus. Unwanted ads are pushed by these apps, causing the invasion of user privacy. This also caused the CPU to heat up fast and phone battery to drain out because of the constant HTTP requests.

Repurposing Magecart domains
Researchers have noted that bad actors are purchasing existing malicious domains used in old Magecart attacks to conduct new malvertising campaigns. While some of the malicious domains have been sinkholed and seized, there are a few which are released back into the pool of available domains. It is these domains that are being purchased by bad actors for malicious purposes.

New Mac trojan
A new Mac trojan named ‘Trojan.MacOS.GMERA’ has been detected by security researchers. The malware masquerades as a legitimate trading application named Stockfolio. Once the malware is executed, it collects several types of system information such as username, IP address, OS installation date, wireless network information, file system disk space usage, and more.

Phishing attack
Threat actors are impersonating employees of a private equity firm in a new phishing campaign. They are sending emails in a simple format that includes information about non-disclosure agreements. This NDA is actually a phishing page designed to steal Office 365 credentials from users.

Top Vulnerabilities Reported in the Last 24 Hours

Critical bugs in Jira
Atlassian has released advisories for two critical bugs impacting Jira Service Desk and Jira Service Desk Data Center. The vulnerabilities are tracked as CVE-2019-14994 and CVE-2019-15001. The former is an information disclosure vulnerability and the later can enable attackers to remotely execute malicious code. It is recommended that users should update to the latest versions of the software available.

Top Scams Reported in the Last 24 Hours

ATO scam
Australians are targeted through a new email scam that was first observed on September 16, 2019. The email appears to come from the Australian Taxation Office and includes a link named ‘Information on your TAX records update’. Recipients who click the link are led to an identity verification page that includes the logo of Microsoft. It asks the victims to enter their email addresses. The scam has been designed to harvest ATO login credentials from unsuspecting users. Thus, users are advised to be cautious while clicking emails from untrusted senders.


See Our Products In Action




  • Share this blog:
Previous
Cyware Daily Threat Intelligence, September 24, 2019
Next
Cyware Daily Threat Intelligence, September 20, 2019
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.