Cyware Daily Threat Intelligence September 26, 2018

Security experts have observed a recent surge in DanaBot banking malware campaigns. The cybercriminals behind the malware have shifted to targeting European nations, including Poland, Italy, Germany, Austria, and as of September 2018, Ukraine. DanaBot is capable of stealing credentials from several browsers. The malware has also been upgraded and now contains functionalities such as a Tor plugin that allows attackers to connect to .onion websites. 

Security researchers have discovered around 25 Android apps on the Google Play Store contain malicious code that mines for Monero. The Monero mining code was discovered to apps disguised as games, utilities and educational apps, among others. The malicious apps have been downloaded and installed over 120,000 times, hinting at the number of devices that may have been infected by the Monero miner. 

Monero developers recently patched a potentially dangerous vulnerability that was brought to light after a user posted a hypothetical question about stealth addresses on a Monero subreddit. The "burning" bug, if exploited, could have allowed attackers to steal massive amounts of cryptocurrencies from exchanges. 

Around 88 Cisco products were found containing a DoS vulnerability dubbed FragmentSmack. The vulnerability could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. Although the flaw was found on Linux, along with its sibling dubbed SegmentSmack, the bug can also impact Windows systems. Cisco has advised customers to check the product-specific documentation for possible workarounds until a patch is available.

Apple's latest OS Mojave was found to contain a zero-day vulnerability that could allow a remote attacker to bypass Apple's protections. The vulnerability could also allow attackers the ability to access a Mac user’s address book.

One of the United Nation's WordPress websites publicly exposed thousands of resumes of hopeful job seekers. The breach was caused by a path disclosure and an information disclosure bug. The organization was unable to plug the leak despite receiving a private report on this issue. It was found that the job applications sent to the UN were sent via an improperly configured web application. This oversight allowed attackers the ability to access a directory index of the documents. 

NewsNow was hit by a data breach that exposed users' encrypted passwords. The breach was caused by a backdoor on some of NewsNow's servers. The attackers allegedly exploited an eight-year-old code. After NewsNow discovered the breach, it shut down all affected servers. Although it's not clear as to how many users were impacted, those impacted by the breach, have been notified by email.