Cyware Daily Threat Intelligence, September 26, 2019


A widespread spam campaign that leverages a variety of message templates to evade detection has been noticed in the past 24 hours. Dubbed Chameleon, the campaign is conducted using a botnet. The spam emails sent by the botnet include fake job alerts, fake airline booking invoices, fake FedEx delivery notifications, and fake email account security alerts. The victim countries include the United States, Germany, Vietnam, Singapore, the United Kingdom, the Netherlands, and more.

The past 24 hours also witnessed a new phishing attack that makes use of the URL Encoding technique to bypass secure email gateways. The purpose of the attack is to steal Microsoft Office 365 credentials from users.

In a major development, security researchers have managed to break the encryption of three ransomware families, namely Yatron, WannaCryFake, and FortuneCrypt. The researchers were able to develop decryptors because of weaknesses in the ransomware's encryption implementations.

Top Breaches Reported in the Last 24 Hours

Second data leak for Ecuador
Another unprotected server leaking the personal details of 20 million Ecuadorians was discovered recently. The server was used by a company named Databook. The exposed information included names, phone numbers, vehicle information, family member details, and email addresses. The leaky server has since been secured.

Vodafone app leaks data
Vodafone customers in New Zealand using the mobile carrier’s app could see the details of other customers. The issue arose during a planned upgrade of the app. As a result, users got logged into someone else’s account. It is unclear how many users were impacted by the security breach.

Airbus hit by four major attacks
European aerospace giant Airbus has been hit by a series of attacks in the last 12 months, four of which are considered major. The purpose of the attacks was to steal commercial secrets and technical documents by going through Airbus suppliers. Experts believe it is the work of China-based hackers.

Top Malware Reported in the Last 24 Hours

Decryptors for ransomware
Multiple security vendors have released decryptors for various ransomware families, namely Yatron, WannaCryFake, and FortuneCrypt. Kaspersky has published decryptors for Yatron and FortuneCrypt, while Emsisoft has issued a decryptor for WannaCryFake.

Chameleon spam campaign
Security researchers have uncovered a botnet that is involved in sending a wide range of spam emails. The spam variants include fake FedEx delivery notifications, fake job alerts, fake LinkedIn messages, fake airline booking invoices, and fake email account security alerts. The affected countries include the United States, Germany, Vietnam, Singapore, the United Kingdom, the Netherlands, and more.

Magecart 5 targets Wi-Fi routers
New research reveals that Magecart Group 5 is testing malicious code on L7 routers, which are used to provide commercial Wi-Fi connectivity. The group has constructed an attack scenario that could infect the devices of mobile users and steal their data when they install malicious apps to shop online.

Windows Narrator abused
A suspected Chinese APT group is replacing Windows Narrator with a malicious variant to gain remote access to computers. The campaign is focused on infiltrating systems belonging to companies in Southeast Asia.

Phishing attack
Threat actors are using the URL Encoding technique to trick users into sharing their Microsoft Office 365 credentials in a new phishing campaign. Percent-encoding the link lets the attackers hide their phishing page URLs from secure email gateways that inspect the raw, encoded form. The email is sent from a compromised email account belonging to a relatively well-known American brand.
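A gateway-side check for the evasion described above, written as an added example rather than code from the report: it percent-decodes every link in a message a bounded number of times, extracts the effective host (including a target hidden in a redirect parameter), and flags links whose gateway-visible form differs from what the user's browser will actually resolve. The email body and the .example hosts are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample email body (not taken from the report); hosts use the
# reserved .example TLD so nothing here points at a real site.
SAMPLE_EMAIL = """Your Office 365 password expires today. Review here:
https://%6c%6f%67%69%6e%2d%70%6f%72%74%61%6c%2e%65%78%61%6d%70%6c%65/auth
Unsubscribe: https://news.example/redirect?to=https%253A%252F%252F%6cogin.example%2Fsignin
Company site: https://www.example/about"""


def percent_decode(url: str, max_rounds: int = 3) -> str:
    """Decode a bounded number of times so nested encoding cannot hide the real target."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def analyze_urls(text: str) -> list[dict]:
    """One finding per link: raw form the gateway sees, normalized form, the
    effective host, and the indicators a gateway rule could alert on."""
    findings = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        normalized = percent_decode(raw)
        raw_host = urlsplit(raw).hostname or ""
        host = urlsplit(normalized).hostname or ""
        indicators = []
        if "%" in raw_host:
            # Domain itself is encoded, so plain host matching never sees it
            indicators.append("encoded_host")
        nested = [u for values in parse_qs(urlsplit(normalized).query).values()
                  for u in values if u.lower().startswith(("http://", "https://"))]
        if nested:
            # Redirect parameter carries the real destination; report that host
            indicators.append("nested_url")
            host = urlsplit(nested[0]).hostname or host
        findings.append({"raw": raw, "normalized": normalized,
                         "host": host, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in analyze_urls(SAMPLE_EMAIL):
        print(finding["host"], finding["indicators"])
```

The effective host is what should be fed to reputation and allow-list checks, not the raw string.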

Malicious apps
A total of 25 APKs, published under 22 different developer accounts and mostly masquerading as photo utility apps or a fashion app, were found in the Google Play Store. Downloaded more than 2.1 million times in total, the apps shared a similar code structure and app content. Their purpose was to generate revenue by displaying unwanted ads.

Top Vulnerabilities Reported in the Last 24 Hours

vBulletin zero-day flaw exploited
Attackers are mass-exploiting a zero-day flaw in vBulletin to take control of servers running the software. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability is so severe and easy to exploit that some critics have described it as a backdoor. According to researchers, attackers are using botnets to actively exploit vulnerable servers. The vulnerability exists in default installations of the affected versions.


Posted on: September 26, 2019
