Go to listing page

Cyware Daily Threat Intelligence, September 30, 2020

Cyware Daily Threat Intelligence, September 30, 2020

Share Blog Post

Failing to apply security patches on time can create unwanted problems for organizations. In a similar vein, researchers have found that at least 61% of Microsoft Exchange Servers are still vulnerable to a remote code execution vulnerability that was fixed in February this year. This indicates that organizations using Exchange 2010, 2013, 2016, and 2019 servers are vulnerable to different remote attacks.

Reports on different versions of LodaRAT and an Exorcist 2.0 ransomware have also emerged in the last 24 hours. While the LodaRAT variants are primarily being distributed via a malicious RAR archive attached to phishing emails, the Exorcist 2.0 ransomware uses fake software crack sites for propagation.

Top Breaches Reported in the Last 24 Hours

Arthur J. Gallagher impacted
The U.S.-based Arthur J.Gallagher & Co. has disclosed a ransomware attack that occurred on September 26. It is not clear how the attackers breached the company’s network and which malware family was used to infect systems. However, Arthur J. Gallager mentioned that it has taken the necessary steps to contain the spread of the malware.

Medical Center hit by ransomware
The Ashtabula County Medical Center took its computer systems offline after being hit by an apparent ransomware attack on September 21. Following the attack, the hackers had encrypted files and demanded a ransom to restore the systems.

Swatch becomes the latest victim
Swiss watchmaker Swatch Group was forced to shut its IT systems after being attacked during the weekend. This immediate security measure enabled the firm to prevent the spread of the attack.

Top Malware Reported in the Last 24 Hours

New versions of LodaRAT detected
Researchers have observed new variants of LodaRAT that include additional obfuscation techniques and new capabilities. In one version tracked as v1.1.7,  a hex-encoded PowerShell keylogger script has been added, along with a new VB script. Some of these variants are distributed via a malicious RAR archive attached to phishing emails. The overall functionality of the different versions is quite similar to one another, with some key differences.

Exorcist 2.0 ransomware
In a new discovery, threat actors are using fake software crack sites to push Exorcist 2.0 ransomware onto the victims’ machines. The crack sites pretend to offer download links for popular programs, such as Windows 10, for free. Furthermore, the program archives contain a password-protected zip file that allows the download to occur in the background without being detected by Google Safe Browsing, Microsoft SmartScreen, or installed security software.

Top Vulnerabilities Reported in the Last 24 Hours

Exchange servers open to exploitation
Over 247,000 Microsoft Exchange Servers vulnerable to CVE-2020-0688, a remote code execution vulnerability, are exposed to attacks. A patch for the flaw that exists in the control panel of the Exchange Server was issued in February. However, several firms have failed to apply the update on time, making them a potential target for cyber attacks.

Cisco fixes two DoS flaws
Cisco has addressed two high-severity DoS vulnerabilities that reside in the IOS XR Network OS. The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, are touted to be actively exploited in the wild.

Faulty wireless routers
Synopsys has issued an advisory about authentication bypass vulnerabilities in multiple wireless routers manufactured by Qualcomm, MediaTek, and Realtek. The flaws are tracked as CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991. They can allow an attacker to inject packets into a WPA-2 protected network without any knowledge of the preshared key.

Top Scams Reported in the Last 24 Hours

Unique phishing attack
A unique phishing attack that made use of sign-in timestamps was revealed by a researcher. The attack method involved sending multiple emails from a compromised email account with a link to a phishing page to capture more credentials. Sending a reply-all email from the compromised account gave the phishers more opportunity to collect credentials of almost all employees working in an organization.


ashtabula county medical center
exorcist 20 ransomware
arthur jgallagher co

Posted on: September 30, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.