Cyware Daily Threat Intelligence September 6, 2018

Top Vulnerabilities Reported in the Last 24 Hours

Ubuntu flaws
Ubuntu has released security updates for libtirpc, the transport-independent RPC library. Researchers found that libtirpc incorrectly handled certain inputs: one flaw is a stack-based buffer overflow and the other a null-pointer dereference. Either could be exploited to cause a denial of service (DoS). Users are advised to update to the latest packages.

Cisco vulnerabilities
Cisco published 30 security advisories covering multiple vulnerabilities in its products; around half of the flaws are rated high or critical severity. Among them are a buffer overflow, a privilege escalation and several command injection bugs. A critical vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data belonging to the targeted organization and to other organizations. The advisories also address the recently disclosed remote code execution vulnerability in Apache Struts.

Top Malware Reported in the Last 24 Hours

Occamy
A new Monero-mining malware, Trojan.Occamy, has been found infecting victims through spearphishing or malvertising. The miner is delivered as a self-extracting executable (SFX) that drops its components under 'C:\Program Files\Windriverhost'. A bundled db.rar archive unpacks to a further VBScript, a batch file that starts driverhost.exe, the driverhost.exe miner binary itself, and a config.json file that holds the ID and password required for mining.
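The drop directory and file names above are enough to hunt for Occamy on an endpoint or in an exported file listing. The Python below is an added example written for this page, not Cyware's or any vendor's tooling: it classifies paths under the reported directory and applies a pairing heuristic of its own (miner binary plus config.json) to separate an infection from a stray leftover. The sample listing and the script names start.bat and run.vbs are constructed; the write-up names the VBScript and batch file only by type.

```python
"""Hunt for Trojan.Occamy's drop directory on a file listing (added example)."""
import os
import ntpath
from typing import Dict, Iterable, List, Optional

# Drop directory and component names are the ones reported above.
OCCAMY_DIR = r"C:\Program Files\Windriverhost"
OCCAMY_COMPONENTS = {"db.rar", "driverhost.exe", "config.json"}
# The VBScript and batch file are only described by type, so match on extension.
SCRIPT_EXTS = {".vbs", ".vbe", ".bat", ".cmd"}

_PREFIX = ntpath.normpath(OCCAMY_DIR).lower() + "\\"


def classify_path(path: str) -> Optional[str]:
    """Label a path inside the Occamy drop directory; None for anything else.

    Comparison is case-insensitive because NTFS paths are, and ntpath is used
    so the check also runs on a listing exported from a Windows host to Linux.
    """
    norm = ntpath.normpath(path).lower()
    if not norm.startswith(_PREFIX):
        return None
    name = ntpath.basename(norm)
    if name in OCCAMY_COMPONENTS:
        return "component"
    if ntpath.splitext(name)[1] in SCRIPT_EXTS:
        return "script"
    return "other"


def find_occamy_artifacts(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group every path under the drop directory by label."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        label = classify_path(p)
        if label is not None:
            hits.setdefault(label, []).append(p)
    return hits


def is_occamy_infection(hits: Dict[str, List[str]]) -> bool:
    """Heuristic (this example's own): the miner binary together with its
    config.json is the strongest pairing; a lone leftover is worth a look
    but not a verdict."""
    names = {ntpath.basename(p).lower() for p in hits.get("component", [])}
    return {"driverhost.exe", "config.json"} <= names


def scan_host(root: str = r"C:\Program Files") -> Dict[str, List[str]]:
    """Walk a live Windows filesystem and apply the same classification."""
    listing = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_occamy_artifacts(listing)


# Constructed sample listing (not a capture from a real host). The script
# names start.bat and run.vbs are placeholders; the write-up gives no names.
SAMPLE_LISTING = [
    r"C:\Program Files\Windriverhost\db.rar",
    r"C:\Program Files\Windriverhost\driverhost.exe",
    r"C:\Program Files\Windriverhost\config.json",
    r"C:\Program Files\Windriverhost\start.bat",
    r"C:\Program Files\Windriverhost\run.vbs",
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    found = find_occamy_artifacts(SAMPLE_LISTING)
    for label, paths in found.items():
        print(label, paths)
    print("infected:", is_occamy_infection(found))
```

On a real host, run scan_host() from an elevated prompt so that Program Files is fully readable; a hit on driverhost.exe alone still deserves a look at the process list, since the batch file is what launches it.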

CroniX malware
Threat actors are exploiting the Apache Struts 2 vulnerability in a new cryptomining campaign that delivers a Monero miner dubbed CroniX. The malware persists through three cron jobs, two of which download and execute a fresh update file every day. It also kills competing cryptominers already running on the host.

PowerPool
A newly identified threat group, dubbed PowerPool, has been seen exploiting the recently disclosed and still unpatched Windows zero-day (a local privilege escalation in the Task Scheduler's ALPC interface) to deliver first- and second-stage backdoors. The first stage is a reconnaissance backdoor that takes screenshots and sends them to the command-and-control (C&C) server. The second-stage backdoor executes arbitrary commands and uploads and downloads files. PowerShell tools are then deployed to retrieve usernames and password hashes from the Security Account Manager (SAM).
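The final step above, PowerShell reading password hashes out of the SAM, leaves recognisable strings in script block logs (PowerShell event ID 4104) wherever script block logging is enabled. The Python below is an added example for this page, not code from the PowerPool report or any product: it scores script block text against indicators of offline SAM hash extraction (the SAM hive paths, reg save of the SAM and SYSTEM hives, and the four LSA subkeys JD, Skew1, GBG and Data whose class names yield the boot key). The registry locations are standard to the technique; the weights, threshold and the four sample script blocks are this example's own constructions.

```python
"""Flag PowerShell script blocks that extract password hashes from the SAM (added example)."""
import re
from typing import List, NamedTuple, Tuple


class ScriptBlock(NamedTuple):
    record_id: int   # e.g. the EventRecordID of a 4104 event
    text: str        # the ScriptBlockText field


class Finding(NamedTuple):
    record_id: int
    score: int
    reasons: List[str]


# Indicators of offline SAM hash extraction. Paths and the LSA subkeys are the
# ones the technique needs; the weights are this example's own heuristic.
SAM_RULES = [
    ("sam-hive-access", re.compile(
        r"HKLM:?\\SAM\\|\bSAM\\SAM\\Domains\\Account\\Users\b|\\config\\SAM\b", re.I), 4),
    ("reg-save-hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b", re.I), 4),
    ("bootkey-derivation", re.compile(r"Control\\Lsa\\(JD|Skew1|GBG|Data)\b", re.I), 3),
    ("raw-registry-api", re.compile(
        r"\[Microsoft\.Win32\.Registry(Key)?\]::|\.OpenSubKey\(", re.I), 1),
    ("hash-output", re.compile(r"\b(NTLM|LM)\s*hash(es)?\b|:::", re.I), 1),
]
THRESHOLD = 4  # one strong indicator, or a pairing of weaker ones


def score_block(text: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires on one script block."""
    score, reasons = 0, []
    for name, rx, weight in SAM_RULES:
        if rx.search(text):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(blocks: List[ScriptBlock], threshold: int = THRESHOLD) -> List[Finding]:
    """Return the blocks at or above the threshold, highest score first."""
    findings = []
    for b in blocks:
        score, reasons = score_block(b.text)
        if score >= threshold:
            findings.append(Finding(b.record_id, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample script blocks (not real log data): two benign admin
# one-liners and two that read the SAM the way a hash dumper does.
SAMPLE_BLOCKS = [
    ScriptBlock(101, "Get-Service | Where-Object Status -eq 'Running' | Select-Object Name"),
    ScriptBlock(102, r"$users = [Microsoft.Win32.Registry]::LocalMachine"
                     r".OpenSubKey('SAM\SAM\Domains\Account\Users'); "
                     r"$jd = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD'"),
    ScriptBlock(103, r"reg save hklm\sam C:\Users\Public\sam.hiv; "
                     r"reg save hklm\system C:\Users\Public\sys.hiv"),
    ScriptBlock(104, r"Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'"
                     r" | Select-Object ProductName"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_BLOCKS):
        print(f.record_id, f.score, f.reasons)
```

Because the SAM hive is readable only as SYSTEM, a 4104 hit of this kind on a host where the user was not an administrator is itself evidence that the privilege escalation succeeded.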
