
Cyware Daily Threat Intelligence, April 26, 2019


The past 24 hours witnessed the return of two widely known malware families - Emotet and GandCrab - in different cyber attack campaigns. While the prolific Emotet trojan reappeared in the form of Trojan.W97M.POWLOAD, which leverages a new POST-infection traffic technique, a GandCrab ransomware variant was found to have compromised patient records at no fewer than 38 healthcare centers that received billing-related services from ‘Doctors’ Management Service’.

Security researchers have revealed new details regarding the infamous ‘Operation ShadowHammer’ supply chain attack. The attack, which was used last year to infect over one million ASUS users, has also compromised six other companies based in Asia. Three of these companies are game developers, namely Electronics Extreme, Innovative Extremist and Zepetto. The backdoor malware used in the attack collects system information and sends it to the attackers’ C2 server.

Top Breaches Reported in the Last 24 Hours

Doctors’ Management Service hit by ransomware
A ransomware attack at the medical billing service provider ‘Doctors’ Management Service’ has resulted in the compromise of patients’ data from 38 of its clients. Officials discovered the issue on December 24, 2018 and determined that it was the work of a GandCrab ransomware variant. The data impacted in the attack includes patients’ names, birthdates, Social Security numbers, driver’s license numbers, and medical data.

Cleveland Hopkins International airport attacked
The email, payroll and record-keeping systems at Cleveland Hopkins International Airport have been affected by a ransomware attack that occurred on April 22, 2019. The attackers may have accessed airport employee payroll records and other personal information. While the FBI is investigating the matter, officials report that there is no impact on flight or safety operations.

Hong Kong’s Amnesty International attacked
Hackers linked with the Chinese government have attacked the Hong Kong office of Amnesty International. The office had been under attack since last year, although the unauthorized access was only detected on March 15. The attack was discovered while officials were updating the organization’s IT infrastructure as part of a scheduled upgrade.

Top Malware Reported in the Last 24 Hours

Emotet trojan evolves
A new variant of the Emotet trojan, tracked as Trojan.W97M.POWLOAD, has been discovered by security researchers. The variant uses a new POST-infection traffic technique to compromise victims’ machines. It is distributed via spam email carrying a password-protected ZIP file attachment. As part of the infection process, the attackers behind the variant are harvesting vulnerable internet-connected devices to use them as the first layer of C2 servers.

‘Operation ShadowHammer’ attack
New details about the infamous ‘Operation ShadowHammer’ attack have emerged. Security experts have found that six Asian companies have fallen victim to the attack that was primarily aimed at ASUS. Three of the victims are video game companies - Electronics Extreme, Zepetto, and Innovative Extremist - and are based in Thailand and South Korea.

Credential stuffing attacks rise
Several multinational companies such as Adobe, Dailymotion, Tumblr, Sony and LinkedIn have fallen victim to credential stuffing attacks in past years. Cybercriminals steal the credentials in order to use them for identity theft and other nefarious activities. Since the beginning of 2019, a number of campaigns have been observed stealing sensitive information from TurboTax, Dunkin' Donuts, Basecamp, and Dailymotion.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable plugins
Threat actors are increasingly using vulnerable plugins to inject malicious scripts in cyberattack campaigns. Lately, malicious versions of the WooCommerce User Email Verification and WP Inventory Manager plugins have been discovered infecting websites. The malicious versions are WP Inventory Manager 1.82 and WooCommerce User Email Verification 3.3.0. Experts recommend that users add a WAF as a second layer of protection.

Vulnerable Sony Smart-TVs
Two vulnerabilities have been discovered in Android-based smart-TVs from Sony. The vulnerabilities, tracked as CVE-2019-11336 and CVE-2019-10886, could allow attackers to access Wi-Fi passwords and images stored on the devices. The bugs exist in the Photo Sharing Plus application on Sony smart-TVs.

Vulnerabilities in Sierra Wireless AirLink
Security researchers have discovered several vulnerabilities in the Sierra Wireless AirLink ES450. The bugs could allow attackers to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other unauthorized activities. The majority of the bugs exist in ACEManager, with a few in Sierra Wireless AirLink ES450 FW 4.9.3.

Top Scams Reported in the Last 24 Hours

‘Game of Thrones’ phishing scam
Scammers have created several fake phishing pages related to ‘Game of Thrones’ to trick fans into revealing their personal and financial information. A few fake websites were found promoting bogus competitions and claiming to present surprise gifts to the winners. In some cases, the sites pose as an official Game of Thrones merchandise store and silently steal credit card details.

Chase Bank phishing scam
A new phishing scam has been targeting Chase Bank customers to steal their personal information. Apart from pilfering personal data, the scammers also ask the victims to upload a selfie holding an ID card or driver’s license. The scam begins with users being redirected to a fake Chase Bank login page. It asks the victims to verify their accounts in order to proceed, and the details they enter are harvested by the scammers.


Posted on: April 26, 2019
