Cyware Daily Threat Intelligence, August 06, 2019

Several major industrial and automation solution providers have issued security advisories to mitigate the newly discovered ‘URGENT/11’ vulnerabilities that impact their devices. These organizations include Siemens, ABB, Rockwell Automation, Schneider Electric, and Woodward among others. 

The notorious Trickbot trojan has evolved to include a new strategy to evade detection by antivirus software. The latest variant detected as ‘TrojanSpy.Win32.TRICKBOT.TIGOCDC’ has been found leveraging a heavily obfuscated JavaScript file as a propagation method. This new malware variant is capable of stealing a wide range of information from the affected systems. 

Qualcomm chips have been found to be impacted by a newly discovered QualPwn vulnerability. QualPwn is a collection of two flaws that can allow attackers to compromise the WLAN and Android kernel over-the-air. 

A newly discovered botnet named Gwmndy uses SSH tunneling to target Fiberhome routers. The infected devices are located in two countries, Thailand and the Philippines.

Top Breaches Reported in the Last 24 Hours

Monzo resets PINs
Mobile-only bank Monzo has asked its 480,000 customers to change their PINs following a security issue that could have left customer accounts compromised. On August 2, 2019, the firm determined that some customers’ PINs were stored incorrectly within the company’s internal systems. This security lapse allowed Monzo staff to access the PINs stored in encrypted log files.

NZ government site shut down
The NZ Institute of Directors (IoD) has taken its website offline after it was defaced by a hacker. The Institute has warned its members to change their passwords in case they were compromised. The attack is believed to be a part of a global spray attack which also hit websites in the US and the UK.

E3 leaks journalists’ data
Personal data of more than 2000 journalists and content creators was left exposed on the website of the popular Electronic Entertainment Expo (E3). The information was present in a spreadsheet that could be downloaded from a link on the site. Employees from various news outlets were impacted. The Entertainment Software Association (ESA), the organizer of E3, took down the link after it was informed of the incident.

Top Malware Reported in the Last 24 Hours

Trickbot evolves
A new variant of the Trickbot trojan, named TrojanSpy.Win32.TRICKBOT.TIGOCDC, has been discovered recently. The variant leverages a heavily obfuscated JavaScript file for propagation and is capable of stealing various system information. Apart from this, the malware also collects credentials from FileZilla, Microsoft Outlook, PuTTY, RDP, VNC, and WinSCP.

Gwmndy botnet
Gwmndy is a newly discovered botnet that uses SSH tunneling to target Fiberhome routers. These devices are mainly located in Thailand and the Philippines. Once a device is compromised, the botnet adds credentials to the device’s shadow file and later reports to the C2 server, which instructs it to execute a version of the Dropbear SSH server, vpnip and rinetd.
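The defender-side counterpart to the behaviour described above is a shadow-file integrity check: diff the device’s current shadow file against a known-good baseline and flag accounts that appeared or went from locked to usable. The script below is an added example written for this digest; it is not code from Cyware or from the Gwmndy analysis, and every account name and hash in it is constructed for illustration.

```python
"""Detect accounts added to, or unlocked in, a shadow(5)-format file.

Added example, not part of the original digest or the Gwmndy write-up.
Compares a current shadow file against a known-good baseline and reports
new accounts, accounts whose password field changed from a lock marker
("!", "*", "!!") to a usable hash, and accounts with an empty password
field. All sample entries below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ShadowEntry:
    name: str
    password: str  # hash, or a lock marker such as "!", "*", "!!"

    @property
    def is_locked(self) -> bool:
        # An empty field means passwordless login, so it is NOT locked.
        return self.password.startswith(("!", "*"))


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow-format lines into a name -> entry map.

    Only the first two fields (name, password) matter for this check; the
    seven password-ageing fields are ignored. Blank lines and comments are
    skipped; a line with fewer than two fields is rejected.
    """
    entries: Dict[str, ShadowEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: malformed shadow entry")
        entries[fields[0]] = ShadowEntry(fields[0], fields[1])
    return entries


def find_suspicious_accounts(baseline: str, current: str) -> List[str]:
    """Return sorted findings for accounts in `current` that are absent
    from `baseline`, were locked in `baseline` but are usable now, or
    have an empty password field."""
    base = parse_shadow(baseline)
    cur = parse_shadow(current)
    findings: List[str] = []
    for name, entry in cur.items():
        if name not in base:
            findings.append(f"new account: {name}")
        elif base[name].is_locked and not entry.is_locked:
            findings.append(f"account unlocked: {name}")
        if entry.password == "":
            findings.append(f"empty password: {name}")
    return sorted(findings)


# Constructed baseline resembling a small embedded device: one usable
# root account and two locked service accounts.
BASELINE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
admin:!:18000:0:99999:7:::
"""

# Constructed post-compromise file: a previously locked service account
# now carries a hash and an extra account has been appended.
CURRENT_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:18000:0:99999:7:::
daemon:$1$constructed$anotherhash:18100:0:99999:7:::
admin:!:18000:0:99999:7:::
svcuser:$1$constructed$backdoorhash:18100:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in find_suspicious_accounts(BASELINE_SHADOW, CURRENT_SHADOW):
        print(finding)
```

On a real device the baseline would be captured at provisioning time and stored off-box, and the check run from a monitoring host over the management interface; comparing only the name and password fields keeps the check stable across routine password-ageing updates.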

Decryptor for eCh0raix ransomware
A decryption key for the eCh0raix ransomware has recently been released. The malware encrypts files on victims’ QNAP NAS devices. The ransomware, also called QNAPCrypt, is distributed by exploiting vulnerabilities or through brute-force attacks.

Malicious ‘WP Security’ plugin
Security researchers have come across a malicious WordPress plugin named ‘WP Security’. The plugin encrypts the content of blog posts with the AES-256-CBC algorithm, using PHP’s ‘openssl_encrypt’ function to do so.

Top Vulnerabilities Reported in the Last 24 Hours

QualPwn vulnerability
QualPwn is a set of two vulnerabilities that affect devices using Qualcomm chipsets. The two flaws are CVE-2019-10538 and CVE-2019-10540. While the former is a high-severity bug, the latter has received a critical severity rating. Both flaws have been fixed in the latest security updates from Qualcomm and Android.

Companies affected by URGENT11
Siemens, ABB, Rockwell Automation, Schneider Electric, and Woodward have reported being affected by the URGENT11 vulnerabilities. The set of 11 vulnerabilities resides in IPnet, the TCP/IP networking stack of the VxWorks operating system, which is used in over two billion IoT devices.

Top Scams Reported in the Last 24 Hours

Online scam
The FBI’s internet crime division has issued a warning about a new online scam trend that uses online dating sites. The scammers search these sites to recruit so-called romance/confidence scammers in order to expand their operation. The recruited crooks, in turn, befriend and establish a romantic relationship with a man or woman and then exploit it to steal money from them, using various pretexts such as airfare, bail, legal fees and other reasons to trick the victims.

City of Naples loses $700K
The City of Naples has lost $700,000 in a spear-phishing attack. Threat actors disguised themselves as a representative of the Wright Construction Group and targeted a specific department through a phishing email. It is the fourth city in Florida to have been hit by attackers.


ech0raix ransomware
gwmndy botnet
trickbot trojan
qualpwn vulnerability

Posted on: August 06, 2019
