Cyware Daily Threat Intelligence, June 10, 2019

The well-known Oracle WebLogic Server deserialization vulnerability, CVE-2019-2725, is in the headlines again. Hackers have been found abusing the vulnerability to deploy a Monero miner on compromised systems. The malware used in the attack hides in certificate files as an obfuscation tactic. In another major development, security experts have uncovered a new Mirai botnet variant that includes the deserialization vulnerability as one of its 18 exploits. The new Mirai variant is capable of targeting additional IoT devices, including wireless presentation systems, set-top boxes, SD-WANs, and even smart home controllers.

Two major data breaches have also been reported in the past 24 hours. Gaming site Emuparadise has suffered a data breach that exposed the account details of almost 1.1 million Emuparadise forum members. The incident occurred in April 2018. The compromised data included email addresses, IP addresses, passwords, and usernames.

Shanghai Jiao Tong University also leaked 8.4TB of email metadata through a misconfigured Elasticsearch database. The exposed database contained 9.5 billion rows of email threads and metadata.

Top Breaches Reported in the Last 24 Hours

Emuparadise breached
Emuparadise, a retro gaming site, suffered a data breach in April 2018 that exposed the account information of approximately 1.1 million Emuparadise forum members. The incident came to light after Haveibeenpwned.com received an unprotected database linked to the gaming site from DeHashed.com. The information found in the database included email addresses, IP addresses, passwords stored as salted MD5 hashes, and usernames.

Shanghai Jiao Tong University data leak
A misconfigured Elasticsearch database exposed 8.4TB of email metadata belonging to Shanghai Jiao Tong University. The exposed database contained 9.5 billion rows of email threads and metadata, including the IP addresses and user agents of those checking their email. Upon discovery, the university acted quickly and secured the open server.

European mobile traffic rerouted
On June 6, 2019, a large chunk of European mobile traffic was rerouted through the infrastructure of China Telecom. The rerouting went on for 2 hours before China Telecom operators noticed the issue. The incident was caused by a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP. Affected users experienced slow connections or were unable to reach some servers.

Top Malware Reported in the Last 24 Hours

Spam campaign delivers trojan
Microsoft’s security researchers have issued a warning about an ongoing spam campaign that is being used to deliver a backdoor trojan. The campaign appears to target European users, as the emails are sent in various European languages. The attackers are leveraging an old Office vulnerability tracked as CVE-2017-11882, which can allow an attacker to run malicious code automatically without requiring user interaction. It affects older versions of Microsoft Office and Microsoft WordPad.

WebLogic Server flaw delivers Monero miner
Hackers are again abusing the Oracle WebLogic Server deserialization vulnerability to deliver a Monero miner. The malware used in this attack hides in certificate files as an obfuscation tactic. The file is saved on the infected system under %APPDATA% using the file name cert.cer. Oracle has released an update to address the flaw, so organizations are strongly advised to update WebLogic Server to the latest version.

New Mirai variant
A new variant of the Mirai botnet that uses 18 exploits to target IoT devices has been uncovered recently. The variant includes 8 new exploits in addition to the 10 existing ones. It is capable of targeting devices ranging from wireless presentation systems to set-top boxes, SD-WANs, and even smart home controllers. It also includes an exploit targeting the Oracle WebLogic Server RCE vulnerability.

Triada adware variant
An analysis by Google Security has revealed that in 2017 hackers cleverly loaded adware onto Android devices by tampering with pre-installed software. The malware, a variant of the Triada adware family, was inserted through apps and programs built by third-party vendors and was installed during the manufacturing process of the Android phones. The affected models are Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Top Vulnerabilities Reported in the Last 24 Hours

HSM vulnerabilities
Several vulnerabilities have been detected in Hardware Security Modules (HSMs). The vulnerabilities can be exploited remotely to retrieve sensitive data stored inside the HSM. HSMs are hardware-isolated devices commonly deployed by financial institutions, government agencies, data centers, cloud providers, and telecommunications operators. The vendor has published firmware updates to fix the issues.

Updates released for vulnerable ATMs
A remote code execution vulnerability has been discovered in older Opteva model ATMs. The vulnerability could be remotely exploited with reverse shells to deploy malicious payloads. Operators have been advised to update to the latest version (4.1.22) of the ATM software to address the issue.

Bugs in IPM-721S cameras
Two critical-severity bugs that impact Amcrest HDSeries model IPM-721S cameras have been publicly disclosed. These bugs are part of six security flaws that were discovered in the camera back in 2017. Both flaws, CVE-2017-8229 and CVE-2017-13719, can allow attackers to completely take over the device. The vulnerabilities can be patched by updating the IPM-721S’s firmware.

Top Scams Reported in the Last 24 Hours

Extortion Scam
A new variant of an extortion scam campaign has been found targeting website owners in an attempt to steal money. The scammers are using the website's contact form to send messages to site owners with the subject line “Abuse and lifetime blocking of the site - example.com. My requirements”. In the message, the scammers warn the owners that they have been recorded while watching inappropriate sites. They then ask the victims to make a payment in order to protect their sites from being blacklisted for spam. The scammers demand 0.3 Bitcoin from each victim in exchange for not publicly exposing the video.

Posted on: June 10, 2019