Cyware Daily Threat Intelligence, May 01, 2019

Attackers are actively scanning for vulnerable Oracle WebLogic Servers to distribute malware and infiltrate systems. The past 24 hours saw two different incidents in which cybercriminals were found exploiting a well-known vulnerability in the server to spread two new malware variants.

The two new malware variants belong to the Muhstik botnet and Sodinokibi ransomware families. Both campaigns leverage the remote code execution flaw tracked as CVE-2019-2725. The vulnerability affects two versions of WebLogic Server.

In a major data breach incident, threat actors hacked Germany-based CITYCOMP to steal private and financial details of dozens of IT giants. The stolen data belongs to companies including Oracle, Airbus, Toshiba, Ericsson, Leica, MAN, UniCredit, British Telecom (BT) and Volkswagen. CITYCOMP provided internet services to these firms. The attackers carried out the hack for financial gain.

Top Breaches Reported in the Last 24 Hours

Extortionist hacks CITYCOMP
Cybercriminals have stolen financial data from Germany-based CITYCOMP, which provides internet infrastructure for dozens of IT giants. The threat actors released the stolen data after CITYCOMP refused to pay the ransom. The affected organizations include Oracle, Airbus, Toshiba, Ericsson, Leica, MAN, UniCredit, British Telecom (BT) and Volkswagen. CITYCOMP has notified all its clients about the hack. The firm is also working with the State Criminal Police Office of Baden-Württemberg to mitigate the attack and improve its security measures.

Tommy Hilfiger Japan website exposes personal data
The Tommy Hilfiger Japan website exposed the personal information of tens of thousands of customers online due to a misconfigured Elasticsearch database. The unprotected database contained customers' full names, addresses, phone numbers, email addresses and birth dates. Passwords were also stored in an unencrypted format. The database also included purchase dates, total orders placed and membership ID numbers.

Energy grid disrupted
According to a recent report from the Department of Energy, parts of California, Utah and Wyoming suffered major power cuts in March 2019 due to a cyber attack. The attack disrupted energy grid operations. It is unclear which utility company suffered the incident.

Cartoon Network websites hacked
Cartoon Network websites in at least 16 countries have been hacked to play videos of Arabic memes and a Brazilian male stripper. The hack was carried out by two Brazilian hackers, who claimed that they exploited a vulnerability to gain access to Cartoon Network's website management platform.

Top Malware Reported in the Last 24 Hours

Malvertising campaign
Security researchers have discovered a new malvertising campaign targeting Russian organizations. So far, six malware programs have been linked to the campaign. It distributed two well-known backdoors, Buhtrap and RTM, along with ransomware and cryptocurrency stealers. The campaign leverages Yandex[.]Direct to post malicious ads that redirect potential targets to a website that drops malicious payloads.

A new variant of Muhstik botnet
A new variant of the Linux botnet Muhstik has been found leveraging the latest WebLogic Server vulnerability, tracked as CVE-2019-2725, to spread across vulnerable systems. The variant downloads its commands from the IP address 165.227.78[.]159. The same IP address was previously used by the Muhstik botnet as a reporting server to collect information on bots.

Sodinokibi ransomware
Another new malware variant has also been discovered leveraging the same WebLogic Server vulnerability used by the Muhstik botnet variant. The malware in question is a variant of the Sodinokibi ransomware. It attempts to encrypt data in the user's directory and deletes backups to make data recovery more difficult. The ransomware is downloaded from the attacker-controlled addresses 188.166.74[.]218 and 45.55.211[.]79.
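As an added example that is not part of the Cyware briefing, the defanged addresses quoted in the Muhstik and Sodinokibi items above can be refanged and matched against egress or proxy logs to spot hosts that reached the payload or reporting servers. The log lines and host names below are constructed for illustration.

```python
import ipaddress
import re

# Indicators quoted in the briefing above, kept in their defanged "[.]" form.
DEFANGED_IOCS = {
    "165.227.78[.]159": "Muhstik botnet (command/reporting server)",
    "188.166.74[.]218": "Sodinokibi ransomware (download host)",
    "45.55.211[.]79": "Sodinokibi ransomware (download host)",
}


def refang(indicator):
    """Turn a defanged indicator back into a real value:
    '1.2.3[.]4' -> '1.2.3.4', 'hxxp://' -> 'http://'."""
    value = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"),
                  value, flags=re.IGNORECASE)


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(log_lines):
    """Return (line_no, ip, description) for each log line referencing a listed IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for candidate in sorted(set(IPV4_RE.findall(line))):
            try:
                ip = str(ipaddress.ip_address(candidate))  # drops 999.1.1.1 etc.
            except ValueError:
                continue
            if ip in IOCS:
                hits.append((n, ip, IOCS[ip]))
    return hits


# Constructed sample egress log (hypothetical hosts and timestamps).
SAMPLE_LOG = [
    "2019-05-01T10:12:03Z weblogic01 egress dst=165.227.78.159 dport=80 action=allow",
    "2019-05-01T10:12:05Z weblogic01 egress dst=93.184.216.34 dport=443 action=allow",
    "2019-05-01T10:13:41Z weblogic02 egress dst=188.166.74.218 dport=80 action=allow",
    "2019-05-01T10:13:42Z weblogic02 egress dst=45.55.211.79 dport=80 action=deny",
]

if __name__ == "__main__":
    for n, ip, why in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {why}")
```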

Dark market places targeted
A series of DDoS attacks has been launched against dark web market forums over the past three months. The targeted markets are Dream Market, Empire Market and Nightmare Market. These underground marketplaces are known for selling illegal products such as drugs, guns, malware and hacked data. Following the repeated attacks, the operators of some dark web marketplaces have been forced to shut down their operations.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome version 74.0.3729.131 updated
Google has fixed two vulnerabilities in Chrome version 74.0.3729.131 for Windows, Mac and Linux. One of the flaws is assigned CVE-2019-5824; the other has not yet been assigned a CVE identifier, but it has been rated 'high' on the severity scale. CVE-2019-5824 is rated 'medium' and is a parameter passing error.

Vulnerable email-clients
Security researchers have discovered multiple vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification. The bugs could allow attackers to spoof signatures in a dozen popular email clients. The study covered 25 widely used email clients; the affected ones include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile.

Sophos UTM 9.602 updated
Sophos has resolved three vulnerabilities in UTM version 9.602. Two of these relate to bundled open source software and the third to inbound email processing. The updated version of the UTM is currently available via FTP and will be rolled out later via Sophos' Up2Date servers.

Top Scams Reported in the Last 24 Hours

Romantic email scam
Gangs of internet scammers are using scripted romantic emails to defraud people of thousands of dollars. The scammers target individuals through dating apps. The Better Business Bureau's Steve Baker found that these gangs divide tasks among their members, including collecting banking information, identifying vulnerable targets and setting up profiles. The scripted emails include poetry, love notes and requests for money. The gangs also run exclusive groups on social media platforms where they discuss their tactics, scripts and more.

Phishing scam
Scott County Schools in Kentucky has fallen victim to a phishing scam that resulted in the loss of $3.7 million. The incident came to light when a vendor reported that it had not received payment. The investigation found that the scammers had impersonated the vendor and sent a fraudulent email to steal the money.

Posted on: May 01, 2019