Go to listing page

Cyware Weekly Threat Intelligence, May 18 - 22, 2020

Cyware Weekly Threat Intelligence, May 18 - 22, 2020

Share Blog Post

The Good
Enhancing users’ privacy and security while surfing online has been a primary focus of web browsers. Keeping this in mind, Google has introduced Enhanced Safe Browsing protection in Chrome to protect users from phishing attacks and malicious file downloads. On the other hand, security researchers managed to dissect the source code of the GhostDNS exploit kit after hackers uploaded the file on an unprotected file-sharing platform.

  • Security researchers obtained the source code of GhostDNS exploit kit which was left unprotected by hackers. This allowed the experts to analyze the functionalities of the router hijacking exploit kit.
  • The Security Service of Ukraine (SSU) took into custody a threat actor named Sanix, who is responsible for putting a massive database - named Collection1 - of 773 million email addresses and 21 million passwords up for sale last year.
  • French police cracked down on an international ATM jackpotting group by arresting two suspects. It is said that the criminal group worked across Europe to insert malware into ATMs.
  • Google added Enhanced Safe Browsing protection in Chrome to protect users from phishing sites, malicious file downloads, and cross-product alerts.
  • Tutanota is working with the L3S Research Institute of Leibniz University on a new project called PQmail that aims to keep email secure by using post-quantum cryptography for encryption.

The Bad
This week saw the leak of confidential data belonging to several organizations such as Toll Group, Fresenius Medical Care unit, and Covve. Most of the leaked data included personal details of either employees or customers.

  • After the Texas court system, the state transportation agency fell victim to a ransomware attack. Some of the features of the department’s website were unavailable due to the attack.
  • Confidential data belonging to the Toll Group made its way to dark web forums. This included personal data of some former and current employees.
  • More than 2,000 Israeli websites were defaced to show an anti-Israeli message. Attributed to a hacker group called ‘Hackers of Savior,’ the attacks were executed by exploiting a vulnerability in a WordPress plugin.
  • Snake ransomware operators shared a small batch of data stolen from the Fresenius Medical Care unit on a paste website. It contained less than 200 records that included first and last names, gender, birth dates, postal addresses, and phone numbers of patients.
  • Details of 40 million users registered on the Wishbone app were sold for a price of approximately $8000 on a dark web marketplace. The breached data included usernames, email addresses, and hashed passwords of users.
  • A flaw in the website of the Paycheck Protection Program exposed the personal data of several claimants in Arkansas and Chicago. The issue also impacted the business of Bank of America after information for some of its clients, who applied for loans, were leaked on the internet.
  • A database containing 129 million records of Russian car owners was offered for sale on the dark web. The dataset included model numbers, registration dates, and manufacturing dates of cars.
  • A cybercriminal group that hacked Grubman Shire Meiselas & Sacks last week, auctioned the sensitive documents of the international singer, Madonna, after claiming to have sold the data related to the US President.
  • Covve leaked 23 million email addresses and other personal information details due to an unprotected Elasticsearch database. In total, the database contained 90GB of personal information.
  • A threat actor leaked a trove of personal and electoral data belonging to 2.3 million Indonesian citizens. The data appeared to be stolen from the official website of the General Elections Commission of Indonesia.

New Threats
Talking of new threats reported this week, Netwalker operators improved the evasion capabilities of the ransomware by integrating a reflective dynamic-link library (DLL) injection technique. On the other hand, researchers uncovered a new attack method against networking chips that leverages a class of vulnerabilities called Spectra.

  • Security researchers disclosed an Iranian cyber espionage campaign directed against critical infrastructure facilities in Kuwait and Saudi Arabia. The campaign was launched by the Chafer APT group using several exploit kits including a tool that uses the ‘living off the land’ attack technique.
  • Hackers were found exploiting a three-year-old vulnerability in a Magento plugin to take over e-commerce sites. The purpose was to steal payment card details of shoppers.
  • Both Mirai and Hoaxcalls botnets exploited a post-authentication remote code execution vulnerability in legacy Symantec Web Gateway to gain access to enterprise systems.
  • New research showed that vulnerabilities in popular hardware-based cryptocurrency wallets could be exploited to obtain PIN numbers. The attack was demonstrated on products from Coinkite and Shapeshift.
  • Netwalker ransomware evolved to include a reflective dynamic-link library (DLL) injection as one of its evasion techniques. The technique allows the injection of a DLL from memory rather than from disk.
  • A new trojan - WolfRAT - targeted Thai users through WhatsApp, Facebook Messenger, and Line messaging apps. The trojan is a modified version of the DenDroid trojan.
  • Academics from Germany and Italy found a new method to break the separation between Wi-Fi and Bluetooth technologies. The attack relies on a new class of vulnerability called Spectra.
  • Fake Zoom installers were back in the threat landscape in a couple of campaigns that distributed a backdoor and the Devil Shadow botnet to target user devices.
  • A new variant of Zeus banking trojan, named ZLoader/Terdot Zbot, has popped up to capitalize on coronavirus fears to pilfer login credentials of customers of certain banks.
  • Winnti hacker group targeted video game companies with a new PipeMon backdoor to achieve persistence. PipeMon’s first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher.
  • Microsoft issued a security advisory for the NXNSAttack vulnerability affecting its DNS servers. The vulnerability could allow attackers to launch a large-scale DDoS attack.
  • Microsoft also warned about a COVID-19 themed phishing campaign that distributed the NetSupport Manager RAT. The attack started with a phishing email that appeared to be from the Johns Hopkins Center.


hoaxcalls botnet
netwalker operators
ghost dns exploit kit
fresenius medical care unit
nxnsattack vulnerability
toll group

Posted on: May 22, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.