Cyware Weekly Threat Intelligence, November 23 - 27, 2020

The Good

Cybercrime may be financially rewarding for adversaries, but sometimes they pay a price for it. Threat actors were arrested on several occasions this week, including three Nigerian nationals detained for participating in BEC scams. Congress also passed a significant cybersecurity bill, and the GAO weighed in on safeguarding 5G wireless networks.

  • A joint investigation by Interpol, the Nigeria Police, and Group-IB led to the arrest of three Nigerian nationals suspected of participating in a huge BEC ring. The scam involved 26 different malware strains, and around 50,000 victims have been identified so far.
  • The cyberworld witnessed a new development when the Government Accountability Office in the United States made recommendations that policymakers should consider the creation of cybersecurity standards to guarantee a safe rollout of 5G wireless networks.
  • Congress passed a cybersecurity bill aiming to enhance the safeguards of IoT devices. The bill encourages the notion of protecting federal agencies and leveraging the purchasing power of the federal government to encourage manufacturers to assume the same benchmarks.

The Bad

It is not all sunshine and rainbows in the cyberworld. This week threat actors launched several successful attacks, including on Peatix and Belden. Moreover, unprotected databases have become a huge issue, since cybercriminals take every advantage of them, as was the case with Spotify.

  • Baltimore County Public Schools suffered a ransomware attack that resulted in the closure of all of its schools. The attack crippled the school network. The ransom amount demanded has not yet been disclosed by the school authorities.
  • Security firm Sophos is contacting a small subset of its customers about a security breach that occurred due to a misconfiguration issue. The exposed information includes the first name, last name, email address, and contact phone number of customers.
  • Belden suffered a data breach that affected the data of some current and former employees, as well as limited company information. However, the firm revealed that the breach did not impact production in manufacturing plants, quality control, or shipping.
  • Another data breach at Peatix impacted the data of more than 4.2 million registered users. The user data was accessed by the threat actor via ads posted on Instagram stories, Telegram channels, and several other hacking forums.
  • Pickle Finance fell victim to a hack that resulted in the loss of about $20 million associated with users’ funds in DAI tokens. The attackers exploited the vulnerability in DAI PickleJar using fake swaps.
  • Over 380 million records belonging to Spotify service were leaked via an unprotected Elasticsearch database. However, the origin of the database is unknown.
  • Ransomware gangs are targeting tax software files in an attempt to harvest highly sensitive data. The most prominent ransomware families involved in this scam include Mount Locker and LockBit.
  • Louisiana State University medical centers underwent a cyberattack that exposed the data of thousands of patients. The exposed data is suspected to include patient names, medical record numbers, dates of birth, SSNs, account numbers, and insurance identification numbers, among other details.
  • The personal and health information of more than 16 million Brazilian COVID-19 patients was leaked online. The leak was caused by a hospital employee who uploaded a spreadsheet to GitHub containing usernames, passwords, and access keys for sensitive government systems.

New Threats

New malware, namely WAPDropper, grabbed the limelight this week. The TrickBot gang keeps innovating and evolving with the launch of its hundredth version. Furthermore, multiple smart doorbells have been found to have critical bugs.

  • The 100th version of the TrickBot malware was released with additional features to evade detection. With this release, TrickBot injects its DLL into the legitimate Windows executable wermgr.exe directly from memory, using code from the MemoryModule project. Adding fuel to the fire, the gang released a new lightweight reconnaissance tool called LightBot.
  • The TA416 APT group has been launching spear-phishing attacks against entities linked with diplomatic relationships between the Chinese Communist Party and Vatican. In addition, the group was also witnessed launching attacks against diplomatic organizations in Africa.
  • A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices. The list of vulnerable targets includes domains belonging to high-street banks and government organizations from around the world.
  • A new malware family called WAPDropper has been found stealthily targeting mobile phone users to subscribe to premium services. The multi-function dropper is delivered as second-stage malware and uses a machine learning solution to bypass image-based CAPTCHA challenges.
  • Around 11 video doorbells were discovered to have high-risk vulnerabilities. These relatively inexpensive devices are mostly on sale on eBay and Amazon.
  • Researchers have come across an SSH-backdoor botnet that affects Linux devices. The infection process starts by fetching a shell script from a URL, and the URL itself is used as part of the obfuscation technique. Once installed, the backdoor removes logs and the bash history.
  • Researchers have uncovered more than 400,000 subdomains with misconfigured CNAME records. Based on this evidence, around 139 of the Alexa 1,000 domains have probably fallen victim to subdomain takeovers.
  • A new cybercrime gang has been found taking over vulnerable WordPress sites to install malicious e-commerce stores, with the purpose of hijacking the original sites’ search engine ranking and promoting online scams. Access to the sites’ admin accounts is gained through brute-force attacks.
  • A new version of a Linux Proxy trojan related to the Stantinko group has been detected masquerading as an Apache HTTP Server. The malware is believed to be part of a broader campaign that takes advantage of compromised Linux servers.
  • A remote code execution flaw in MobileIron Core and Connector products is being exploited by a number of cybercriminals to intrude into networks across government, healthcare, and other sectors. The flaw, tracked as CVE-2020-15505, can allow attackers to execute arbitrary code on a vulnerable system.
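The subdomain takeover item above comes down to a CNAME whose target no longer resolves (the SaaS tenant was deleted but the DNS record was not). The following script is an added example of a defensive audit for that condition; it is not code from Cyware or from the researchers cited. The zone fragment, the fake resolver table and the list of self-service provider apexes are all constructed for illustration, and in a real audit the resolver stub would be replaced by live DNS lookups of your own zone's CNAME targets.

```python
"""Audit a zone for dangling CNAME records (subdomain-takeover candidates).

Added example. All names below are fictional (.test TLD) and constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed zone fragment in standard master-file layout.
ZONE_TEXT = """
; constructed zone fragment, not a real domain
www.example.test.       300 IN CNAME example-site.hosting-provider.test.
old-shop.example.test.  300 IN CNAME shop-123.retired-saas.test.
blog.example.test.      300 IN CNAME blog-tenant.cloud-pages.test.
api.example.test.       300 IN A     192.0.2.10
"""

# Constructed stand-in for what DNS returns for each CNAME target:
# a list of addresses, or None meaning NXDOMAIN / unclaimed tenant name.
FAKE_DNS = {
    "example-site.hosting-provider.test.": ["198.51.100.4"],
    "shop-123.retired-saas.test.": None,
    "blog-tenant.cloud-pages.test.": None,
}

# Hypothetical provider apexes where anyone can register an unclaimed tenant
# name; a dangling CNAME under one of these is the highest-risk case.
TAKEOVER_PRONE_APEXES = {"cloud-pages.test."}

Record = Tuple[str, str, str]  # (owner, rtype, rdata)


@dataclass
class Finding:
    owner: str
    target: str
    severity: str  # "high" if target sits under a self-service apex, else "medium"


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner ttl class type rdata' lines; skip blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed record: {line!r}")
        owner, _ttl, _cls, rtype, rdata = fields[:5]
        records.append((owner, rtype.upper(), rdata))
    return records


def resolve_stub(name: str) -> Optional[List[str]]:
    """Offline resolver backed by the constructed table (None = NXDOMAIN)."""
    return FAKE_DNS.get(name)


def under_apex(name: str, apexes) -> bool:
    return any(name == apex or name.endswith("." + apex) for apex in apexes)


def find_dangling_cnames(
    records: List[Record],
    resolver: Callable[[str], Optional[List[str]]] = resolve_stub,
    prone=TAKEOVER_PRONE_APEXES,
) -> List[Finding]:
    """Return CNAME records whose target does not resolve, ranked by risk."""
    findings = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue  # only CNAME targets can dangle in this sense
        if resolver(target) is not None:
            continue  # target resolves, nothing to do
        severity = "high" if under_apex(target, prone) else "medium"
        findings.append(Finding(owner, target, severity))
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(parse_zone(ZONE_TEXT)):
        print(f"{f.severity.upper()}: {f.owner} -> {f.target} (target does not resolve)")
```

The remediation for every finding is the same: delete the CNAME, or re-claim the tenant name at the provider before an attacker does. Running this on a schedule against an export of your authoritative zones catches the records that outlive the services they once pointed to.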

Posted on: November 27, 2020