Go to listing page

Cyware Daily Threat Intelligence, April 02, 2019

Cyware Daily Threat Intelligence, April 02, 2019

Share Blog Post

Ransomware has become the number one security risk to businesses and users. In situations where an organization does not have back up files, a decryption key is the only way to unscramble the encrypted files. Lately, security researchers were successful in figuring out the decryption key for Mira ransomware. This has been possible by retrieving the password, salt and the iteration count from the ransomware. The ransomware, which uses Rijndael algorithm for encryption process, appends a ‘header’ structure as an extension to the end of the file.

However, this is not the case with the newly discovered vxCrypter ransomware. It is a first of its kind ransomware that deletes duplicate files from the infected machines after encryption. The malware draws its basic code from an older ransomware named vxLock.

The past 24 hours also witnessed the evolution of a lesser-known paraphrasing attack. Security experts have uncovered that malicious actors can leverage the attack technique to modify the content of spam message and classify it as ‘not spam’.   

Top Breaches Reported in the Last 24 Hours

The city of Albany suffers a ransomware attack
The city of Albany has been hit by a ransomware attack. Although the security team is yet to estimate the extent of the attack, it has been found that the attack affected the city’s computers. The computers were down during the attack. However, there is no evidence of stealing or misuse of any personal information. The attack occurred on March 30, 2019. The city’s officials are working on restoring the affected systems. Meanwhile, most of the services - except those handling the birth certificates, death certificates, and marriage certificates - will be operating during normal business hours.

Over 13,000 iSCSI storage clusters exposed
A penTester who goes by the name ‘A Shadow’ has detected more than 13,000 iSCSI storage clusters that were left without any password protection. These open storage clusters could allow attackers to access the Internet-accessible hard drives such as storage disk arrays and NAS devices. The attackers can also replace legitimate files with malware or steal any sensitive information stored on unprotected devices.

Over 26,000 Kibana instances exposed
Misconfigured ElasticSearch databases have exposed more than 26,000 Kibana instances on the internet. The exposed instance contained a variety of information that ranges from e-learning platforms to banking systems and parking management to hospitals & universities. The US is highly affected by the incident, recording a total of 8,311 Kibana instances exposed due to misconfigured ElasticSearch databases.

Top Malware Reported in the Last 24 Hours

Paraphrasing attack evolves
A team of researchers found that bad actors can manipulate the behavior of text-classification algorithms by using paraphrasing attack. This can enable the attackers to modify the text of an email message and classify it as ‘spam’ or ‘not spam’. This, in turn, makes it difficult for the AI to determine whether or not an email is a spam message. Experts believe that such attacks are successful as they are invisible to humans since they preserve the context and meaning of the original text.  

A decryptor for Mira ransomware
Security researchers have discovered the decryption key for Mira ransomware by retrieving its password, salt and iteration count. The ransomware uses Rijndael algorithm to encrypt victims’ files. After encryption, it appends a ‘header’ structure - that includes the salt and the password hash - as an extension to the file. 

vxCrypter ransomware
Security experts have unearthed a new ransomware that deletes duplicate files after encrypting the original files. Dubbed as vxCrypter, the ransomware is a first of its kind. It is a .NET ransomware and is based on older ransomware called vxLock. After encryption, the ransomware keeps a track of the SHA256 hashes of each file it has encrypted.    

Top Vulnerabilities Reported in the Last 24 Hours

Bug in UDF-related codes fixed
Researchers have released a security update for the vulnerability in UDF-related codes in MdeModulePkg\Universal\Disk\PartitionDxe\Udf.c and MdeModulePkg\Universal\Disk\UdfDxe. Designated as CVE-2019-0160, the flaw can allow an unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access. Affected users are advised to use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

XSS bug in Google patched
Google has patched an XSS vulnerability found in Google Search. The bug can be abused by attackers to carry out phishing and other types of attacks. It was apparently introduced in September 2018, when a sanitization mechanism was reportedly removed due to some user interface design issues. The bug is said to have been patched in February 2019.

Security update released for Dovecot email server
Debian has released a security update to address a vulnerability in the Dovecot email server. Designated as CVE-2019-7524, the vulnerability affects all the installations using FTS plugins and Dovecot build before 2.3.x. 

Top Scams Reported in the Last 24 Hours

New mobile scam
Clearwater Police Department has issued an alert about a new cybercrime that lures users into purchasing new phones at a Verizon store on their accounts. Here, the scammers pose as Verizon’s customer service and tell their victims that they want to check if they've been a victim of fraud. These scammers either cold call people or get their numbers and email addresses through the dark web or from a phishing email. They tell the customer they've sent them a verification code and ask the customer to read the code sent to them. Once the scammers have that PIN, they can reset the password and make themselves a "master account user" on victim’s account.


paraphrasing attacks
mira ransomware
rijndael algorithm
vxcrypter ransomware
xss bug
ransomware attack

Posted on: April 02, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite