Cyware Daily Threat Intelligence, August 29, 2019

The cybercriminals behind the TrickBot trojan have once again upgraded the information stealer’s malicious capabilities. This time they have created a variant that can intercept login credentials and PIN codes for Sprint, T-Mobile, and Verizon web accounts. This would allow the TrickBot gang to bypass multi-factor authentication solutions and reset passwords for a victim’s bank accounts, email accounts, or cryptocurrency exchange portals.

Security experts also came across an ongoing cyberespionage campaign that distributes two prominent malware families, RevengeRAT and Orcus RAT. The campaign targets government entities, financial services, information technology service providers, and consultancies worldwide. The malware is distributed via phishing emails that appear to come from law enforcement agencies.

Talking about security updates, Cisco has released a security patch for a critical vulnerability affecting its IOS XE operating system. The vulnerability could allow a remote attacker to bypass authentication on devices running an outdated version of virtual service containers.

Top Breaches Reported in the Last 24 Hours

Lumber Liquidators attacked
North American hard-surface flooring retailer Lumber Liquidators has disclosed that it fell victim to a malware attack. The incident affected part of the firm’s network, which was down for nearly a week. The attack was discovered on August 21, 2019, when its network and computer systems began behaving abnormally.

Wisconsin Diagnostic Laboratories’ data breached
Wisconsin Diagnostic Laboratories has notified 114,000 patients that their data may have been exposed in a data breach at American Medical Collection Agency (AMCA). Customer data that may have been affected includes names, dates of birth, dates of service, names of lab or medical service providers, referring physicians' names, the balance owed, and other medical information. It is the 23rd company to be affected by the AMCA data breach.

Top Malware Reported in the Last 24 Hours

Trickbot trojan evolves
Trickbot has been modified to include a new web injection module. The module enables the trojan to manipulate web sessions by injecting malicious code into intercepted network traffic. This has affected users of U.S. mobile carriers such as Verizon, T-Mobile, and Sprint. The code injected into mobile carrier websites allows the attackers to steal visitors’ PIN codes and other credentials.

Magecart groups return
A new report reveals that more than 80 e-commerce sites are actively under the control of Magecart groups. Some of the targeted websites are victims of more than one group. Researchers found that all the compromised websites used outdated versions (1.5, 1.7, or 1.9) of the Magento CMS. This enabled the attackers to inject malicious JavaScript code into the checkout pages of the websites.

RevengeRAT and Orcus RAT
Researchers have detected a massive cyber-espionage campaign that is distributing RevengeRAT and Orcus RAT. These trojans are propagated via phishing emails that appear to come from different government law enforcement agencies such as the Better Business Bureau (BBB), the Australian Competition & Consumer Commission (ACCC), and the Ministry of Business, Innovation & Employment (MBIE). These emails include complaints against the organization being targeted.

Retired officials targeted
Retired South Korean diplomats and government and military officials have been targeted in a series of attacks that occurred between July and August 2019. The attacks were carried out by Kimsuky, a North Korean state-sponsored hacking group, using spear-phishing emails. These emails included links that redirected victims to fake login pages.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco issues a security update
Cisco has released a security update for a critical vulnerability affecting its IOS XE operating system. The vulnerability could allow a remote attacker to bypass authentication on devices running an outdated version of virtual service containers. In a separate development, an expert has released technical details of the recently disclosed Cisco Unified Computing System (UCS) flaws, along with Metasploit modules that exploit them.

Vulnerable WordPress plugins
Nine SQL injection vulnerabilities have been found across several WordPress plugins. The vulnerable plugins span a variety of categories such as advertisements, donations, galleries, forms, newsletters, and video players. All the issues have been fixed, and patched versions have been published by their respective vendors.

Second flaw in Instagram patched
Facebook has patched a second account takeover flaw on Instagram. The flaw affected the platform’s password reset process. The hack involved generating mobile device passcodes dynamically in response to a challenge by Instagram during a password reset.

Apple’s additional updates
Apple has released updates for three of its operating systems apart from iOS. These include updates for macOS Mojave (version 10.14.6), tvOS (version 12.4.1), and watchOS (version 5.3.1). The patches for macOS and tvOS address vulnerabilities that could be abused to execute arbitrary code on the devices.

Posted on: August 29, 2019