Go to listing page

Cyware Daily Threat Intelligence, January 21, 2020

Cyware Daily Threat Intelligence, January 21, 2020

Share Blog Post

Ransomware continues to dominate the cyber threat ecosystem, with attackers wanting fast cash. Lately, security researchers have detected two new ransomware that are wreaking havoc across the globe. The first one is a new variant of FTCODE ransomware that targets Italian-language users. This latest version, dubbed as FTCODE 1117.1, has been evolved to include different infection methods and password-stealing capabilities.

The second is a newly discovered BitPyLock ransomware that targets individual workstations to compromise networks. When first launched, the ransomware makes an attempt to terminate specific processes, security software, and files associated with backup software, web server daemons, virtual machines, and databases.

The last 24 hours also saw a new spam campaign being carried out to distribute the notorious Emotet trojan. The phishing email used in this campaign appears to be an extortion demand from a ‘Hacker’. It states that the hackers have hacked the recipient’s computer and stolen all valuable data.

Top Breaches Reported in the Last 24 Hours

600 computers taken down
600 staff and public access computers were taken down at Volusia County Public Library (VCPL) branches in Daytona Beach, Florida, following a cyberattack on January 9, 2020. The county’s technology staff were immediately notified who then coordinated recovery efforts with library staff. Approximately 50 computers are back online, enabling library staff to perform their regular business.

Hanna Andersson hacked
US children's apparel maker and online retailer Hanna Andersson disclosed that its online purchasing platform was hacked and malicious code was deployed to steal customers’ payment information. This activity of stealing payment information was being carried out for the last two months. The firm claims that the stolen credit details have been put up for sale on a dark web site.

Turk Telekom attacked
Turk Telekom has restored its internet access after a cyber attack that caused connectivity problems. It is unclear which threat actor group is behind the attack. However, the company has confirmed that the strike had targeted its DNS addresses.  
Top Malware Reported in the Last 24 Hours

Emotet found in a spam template
The operators of Emotet malware have started using a spam template that pretends to be an extortion demand from a ‘Hacker’. The email states that the recipient’s computer has been hacked to steal their valuable data. The goal of all these emails is to trick recipients into opening an attached Word document that will attempt to download and install the Emotet malware onto the computer.

New variant of FTCODE ransomware
A new version of FTCODE ransomware has been found containing different infection methods and password-stealing capabilities. Dubbed version 1117.1, the ransomware variant spreads through spam emails that contain macro documents. These documents include links to a VBScript code which further downloads the PowerShell script for FTCODE.

BitPyLock ransomware
New ransomware called BitPyLock has been uncovered targeting individual workstations to compromise networks and steal files before encrypting devices. Once installed, the malware terminates security software and closes files being used by backup software, web server daemons, virtual machines, and databases. The ransomware uses .bitpy extension to append the encrypted files.

PoC EFS-based ransomware attacks revealed 
Researchers have developed a proof-of-concept code on the encryption activities of EFS-based ransomware that takes place in the kernel and as the NTFS driver is in play. This process of encryption goes unnoticed by file system filter drivers. The PoC has been shared with 17 security vendors along with a possible workaround.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable FortiSIEM Supervisor
A hardcoded SSH public key in Fortinet’s Security Information and Event Management (FortiSIEM) can be abused to access the FortiSIEM Supervisor. The vulnerability tracked as CVE-2019-17659 could lead to denial of service. It impacts FortiSIEM version 5.2.6 and below and has been addressed last week with the release of FortiSIEM version 5.2.7. Fortinet has also advised its customers to disable SSH on port 19999 when not using the reverse tunnel feature.


bitpylock ransomware
turk telekom
hanna andersson
ftcode ransomware

Posted on: January 21, 2020

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite