
Cyware Daily Threat Intelligence, January 28, 2020


Intel is still struggling with the security of its processors, and security researchers have now uncovered two more issues related to their speculative execution functionality. The firm has released a security advisory for the two flaws, referred to as CacheOut and an information disclosure vulnerability, and plans to release patches for them in the coming weeks.

Coming to malware attacks, two new malware families capable of disrupting target devices have been detected in the last 24 hours: the Ragnarok ransomware and a new variant of the Android.Xiny trojan. While Ragnarok ransomware leverages the recently discovered Citrix ADC bug to spread across networks, the new Android.Xiny version propagates by exploiting unpatched vulnerabilities in Android versions prior to 5.1.

Top Breaches Reported in the Last 24 Hours

Bird Construction attacked
Canada-based Bird Construction was targeted in a Maze ransomware attack launched in December 2019. The ransomware operators claim to have stolen 60GB of data from the company. According to Emsisoft, the operators have now published the stolen data on their website after the company refused to pay the ransom. The published files contain employees’ personal data and information relating to the Canadian company Suncor Energy.

Royal Yachting Association’s data breached
Royal Yachting Association is forcing a password reset for all users following a data breach. The incident occurred after an unauthorized party accessed a database created in 2015 containing personal data associated with a number of RYA user accounts.

Top Malware Reported in the Last 24 Hours

Necurs botnet returns
Researchers have discovered a new spam campaign in which millions of emails are being sent from the Necurs botnet within a matter of hours. The top distributing IPs in this campaign are located in Chile, Lithuania, and India. As part of the campaign, victims receive an email linking to a website that peddles a get-rich-quick scam: ‘Bitcoin Era’, a purported Bitcoin trading platform that tells victims they can make money by trading cryptocurrency.

Ragnarok ransomware
A new ransomware called Ragnarok has been detected in recent targeted attacks. The attacks leverage the recently disclosed Citrix ADC bug CVE-2019-19781 to distribute the ransomware. The ransomware does not encrypt systems whose language is set to Russian, Belarusian, Turkmen, Ukrainian, Latvian, Kazakh, or Azerbaijani.

New Android.Xiny variant
New malicious samples belonging to Android.Xiny have been found replacing pre-installed apps and system files on older Android devices with malicious applications. The trojan specifically targets phones running Android versions 5.1 or older. Once installed, the trojan gains root access to the target device and then replaces system files.

New XHunt campaign
Researchers have detected a new XHunt campaign that used a Kuwaiti organization’s webpage to harvest credentials from site visitors. The webpage was injected with HTML code to collect the sensitive data. The activity was observed between June and December 2019.

Top Vulnerabilities Reported in the Last 24 Hours

New ZombieLoad flaws
Researchers have discovered and published details of a new vulnerability, CacheOut, that affects most Intel CPUs. The vulnerability, tracked as CVE-2020-0549, allows an attacker to target more specific data, including data stored within Intel’s SGX secure enclave. In addition to CacheOut, another variant of the ZombieLoad flaw, tracked as CVE-2020-0548, has also been identified.

Fortinet releases patches
Fortinet has released security updates removing two backdoor accounts from FortiSIEM. The patches address the CVE-2019-17659 and CVE-2019-16153 vulnerabilities. Any threat actor who gains access to a SIEM product can use it to carry out reconnaissance on a target’s internal network and later delete evidence of a successful compromise.

PoC for RCE bugs released
Proof-of-concept code for CVE-2020-0609 and CVE-2020-0610, two bugs in the Remote Desktop Gateway component of Windows Server, has been released recently. The flaws affect Windows Server 2012, 2012 R2, 2016, and 2019. The vulnerabilities, collectively known as BlueGate, were patched by Microsoft on January 14, 2020.

RHEL 8 vulnerable to Magellan 2.0
Red Hat has confirmed that its flagship Red Hat Enterprise Linux (RHEL) 8 remains vulnerable to one of the Magellan 2.0 vulnerabilities. Magellan 2.0 is a new set of five SQLite vulnerabilities affecting Chrome versions prior to 79.03945.79. Following the discovery, Red Hat has rolled out a security update to address the issue.

Top Scams Reported in the Last 24 Hours

Scary Netflix scam
Netflix users are being warned about a new, ongoing scam in which unsuspecting users are asked to complete an online verification process, supposedly to finish an incomplete billing update. The email looks legitimate and appears to come from Netflix. It tells recipients that their billing information has been modified and that they must therefore fill in the missing information. The email subject line reads ‘Account Informations Update’, and notably the message does not greet the recipient by name.
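The indicators the digest lists for this lure (the quoted subject line, a spoofed Netflix sender, the missing personalised greeting, and the billing-verification pretext) can be turned into a simple mail-triage heuristic. The following is an added example, not code from Cyware or Netflix; the two messages, the `netflix.com` legitimate-domain assumption and the scoring weights are all constructed for illustration.

```python
# Added example (not from the Cyware digest): score a raw e-mail against the
# indicators described for the Netflix billing-verification phish. Both sample
# messages below are constructed; the legitimate sender domain is an assumption.
import email
import re
from email import policy

SUSPECT_SUBJECT = "account informations update"      # subject line quoted in the digest
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "hello,", "hi,")
LEGIT_DOMAINS = {"netflix.com"}                       # assumed legitimate sender domain

PHISHING_SAMPLE = """From: Netflix Billing <billing@netflix-account-verify.example>
To: user@example.org
Subject: Account Informations Update

Dear Customer,
Your billing information has been modified. Please complete the online
verification process to update the missing information.
"""

LEGIT_SAMPLE = """From: Netflix <info@netflix.com>
To: user@example.org
Subject: New on Netflix this week

Hi Jane,
Here's what's arriving this week.
"""

def phish_score(raw_message: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one RFC 822 message; higher is more suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if str(msg["subject"] or "").strip().lower() == SUSPECT_SUBJECT:
        reasons.append("subject matches known lure")
    sender = str(msg["from"] or "")
    display_name = sender.split("<")[0].strip().lower()
    match = re.search(r"@([\w.-]+)", sender)
    domain = match.group(1).lower() if match else ""
    if "netflix" in display_name and domain not in LEGIT_DOMAINS:
        reasons.append(f"brand in display name but sender domain is {domain!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body else ""
    first_line = text.splitlines()[0] if text else ""
    if not first_line.startswith(("dear", "hi", "hello")) or first_line.startswith(GENERIC_GREETINGS):
        reasons.append("no personalised greeting")
    if "billing information" in text and ("verif" in text or "update" in text):
        reasons.append("billing verification pretext")
    return len(reasons), reasons
```

Each reason contributes one point, so a message matching every indicator scores 4 while an ordinary newsletter scores 0; in practice the weights and the domain allow-list would be tuned to the organisation's own mail.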


Posted on: January 28, 2020
