Go to listing page

Cyware Daily Threat Intelligence, January 29, 2021

Cyware Daily Threat Intelligence, January 29, 2021

Share Blog Post

Another day, another set of newly discovered malware attack campaigns. The malware used in these campaigns are Oscorp and Pro-Ocean. While Oscorp is an Android malware that can steal user credentials and record user audio and video, Pro-Ocean is a cryptojacking malware in the Rocke threat actor group’s arsenal.

A massive cyberespionage campaign targeting telecom companies and internet service providers has also been launched by the Lebanese Cedar APT group. The attacks appear to target internet service providers in the U.S., the U.K, Egypt, Israel, Lebanon, Jordan, Palestine, Saudi Arabia, and the UAE.

Top Breaches Reported in the Last 24 Hours

USCellular hit
Mobile network operator USCellular has suffered a data breach that enabled hackers to gain access to its CRM and view customers’ accounts. The attack occurred on January 4. However, it is unclear how many customers are affected by the incident. The data viewed by threat actors include names, addresses, PINs, cell phone numbers, service plans, and billing statements.

Bykea leaks data
Bykea has exposed over 400 million files due to a misconfigured Elasticsearch database. The files included internal logs that contained user details for both customers and contracted employees.

Telco and ISPs targeted
The Lebanese Cedar group has been linked with a worldwide cyber espionage campaign targeting telecom companies, internet service providers, hosting providers, and managed hosting and applications companies. The attacks began in early 2020 and threat actors breached internet service providers in the U.S., the U.K, Egypt, Israel, Lebanon, Jordan, Palestine, Saudi Arabia, and the UAE.

Charity affected
The U.K’s Woodland Trust has confirmed a cyberattack that resulted in the takedown of many services. It is believed that the attack took place on December 14, 2020. Currently, law enforcement authorities are investigating if any data has been compromised.

Top Malware Reported in the Last 24 Hours

Oscorp malware
A new family of Android malware called Oscorp has been spotted by researchers. The malware abuses accessibility services in Android devices to hijack user credentials and record audio and video. Distributed via a domain named ‘supportapp[.]com, the malware requests intrusive permission to establish communications with the C2 server.

Pro-Ocean malware
Pro-Ocean is Rocke group’s new cryptojacking malware that mines Monero cryptocurrency. The malware has been recently upgraded and uses known vulnerabilities in Apache ActiveMQ, Redis, and Oracle WebLogic to target cloud applications. It is written in Go language and compiled to an x64 architecture binary.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Node.js app
A vulnerability in Node.js web application framework can be exploited to achieve remote code execution. The flaw also affects Express.js and Handlebars due to similarities in the code.

Flawed Popup Builder plugin
Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder can be exploited to perform various malicious actions on affected websites. The recently addressed issues were related to the lack of authorization on most AJAX methods.


cedar apt group
cryptojacking malware
pro ocean

Posted on: January 29, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite