
Cyware Daily Threat Intelligence, May 07, 2019

Malicious activity exploiting the recently disclosed Oracle WebLogic vulnerability shows no sign of abating. After spreading the variants of Muhstik botnet and Sodinokibi ransomware, malicious actors are now eyeing the same vulnerability to distribute XMRig cryptominer and GandCrab ransomware.

The vulnerability in question is a deserialization flaw tracked as CVE-2019-2725. In order to stay safe from such attacks, users are advised to apply security updates that are covered under Oracle’s Premier Support or Extended Support phases of the Lifetime Support Policy.

The past 24 hours also saw some major security updates from Cisco. The firm has released security patches for two high-severity flaws that can allow attackers to launch Denial of Service (DoS) attacks. The flaws are tracked as CVE-2019-1721 and CVE-2019-1694 and impact Cisco’s TelePresence Video Communication Server and ASA 5500-X Series Firewalls.

Top Breaches Reported in the Last 24 Hours

AIHS data breach
American Indian Health & Services Inc. (AIHS) is notifying patients, employees, and vendors of a data breach that occurred between February 26, 2019 and March 6, 2019. The incident occurred after an ex-employee forwarded certain AIHS emails to her personal email account. The compromised emails contained personal information of some patients such as names, billing details, health insurance data, provider’s location, dates of service and amounts paid to AIHS for services.

Protech Home Medical Corp phishing attack
Protech Home Medical Corp. has been subjected to a phishing attack that resulted in the loss of $9.2 million. The incident occurred after hackers gained unauthorized access to one employee’s account. The health firm discovered the incident on May 3, 2019. Upon learning of the incident, the company notified law enforcement agencies including the Royal Canadian Mounted Police (RCMP), the Canadian Centre for Cyber Security and local police in Canada. The Federal Bureau of Investigation (FBI) in the United States, the Hong Kong Police Force and the Hong Kong Joint Financial Intelligence Unit (JFIU) were also informed about this incident.

Wyzant data breach
Wyzant, an online tutoring marketplace, has suffered a data breach resulting in the exposure of certain personal identification information of its customers. The firm revealed that an unknown attacker gained access to one of its databases on April 27, 2019. The stolen information includes first name, last name, email address, zip code, and, for certain customers.

Top Malware Reported in the Last 24 Hours

GandCrab returns with XMRig
Hackers are lately exploiting a well-known deserialization vulnerability in Oracle WebLogic Server to spread GandCrab ransomware and XMRig cryptominer. The vulnerability is tracked as CVE-2019-2725. Oracle has released a patch for the flaw on April 26, 2019. Users are advised to apply the update in order to stay safe from such attacks.

A bug in Mirai botnet
A researcher has demonstrated an exploit method that relies on a trivial bug in the code of the Mirai botnet. It was discovered that the Mirai C2 server crashes when someone connects to it using a username consisting of 1025 or more ‘a’ characters. The receiving function uses a buffer of 1024 bytes, so any longer input overruns it and causes the module to crash.

Xwo malware
A new malware family named Xwo is targeting companies by exploiting vulnerabilities in their internet-exposed systems. Xwo has three basic functions that help it to exploit and carry out security breaches. The malware begins its infection process by actively scanning a large number of web pages and online platforms in an attempt to identify their vulnerabilities.

Top Vulnerabilities Reported in the Last 24 Hours 

Cisco patches two critical flaws
Two critical vulnerabilities tracked as CVE-2019-1721 and CVE-2019-1694 have been patched by Cisco in its latest security update. CVE-2019-1721 is a flaw in the phone-book feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server. Likewise, CVE-2019-1694 is the second critical flaw that exists in the TCP processing engine of Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software.

Critical bug causes TRON to crash
A critical bug has caused an abrupt halt of the entire TRON blockchain. The bug has been assigned high severity based on the scale of the attack it enables: because of the bug, at least 51 percent of the nodes in a TRON network can be affected by DDoS attacks. The bug exists in TRON’s wallet.

Vulnerabilities in GE Power Meter software
Several vulnerabilities have been discovered in GE Communicator software. The flaws can allow an attacker to gain admin rights to a workstation running the software. Four of the five flaws have been assigned ‘high severity’ on CVSS. GE has patched these vulnerabilities by releasing GE Communicator 4.0.517.

Top Scams Reported in the Last 24 Hours

‘One Ring’ phone scam
The US Federal Communications Commission (FCC) is alerting users about the ongoing ‘One Ring’ phone scam. The scam exploits people’s curiosity in order to trick them into paying exorbitant fees. The phone numbers used in the scam are spoofed to deceive users: the calls appear to come from phone numbers based in the United States. If victims call back one of these numbers, they may end up paying a fee for premium services.

Tech Support scam
Scammers are sending emails and SMS messages that include links to services such as pharmacy, dating and tech support. The fake links are hosted on legitimate cloud services such as Amazon Web Services (AWS), Microsoft Azure and Alibaba Cloud. They are using this new technique to reach potential victims and steal their personal and credit card information.

‘Avengers: Endgame’ download scam
Scammers are stealing users’ credentials by offering full movie downloads of the Marvel blockbuster ‘Avengers: Endgame’. The potential victims are first asked to create an account by providing their email address and password. Later on, they are prompted to enter billing information with the assurance that they won’t be ‘charged’. In this way, scammers manage to collect both the personal and financial information of users.


Posted on: May 07, 2019