
Cyware Daily Threat Intelligence, May 10, 2019


Malicious actors have come up with a new way to earn profits. They are now selling source code of companies’ software to make more money. Lately, a Russian and English-speaking hacker group named ‘Fxmsp’ has breached three US-based anti-virus companies to steal source code related to antivirus software, AI and security plugins. They are selling the stolen source code along with other confidential information to different companies for a price of $300,000. The hacker group is believed to possess around 30 terabytes of data from these companies.

The prolific AZORult info-stealer trojan also made news in the past 24 hours. Attackers were found distributing the malware through a fake VPN software named Pirate Chick. The software is distributed through fake Adobe Flash Players and adware bundles.

Jokeroo RaaS has been found tricking its clients through an exit scam. The Tor site used by Jokeroo displayed a false notice claiming that its server had been seized by Europol and was no longer in service. However, it was later found that the service was still active and that the notice was part of an exit scam.

Top Breaches Reported in the Last 24 Hours

Over 80 million records exposed
ApexSMS, an SMS marketing firm that is involved in SMS bombing campaigns, has leaked 80,055,125 records due to a misconfigured MongoDB database. The database contained a massive amount of data, including one prominent folder called ‘leads’. The exposed records included MD5-hashed emails, first and last names, IP addresses and phone numbers of users.

US-based antivirus companies breached
Russian and English-speaking hacker group ‘Fxmsp’ has breached three US-based antivirus companies to steal source code and other crucial information. The group is selling the stolen data and network access to other companies at a price of $300,000. The stolen source code includes code for antivirus software, AI and security plugins. Fxmsp is believed to possess 30 terabytes of data from the three companies.

Total Registration data breach
A misconfigured Amazon S3 bucket has exposed information on students and parents at several schools that have contracts with a Colorado-based firm named Total Registration. The bucket contained hundreds of files, one of which included data on 13,000 students from over 117 different school districts. Some of the files contained students’ dates of birth and demographic information on students and their parents.

Top Malware Reported in the Last 24 Hours

Microsoft SharePoint vulnerability exploited
The Saudi government’s cybersecurity agency has reported that hackers are exploiting a remote code execution flaw in Microsoft SharePoint to conduct reconnaissance on the networks of target organizations. The vulnerability in question, CVE-2019-0604, exists in older versions of SharePoint. The attackers are using it to gather information on Microsoft Exchange and SQL servers.

Jokeroo RaaS used in an exit scam
On May 7, 2019, the Tor sites used by the Jokeroo Ransomware-as-a-Service (RaaS) displayed a notice claiming that their server had been seized by law enforcement agencies. However, Europol has denied any such action, and the notice is believed to be part of an exit scam by the RaaS operators. Such scams aim to lock in clients’ funds by falsely claiming that the business has been shut down.

AZORult returns
A fake VPN application named Pirate Chick has been found distributing the AZORult info-stealing trojan. The software is distributed through fake Adobe Flash Players and adware bundles. Once the software is executed, it performs several checks before installing its malicious payloads. The software does not infect users located in Russia, Ukraine or Kazakhstan.

KPOT 2.0
A new variant of the KPOT stealer malware has recently been uncovered by security researchers. The variant is distributed via email campaigns and exploit kits and is being used against Jaxx cryptocurrency wallet users. It can steal information from a wide range of sources, including web browsers, instant messengers, email clients, VPN, RDP and FTP software, cryptocurrency wallets and gaming software.

Top Vulnerabilities Reported in the Last 24 Hours

Cryptographic flaw
Experts believe that a Russian-designed encryption algorithm contains a flaw that could undermine the security of encrypted data. The vulnerability exists in the S-Box component of the algorithm. The matter came to light during a meeting of the International Organization for Standardization (ISO) held in Tel Aviv in April this year.

Phar flaw
A serious flaw has been detected in multiple content management systems, including Drupal, Joomla, and TYPO3. The vulnerability is identified as CVE-2019-11831 and exists in the phar stream wrapper component used in PHP-driven projects. The vulnerability can lead to arbitrary remote code execution on some systems.

Heap-based buffer overflow flaw
Kaspersky Lab has addressed a heap-based buffer overflow vulnerability in its Antivirus Engine. The flaw is tracked as CVE-2019-8285 and could potentially allow attackers to execute arbitrary code remotely. The flaw has a CVSS score of 8.0.

Top Scams Reported in the Last 24 Hours

‘Big Banks’ scam
Researchers have come across a new scam in which people receive phishing emails purporting to come from St. George Bank. The email states that the bank has detected an issue with the user’s account and has blocked the user’s internet banking facility. The victims are then asked to contact the National Australia Bank (NAB) to sort out the issue. The subject line of the email reads ‘Your Account Has Been Disabled’, and the message includes the names and logos of the targeted bank. The scammers aim to take over the victims’ bank accounts by tricking them into providing their personal details for verification purposes.


Posted on: May 10, 2019
