Cyware Daily Threat Intelligence, May 20, 2019

Distributing malware through legitimate-looking fake websites has always been a go-to attack vector for threat actors. In a recent incident, attackers have been found propagating two new backdoors, Mac.BackDoor.Siggen.20 and BackDoor.Wirenet.517, to infect macOS and Windows systems respectively. Upon successful execution, the two backdoors download a well-known remote access trojan from a server controlled by the attackers. The trojan is capable of hijacking the camera and microphone on the victim’s device.

Some major data breaches were also observed in the past 24 hours. In one incident, more than 20,000 Linksys smart Wi-Fi routers were found to be vulnerable to an information disclosure bug. As a result, these routers are regularly leaking historical records of the devices that have connected to them. The leaked information includes the devices' unique identifiers, names, and operating systems.

New details about the hack of Stack Overflow’s systems have also surfaced in the past 24 hours. The company has revised its previous statement and confirmed that the hackers may have gained access to the personal information of some Stack Exchange users. Initially, Stack Overflow had claimed that the hack involved no data loss or system compromise.

Top Breaches Reported in the Last 24 Hours

Over 20,000 Linksys routers leak data
More than 20,000 Linksys Wi-Fi routers are regularly leaking historical records of every device that has ever connected to them. The cause is an information disclosure vulnerability first tracked in 2014, identified as CVE-2014-824. The exposed information includes the devices' unique identifiers, names, and operating systems, data that attackers can use in targeted attacks.

New updates on Stack Overflow hack
New details about the hack of Stack Overflow’s systems have emerged recently. Initially, the firm had stated that no customer or user data was compromised. In a recent update, however, Stack Overflow acknowledged that the attackers gained access to the development tier of ‘stackoverflow.com’ by exploiting a zero-day bug. This gave the attackers privileged access and allowed them to retrieve data such as the names, email addresses and IP addresses of some Stack Exchange users.

OGUsers breached
A hacker forum named OGUsers had its servers breached through a custom plugin in the forum software. The attackers obtained an old backup file dated December 26, 2018, and later published the stolen information on another hacker forum. The stolen data includes OGUsers’ usernames, MD5-hashed passwords, email addresses, IP addresses, source code, website data, and private messages.

TeamViewer breached in 2016
Remote desktop and web conferencing software maker TeamViewer has told the German newspaper Der Spiegel that it fell victim to a cyber attack in 2016. Although there was no evidence of data loss or disruption of systems, researchers attribute the activity to a Chinese state-sponsored threat actor group, which used the Winnti backdoor malware to carry out the attack.

Top Malware Reported in the Last 24 Hours

Fake WhatsApp website installs malware
A fake WhatsApp website is being used by hackers to infect Mac and Windows systems with two new backdoors. The two backdoors, Mac.BackDoor.Siggen.20 and BackDoor.Wirenet.517, allow the attackers to execute malicious code written in Python, fetched from a remote server. The malicious code is identified as a Remote Access Trojan and is capable of hijacking the camera and microphone on the victim’s device.

New Winnti variant
Researchers have uncovered a new Linux variant of the Winnti backdoor malware. The variant is linked to the cyber attacks on Bayer in April 2019 and on a Vietnamese gaming company in 2015. Further analysis reveals that it shares similarities with the Winnti 2.0 Windows version, including its source code and its command-and-control communication, which mixes multiple protocols such as ICMP, HTTP, custom TCP, and UDP.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable aircraft ILS
Researchers have recently demonstrated that an Instrument Landing System’s (ILS) radio signal can be spoofed using a commercially available Software Defined Radio (SDR). The SDR can be used to trigger a range of phony messages, such as a false SOS, a fake Closest Point of Approach (CPA) alert and false collision warnings. The SDR costs $600 and could be used by attackers as a tool to compromise instrumentation-based landing systems.

Unpatched Ethereum clients
A large number of nodes running Ethereum clients such as Parity and Geth are at risk due to several unpatched vulnerabilities in the Ethereum network. Hackers could abuse these flaws to take control of more than 51% of the computational power in the Ethereum network, and could also crash a large number of nodes. Parity users running Ethereum node versions prior to 2.2.10 are vulnerable to such attacks. To stay safe, users are advised to apply updates at the earliest.

Cisco fixes a bug
Cisco has released security updates to address a vulnerability, CVE-2019-1778, in the CLI of its NX-OS software. The bug could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device.

Top Scams Reported in the Last 24 Hours

Airbnb’s fake rental scam
Scammers have duped some Airbnb customers in a fake reservation scam, charging account holders non-refundable fees for fictitious rental homes. Airbnb has confirmed the incidents, adding that the platform itself is safe and secure and has not been accessed by hackers. The firm is helping affected individuals secure their accounts and is providing refunds. Airbnb claims that the affected users’ accounts were accessed either through phishing emails or malware, and has provided additional security measures to its users to prevent such cybercrimes in the future.


Posted on: May 20, 2019
