Go to listing page

Cyware Daily Threat Intelligence, October 17, 2019

Cyware Daily Threat Intelligence, October 17, 2019

Share Blog Post

In 2017, a serious flaw named KRACK was found impacting the WPA2 protocol. However, even after the continuous efforts by vendors to protect IoT devices, researchers have found that Amazon Echo 1st generation and Amazon Kindle 8th generation devices are still susceptible to this two-year-old flaw. KRACK, a set of two vulnerabilities, can allow attackers to perform both MITM and DoS attacks.

The past 24 hours also saw attackers using a new channel that conceals their malicious payloads from being detected. This new channel in question is the WAV (Audio) file. This audio file format was used to deliver XMRig/Monero CPU cryptominer and Metasploit code in one of the recent campaigns.

Two new malware strains used by TA505 threat actor group have also been uncovered in the past 24 hours. The two newly discovered malware are Get2 malware downloader and SDBbot RAT. The malware were actively used by the attackers in several cyber espionage campaigns carried out during the past two months.

Top Breaches Reported in the Last 24 Hours

Pouring Pounds data leak
Personal data of around 2 terabytes has been exposed following an unprotected Elasticsearch database belonging to Pouring Pounds Ltd. The affected organizations are the cashback and voucher websites Cashkaro.com and Pouringpounds.com. The compromised data includes full names, phone numbers, email addresses, and bank details of users. The database was left exposed to the internet since August 9, 2019, and was only closed on September 21, 2019.  

Top Malware Reported in the Last 24 Hours

Graboid Monero miner
A new Monero miner named Graboid with wormable capabilities has been found targeting new systems. The malware spreads using unsecured Docker engines. Researchers have found that there are more than 2,000 insecure Docker services exposed to the public web. The malware receives commands from 15 compromised hosts, 14 of which have been listed as vulnerable IPs.

New Phorpiex botnet version
Phorpiex botnet, also known as Trik, has added a new payload that acts as a spam bot to distribute sextortion emails. Security experts have found that the botnet currently operates on more than 500,000 infected hosts. Each of the infected devices has been found sending up to 30,000 sextortion emails per hour.

Get2 and SDBbot
TA505 hacking group has been found distributing two new malware strains in phishing campaigns carried out during the last two months. The two new malware strains are Get2 malware downloader and SDBbot RAT. Attackers are using this new downloader to deliver payloads like FlawedGrace and FlawedAmmyy.

WAV files used to hide malware
WAV audio files are the latest hiding place for obfuscated malicious code. Researchers have found that such files were used in a campaign lately to deliver XMRig/Monero CPU cryptominer and Metasploit code used to establish a reverse shell.

Corporate phishing attack
Scammers are sending phishing emails mimicking the performance appraisal processes to trick employees into giving away their credentials. The email appears to come from the human resources department and includes a link that redirects recipients to a fake HR portal. The portal instructs the victims to provide their login credentials.

Top Vulnerabilities Reported in the Last 24 Hours

KRACK vulnerability
Millions of Amazon Echo 1st generation and Amazon Kindle 8th generation are susceptible to an old WiFi vulnerability called KRACK. The vulnerability allows attackers to perform Man-in-the-Middle and DoS attacks against a WPA2 protected network. The vulnerabilities detected are CVE-2017-13077 and CVE-2017-13078. Amazon has issued a new version of the wpa_supplicant-a software application to address the issue.

WordPress 5.2.4 released
WordPress version 5.2.4 has been released with fixes to six vulnerabilities. The vulnerabilities include cross-site scripting, unauthorized access, server-side request forgery, and cache poisoning issues. These flaws impact the versions prior to 5.2.3.

Cisco issues a warning
Cisco has warned its customers that its Aironet industrial and business Wi-Fi access points have flawed URL access controls. The flaw is tracked as CVE-2019-15260 and has a CVSS score of 9.8 out of 10. The bug can be exploited by remote attackers to manipulate device settings or view sensitive corporate information.

Top Scams Reported in the Last 24 Hours

LinkedIn members targeted
Digital fraudsters are using compromised servers and bogus links in an ongoing campaign in an effort to target LinkedIn members with scams. The scam involves recipients receiving an unexceptional email from someone they know in real life and are connected on LinkedIn. The body of the LinkedIn message informs the recipient that they have a document hosted through OneDrive. In order to make it look legitimate, the text uses ‘www.businessingith’ at the start of the embedded link.

Phishing scam
A phishing email that impersonates Telstra is tricking users into claiming a $500 gift card reward. However, the sole purpose of the scam is to harvest credentials from victims. The email includes a link that redirects recipients to a fake Telstra login page.


wordpress 524
krack vulnerability
phorpiex botnet
graboid monero miner

Posted on: October 17, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite