Go to listing page

Cyware Daily Threat Intelligence, September 05, 2019

Cyware Daily Threat Intelligence, September 05, 2019

Share Blog Post

The past 24 hours saw the city of New Bredford winning over a ransomware attack that infected its 158 workstations. Threat actors had infected the City of New Bedford’s systems using Ryuk ransomware and demanded a sum of $5.3 million in order to restore the encrypted files and data. However, the city had rejected the demand and instead reinstated the affected systems using back up files.

A new Android trojan that includes both malware dropper and spyware capabilities was also uncovered in the past 24 hours. Dubbed ‘Joker’, the malware was delivered via 24 apps before they were removed Google’s Play Store. Among the other capabilities, the malware can collect victims’ device info, contact list, and text messages.

Coming to security patches, Google has released a series of security updated to fix 50 vulnerabilities affecting the Android platform. The flaws affect Android versions 8.0, 8.1,9 and 10. Eleven of these vulnerabilities are rated ‘High’ severity.

Top Breaches Reported in the Last 24 Hours

Facebook in soup
More than 419 million records linked to Facebook have been found in an unprotected server. This includes 133 million records belonging to users in the US, 18 million in the UK, and more than 50 million in Vietnam. Each record contained a user’s unique Facebook ID and the phone number listed on the account. Some of the records also had the user’s name, gender and geographical location.

New Bedford City attacked
The city of New Bedford was hit by Ryuk ransomware on July 4, 2019. Following the attack, the city’s IT network was affected and hackers had demanded a ransom of $5.3 million to decrypt the encrypted files. However, the city opted not to pay the ransom and reinstated the affected systems using backup files. It is said that the ransomware had encrypted files on 158 workstations.

UC Health discloses a breach
UC Health has disclosed a security breach that occurred due to unauthorized access between July 6 and July 12, 2019. The attackers behind the attack had targeted a limited number of employee email accounts. This had resulted in the compromise of patients’ names, birth dates, record numbers, and clinical information.

Top Malware Reported in the Last 24 Hours

DopplePaymer is the new BitPaymer
Threat actors from the INDRIK SPIDER cybercrime group have separated in order to create DopplePaymer. These are the same actors who created BitPaymer ransomware and research reveals that both share the same code, ransom note, and payment portal.

Glupteba malware variant
Security researchers have come across a new malvertising campaign that is distributing a new version of Glupteba malware. The malware was previously connected to a campaign called Operation Windigo carried out against Windows users. The new version includes an info-stealer component and an exploiter component targets Mikro Tik routers. The malware variant updates its C2 server using Bitcoin blockchain.

Joker Android trojan
Joker is a new Android trojan that includes both malware dropper and spyware capabilities. The trojan was delivered via 24 Google Play Store apps that had more than 472,000 downloads. The additional malicious components include simulating user interaction on ad sites, harvesting victims’ device info, contact list, and text messages.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Android phones
A newly discovered security flaw in Android phones from Samsung, Huawei, LG, and Sony can leave users open to advanced phishing attacks. This could enable attackers to steal users’ personal information. The flaw arises because the phones use over-the-air (OTA) provisioning. The attacker can make use of the OTA method to disguise their malicious SMS as an ‘update network settings’ text from the mobile network provider.

Google fixes 50 vulnerabilities
As a part of the September 2019 Patches, Google has released a new set of security patches that address nearly 50 vulnerabilities on the Android platform. The flaws impact Android versions 8.0, 8.1,9 and 10. 11 of these vulnerabilities are rated ‘High’ severity. Five of these impact Framework, while the remaining five are found in the System component of Android. In another incident, researchers have warned about a high-severity zero-day vulnerability in Google’s Android operating system. If exploited, the bugs could give a local attacker escalated privileges on a target’s device.

Vulnerable EZAutomation software
Security researchers have discovered vulnerabilities in two pieces of software made by EZAutomation, the U.S.-based industrial automation solutions provider. The potentially serious bugs - CVE-2019-13518 and CVE-2019-13522 - can be exploited for remote code execution. The vulnerabilities have been patched by EZAutomation in EZPLC Editor 1.9.0 and EZTouch Editor 2.2.0. The vendor has also advised users to only open project files from trusted sources.

Top Scams Reported in the Last 24 Hours

Scammers mimic SCA security check
Scammers are leveraging the new Strong Customer Authentication (SCA) regulation to trick users into sharing their personal details and banking credentials. They are mimicking the SCA-related messages and sending them through emails that appear to come from legitimate banks such as Santander, Royal Bank of Scotland (RBS) and HSBC. Each of these scam emails includes links to sites that are meant to capture personal details of users. The attacks are aimed at users in Europe. Users should be cautious about such emails and cross-check the links before providing their details.


ryuk ransomware
joker android trojan
strong customer authentication sca
glupteba malware
over the air ota provisioning

Posted on: September 05, 2019

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite