Cyware Daily Threat Intelligence, September 06, 2019


Launching a cyber attack by exploiting known vulnerabilities has always been a go-to approach for malicious actors. In a new cyber espionage campaign, security experts have uncovered that the Chinese state-sponsored APT5 threat actor group is actively looking for two vulnerabilities to target enterprise VPN servers from Fortinet and Pulse Secure. The vulnerabilities in question are an arbitrary file read vulnerability in FortiGate SSL VPN and an information disclosure vulnerability in Pulse Secure SSL VPN.

The past 24 hours also saw the emergence of a new Android malware named FunkyBot. The malware is used by FakeSpy malware operators to target users in Japan. It is distributed through legitimate-looking fake apps.

In a major data leak incident, Nacho Analytics has been found collecting and selling the personal data of millions of users. The data leak has affected several Swedish companies such as Volvo, SAS, Ericsson, Husqvarna, and SKF. It was conducted using spyware installed in Chrome and Firefox extensions.

A major security update related to the newly discovered USBAnywhere vulnerability was also issued in the past 24 hours. The vulnerability affects X9, X10, X11, H11, and H12 models of Supermicro server boards and can allow an attacker to take control of them.

Top Breaches Reported in the Last 24 Hours

Swedish companies’ data breached
Spy code installed in Chrome and Firefox add-ons has affected the sensitive data of several Swedish companies such as Volvo, SAS, Ericsson, Husqvarna, and SKF. The data spill has affected millions of people worldwide, including 40,000 from Sweden. The stolen data was found to be collected and sold by Nacho Analytics.

Faulty GPS trackers
At least 600,000 GPS trackers manufactured by Shenzhen i365-Tech have been found using a default password ‘123456’. Researchers say that hackers can abuse this password to hijack users’ accounts and spy on their conversations. This can also enable hackers to spoof the tracker’s real location or get access to the phone number of the tracker’s attached SIM card.

CircleCI suffers a breach
CircleCI, a San Francisco-based company, revealed a security breach that occurred after an attacker gained unauthorized access to some user data in its vendor account. The exposed data included usernames and email addresses associated with Bitbucket and GitHub, user IP addresses, and user agent strings. CircleCI further added that organization names, repository names and URLs, branch names, and repository owners may have also been exposed in the incident.

DKLOK data breach
A misconfigured Elasticsearch database associated with South Korean company DKLOK has exposed the organization’s internal and external communication. This includes the email communications between DKLOK staff, their clients and some customers. Many of the exposed emails were marked private & confidential and revealed sensitive information about DKLOK operations, products, and client operations.

Top Malware Reported in the Last 24 Hours

Malicious VHD and VHDX files marked safe
Researchers have found that attackers can slip malware inside VHD and VHDX files to bypass detection in Windows and by antivirus software. Windows marks these types of files with a ‘Mark of the Web (MOTW)’ label, thus increasing the risk. Similarly, antivirus software flags these files as ‘Safe’, thus opening the door to potential malware. Organizations are advised to implement proper defense mechanisms to block malicious VHD, VHDX, ISO, and IMG containers at email gateways.

FunkyBot malware
A new Android malware dubbed ‘FunkyBot’ has been found targeting Japanese users. The malware masquerades as a legitimate Android application and consists of two .dex files. The malware is operated by the same attackers responsible for the FakeSpy malware. FunkyBot is capable of harvesting victims’ contact lists, which it later uses for propagation purposes.

APT5 targets VPN servers
The Chinese state-sponsored APT5 threat actor group is actively scanning for the CVE-2018-13379 and CVE-2019-11510 vulnerabilities to target Fortinet's FortiGate SSL VPN and Pulse Secure's SSL VPN, respectively. The vulnerabilities can allow an attacker to retrieve files from the VPN server without any authentication.

Salesforce account compromised
A new phishing attack that involved hackers using an organization’s compromised Salesforce account and public website has been discovered recently. The compromised website was injected with malicious code and was distributed to targets through Email Studio available within the compromised Salesforce account.

Top Vulnerabilities Reported in the Last 24 Hours

USBAnywhere patched
Supermicro has issued an update to patch the newly discovered USBAnywhere vulnerability affecting its X9, X10, X11, H11, and H12 server models. USBAnywhere, which is a set of multiple vulnerabilities, could allow an attacker to easily gain access to a server.

WordPress 5.2.3 released
WordPress has released version 5.2.3, which includes fixes for six vulnerabilities. Out of the six, five are cross-site scripting vulnerabilities and the remaining one is an open redirect vulnerability. All these vulnerabilities were uncovered by third-party researchers.

Bugs fixed in Firefox 69
Mozilla has fixed a total of 20 security issues affecting Firefox 69 as well as Firefox Extended Support Release version 68.1 and 60.9. Out of these, CVE-2019-11751 is a critical severity bug and is caused by improper sanitization of logging-related command line parameters. While Firefox 69 was affected by all 20 vulnerabilities, ESR versions 68.1 and 60.9 were impacted by 16 and 8 bugs respectively.

Cisco releases updates
Cisco has issued advisories for vulnerabilities in seven of its products. Two of the vulnerabilities have been rated ‘High’ severity and impact Cisco’s Webex Teams client for Windows (CVE-2019-1939) and Industrial Network Director (CVE-2019-1976). Other affected products include Unified Contact Center Express, Content Security Management Appliance, Jabber Client Framework for Mac, Identity Services Engine, and Finesse.

Samba fixes a bug
A security bug, CVE-2019-10197, that allows clients to escape the share root directory has been fixed by Samba developers. The vulnerability affects all versions of the SMB networking protocol implementation. The vulnerability can be patched by downloading Samba 4.9.13, 4.10.8 or 4.11.0rc3.



Posted on: September 06, 2019
