
Cyware Daily Threat Intelligence, September 18, 2019


A major security lapse by cybercriminals has come to light in the past 24 hours. Two unprotected databases that belonged to a threat actor group operating the Gootkit trojan have been uncovered by a security researcher. The databases contained data that was collected from three Gootkit sub-botnets and a total of 38,653 infected hosts. They contained different folders, such as ‘Luhnform’ and ‘Windowscredentials’, that included configuration details, credit card details, passwords of Windows users, and more.

New details about the Smominru botnet have also emerged in the past 24 hours. Security researchers have identified that the botnet, which first appeared in early 2018, infected around 90,000 new victims in August 2019 alone. Most of the infected systems run Windows 7 and Windows Server 2008, which are affected by the EternalBlue exploit.

In patches, Cisco has issued an extended patch for a high-severity DoS vulnerability. The flaw exists in the IPv6 packet processing functions of multiple Cisco products such as its IOS XR Software, IOS Software, IOS XE Software, NX-OS Software, ASA Software, and StarOS Software.

Top Breaches Reported in the Last 24 Hours

Details of 24.3 million patients exposed
Health and personal records of nearly 24.3 million patients have been found in almost 600 unprotected servers located in 52 countries. The exposed health information includes information retrieved from X-Ray, CT and MRI machines. Similarly, the compromised personal information includes first name and surname, birth dates, the scope of the investigation, and more.

Robstown Police Department attacked
Robstown Police Department has announced a data breach that resulted in an unknown amount of data loss between 2018 and 2019. The data was characterized as evidence and reports related to pending investigations. The incident occurred after the RDP servers were hacked or compromised by a virus.

Top Malware Reported in the Last 24 Hours

Gootkit databases exposed
Two MongoDB databases containing data aggregated from three Gootkit sub-botnets have been uncovered by security researchers. The databases include details on a total of 38,653 infected hosts and a folder named ‘Luhnform’ which contains plain text passwords, configuration details, bank account details, email account logins, and credit card details. Almost 15,000 entries related to payment card data have also been found in the databases.

Tflower ransomware
Tflower is a newly discovered ransomware that is distributed via exposed Remote Desktop services. While encrypting the data on the computer, Tflower skips any files in the Windows or Sample Music folders. After encrypting the files, it deletes the Shadow Volume Copies and executes commands that disable the Windows 10 repair environment. It prepends the *tflower marker to encrypted files instead of appending an extension to them.

Venmo users targeted
The Dighton police department in Massachusetts, US, has warned users of the Venmo mobile payment service about a new SMS phishing campaign. The campaign targets users with phishing text messages that direct them to a fake website. The fake website has been designed to collect personal and banking information of Venmo users.

Smominru botnet
According to a report, the Smominru botnet is still heavily active, with 90k new victims in August 2019 and 4.7k new infections per day. It has been found that around 25% of infected victims were reinfected more than once. After infecting a machine, the botnet downloads a worm component, an MBR rootkit and a trojan named PcShare.

Ramnit trojan evolves
The Ramnit trojan has evolved to steal credentials via a web injection attack. The operators are using the trojan variant to target Japanese entities. It is distributed via malspam.

Top Vulnerabilities Reported in the Last 24 Hours

CSRF flaw in phpMyAdmin
A researcher has published details and a proof-of-concept for an unpatched CSRF flaw in phpMyAdmin. Identified as CVE-2019-12922, the flaw has been given a medium rating and can allow an attacker to delete any server configured in the setup page of a phpMyAdmin panel on a victim’s server. The flaw affects all versions up to of phpMyAdmin.

Cisco extends a patch
Cisco has extended its patch for a high-severity DoS vulnerability, tracked as CVE-2016-1409, present in the IPv6 packet processing functions of multiple Cisco products. The bug could allow an unauthenticated remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a DoS condition on the device. The affected products are Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, Cisco NX-OS Software, Cisco ASA Software, and Cisco StarOS Software.

Google Calendar configuration issue
A configuration issue in Google Calendar can leak an employee’s or an organization’s sensitive information such as internal presentation links, email addresses, event names, and more. Researchers note that calendars that employees have set to ‘Public’ can be accessed by anyone if they get indexed on Google.



Posted on: September 18, 2019
