
Cyware Daily Threat Intelligence, September 25, 2019

The authors of GandCrab ransomware announced in June that they were shutting down the operation. A new study, however, indicates that the same actors have shifted to Sodinokibi (REvil) ransomware: researchers have found several code patterns shared by the two families, including string-decoding functions and the URL-building routine used to construct the C2 address.

The past 24 hours also saw two phishing attacks designed to harvest users' sensitive information, each carried out through a fake website: one impersonating Instagram and the other Hire Military Heroes (HMH).

In vulnerabilities, a number of websites are still running the unpatched Rich Reviews plugin for WordPress, which exposes them to a range of attacks. Attackers are exploiting the vulnerable plugin to redirect visitors to tech support scams and malware.

Top Breaches Reported in the Last 24 Hours

Heyyo dating app leaks data
Online dating app Heyyo exposed the personal details of nearly 72,000 users through an Elasticsearch server left accessible without authentication. The exposed data includes images, location data, phone numbers, Facebook IDs, Instagram IDs, and dating preferences. The server was taken offline after Turkey's CERT was notified.

SEPTA attacked
A malware attack has led an American transit authority to permanently close its online store. The Southeastern Pennsylvania Transportation Authority (SEPTA) shut down Shop[.]SEPTA[.]org after discovering that the personal data of 761 customers had been stolen in a Magecart data-skimming attack. The skimmer captured shoppers' credit card numbers, names, and addresses. The attack affected customers who shopped between June 21 and July 16, 2019.

Top Malware Reported in the Last 24 Hours

REvil is the new GandCrab
Researchers have identified matching code patterns in GandCrab and Sodinokibi (REvil) ransomware, including the URL-building routine both use to construct the link to their C2 server. Beyond the shared code, both REvil and GandCrab check the installed keyboard layouts and skip hosts that have Russian layouts, so as not to infect Russia-based systems.
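The keyboard-layout check described above, as an added example rather than code from either ransomware family or the research it cites. On Windows, samples call GetKeyboardLayoutList() and compare the language identifier in the low 16 bits of each HKL against a list of excluded LANGIDs. The code below models the HKL as a plain 32-bit value so it compiles and runs without windows.h; the Russian LANGID 0x0419 is the documented case, and the other CIS identifiers in the list are an assumption added for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* On Windows, GetKeyboardLayoutList() fills an array of HKL handles. The low
 * 16 bits of each HKL is the LANGID of the layout's input language; the high
 * 16 bits identify the physical layout. Modelled here as a plain 32-bit value
 * so the logic runs without windows.h. */
typedef uint32_t fake_hkl_t;

/* Language IDs the sample refuses to run on. 0x0419 (Russian) is the case
 * the article describes; the remaining entries are an assumption added for
 * illustration, not taken from the article. */
static const uint16_t EXCLUDED_LANGIDS[] = {
    0x0419, /* ru-RU */
    0x0422, /* uk-UA (assumed) */
    0x0423, /* be-BY (assumed) */
    0x043F, /* kk-KZ (assumed) */
};

/* LANGID is the low word of the HKL. */
static uint16_t langid_of(fake_hkl_t hkl) {
    return (uint16_t)(hkl & 0xFFFFu);
}

/* Returns 1 if any installed layout's LANGID is on the exclusion list,
 * meaning the sample would exit without encrypting; 0 otherwise. */
int has_excluded_layout(const fake_hkl_t *layouts, size_t count) {
    size_t n_excluded = sizeof EXCLUDED_LANGIDS / sizeof EXCLUDED_LANGIDS[0];
    for (size_t i = 0; i < count; i++) {
        uint16_t lang = langid_of(layouts[i]);
        for (size_t j = 0; j < n_excluded; j++) {
            if (lang == EXCLUDED_LANGIDS[j]) {
                return 1;
            }
        }
    }
    return 0;
}

int main(void) {
    /* Constructed sample input: an en-US only host, and a host with an
     * additional ru-RU layout installed. */
    fake_hkl_t en_only[] = { 0x04090409u };
    fake_hkl_t en_plus_ru[] = { 0x04090409u, 0x04190419u };

    printf("en-US only:    %s\n",
           has_excluded_layout(en_only, 1) ? "skip host" : "proceed");
    printf("en-US + ru-RU: %s\n",
           has_excluded_layout(en_plus_ru, 2) ? "skip host" : "proceed");
    return 0;
}
```

The check is why adding a Russian layout has been suggested as a crude vaccine against such families; it is not a reliable control, since not every sample performs the check and the list of excluded layouts varies between builds. For detection, a process enumerating keyboard layouts immediately after launch is a weak but useful behavioural signal when combined with other ransomware indicators.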

Fake website used to spread malware
A fake website impersonating Hire Military Heroes (HMH), an organization that offers job opportunities to US veterans, has been found distributing malware. The malware gives the attackers control of victims' systems and gathers sensitive information. The campaign is believed to be the work of the Tortoiseshell threat actor group.

Instagram phishing attack
Cybercriminals are targeting Instagram users in a new phishing campaign. Victims are tricked into handing over their credentials by a fake email alert about a copyright infringement. The emails threaten account suspension to create a sense of urgency, then direct the victim to fill in a 'Copyright Objection Form' within 24 hours to keep the account from being suspended.

Top Vulnerabilities Reported in the Last 24 Hours

Adobe fixes three flaws
Adobe has released security updates for three vulnerabilities in ColdFusion. Two are rated Critical: one allows arbitrary code execution and the other bypasses access controls. The third is an information disclosure flaw.

Vulnerable Rich Reviews plugin
Threat actors are exploiting the unpatched Rich Reviews plugin for WordPress to redirect visitors to dangerous destinations, including tech support scams, malicious Android packages, fraudulent websites, and malware downloads. Administrators running the plugin are advised to remove it from their sites.

A bug in Apple devices
Apple has disclosed a bug in iOS 13 and iPadOS that can result in third-party keyboard extensions being granted full access without the user's consent. The issue affects third-party keyboards installed on iPhone, iPad, and iPod touch.

Top Scams Reported in the Last 24 Hours

Netflix scam
MailGuard has issued an alert warning Netflix users about a new phishing scam. The scammers impersonate Netflix in an attempt to collect users' card details: the email claims the subscription has been cancelled over a payment issue and prompts the recipient to reactivate it by clicking a link that leads to a page designed to harvest personal and financial details. Users are advised to ignore emails that ask them to share such details.


Posted on: September 25, 2019
