
Cyware Daily Threat Intelligence


Daily Threat Briefing Apr 2, 2020

The surge in the use of remote communication and collaboration tools amid the ongoing quarantine scenario has brought attention to existing security flaws in such tools. Now, the video conferencing app, Zoom, has come under the scanner due to the discovery of two zero-day vulnerabilities in its macOS client. These flaws could allow attackers to gain admin privileges and access the user’s microphone and camera. On top of this, security experts have also found a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client that could allow attackers to steal user credentials.

Meanwhile, cybercriminals have also been developing new strains of malware to destroy the data stored on targeted systems. Researchers have spotted COVID-19 themed data wiping malware that steals sensitive data such as users’ passwords and erases the Master Boot Record (MBR), preventing users from recovering their infected devices.

Top Breaches Reported in the Last 24 Hours

MakeFrame skimmer attack

Security researchers uncovered a new ongoing Magecart skimmer campaign that has compromised 19 different e-commerce websites so far. The new skimmer, dubbed "MakeFrame," injects HTML iframes into webpages to steal customers’ payment data. The researchers have attributed the MakeFrame attacks to Magecart Group 7 due to its use of compromised sites to host the skimming code, load the skimmer on other websites, and siphon off the stolen data.

Watering hole campaign

An extensive attack campaign has been reported that targets Windows users from a certain Asian religious and ethnic group. The campaign uses a series of watering-hole websites that trick users by displaying fake Flash updates to initiate drive-by downloads. The malicious scripts ultimately install the “Godlike12” backdoor written in Go language and two versions of the open-source Stitch Python backdoor.

Top Malware Reported in the Last 24 Hours

New COVID-19 wiper malware

Researchers have discovered several new strains of COVID-19-themed malware that are designed to destroy the data stored on infected systems. One of the new strains poses as "CoronaVirus ransomware" to distract users while it steals sensitive data, such as user credentials, in the background. It then rewrites the Master Boot Record (MBR) to prevent users from recovering their infected devices.

Vollgar botnet campaign

Researchers spotted an active Vollgar botnet campaign that has been hijacking Microsoft SQL (MSSQL) database servers for nearly two years. The botnet campaign has been launching brute-force attacks against MSSQL databases to gain admin access and install Monero cryptocurrency mining scripts. The campaign is reportedly targeting nearly 3,000 new MSSQL databases each day.
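The Vollgar campaign described above is visible to defenders as a burst of failed logins from one client address. The following detection, added here as an illustration and not code from the researchers' report, parses constructed lines in the style of the SQL Server ERRORLOG (failed login event 18456, format assumed) and flags any source that exceeds a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original briefing). In a real
# ERRORLOG each failure is preceded by an "Error: 18456, Severity: 14" line.
SAMPLE_ERRORLOG = """\
2020-04-01 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 09:00:01.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 09:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 09:00:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 09:00:03.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 09:05:00.00 Logon       Login failed for user 'jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-01 09:05:30.00 Logon       Login succeeded for user 'jdoe'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

# Assumed line layout: timestamp, "Logon" source, message, trailing [CLIENT: ip].
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, client_ip, user) for every failed login."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Map client_ip -> (peak failures inside `window`, users tried) for every
    source whose peak reaches `threshold`; quiet sources are omitted."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        start, best = 0, 0
        for end in range(len(attempts)):          # sliding window over time
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = (best, sorted({u for _, u in attempts}))
    return alerts
```

On the sample, only 203.0.113.5 (five 'sa' failures in about three seconds) is reported; the single failure from 198.51.100.7 followed by a success stays below the threshold.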

Trojanized Zoom app

Security researchers at Bitdefender spotted trojanized versions of the Zoom video conferencing app being distributed via third-party marketplaces. The Zoom clone apps infect users’ devices with adware and trojan payloads to generate revenue and steal their information.

Top Vulnerabilities Reported in the Last 24 Hours

Zero-day flaws in Zoom

Two different zero-day flaws were discovered in the macOS version of the Zoom video conferencing application. The zero-day flaws could allow local, unprivileged attackers to gain root privileges and access victims' microphone and camera. In addition, researchers discovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client that could allow attackers to steal user credentials.
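The UNC issue arises when a chat client renders a Windows path such as \\host\share as a clickable link, since opening it makes Windows attempt an SMB connection and the NTLM exchange that goes with it. The hardened message renderer below is example code added here (not Zoom's implementation); it escapes everything, turns only http(s) URLs into anchors, and exposes a helper that a moderation or logging layer could use to spot UNC paths in messages. The regular expressions for UNC paths and URLs are assumptions.

```python
import html
import re

# Assumed pattern for a Windows UNC path: \\host\share[\more]
UNC_PATH = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s<>\"']+")
# Only web URLs are eligible to become clickable links (assumed pattern).
WEB_URL = re.compile(r"https?://[^\s<>\"']+")


def find_unc_paths(text):
    """Return every UNC path in `text`, for logging or message review."""
    return UNC_PATH.findall(text)


def linkify(message):
    """Render a chat message as HTML.

    Only http(s) URLs become <a> elements. UNC paths (and anything else)
    are HTML-escaped and left as inert text, so a click in the rendered
    message can never start an SMB connection on the reader's behalf.
    """
    out = []
    pos = 0
    for m in WEB_URL.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)
```

A client that links UNC paths as well as URLs is the behaviour this example is meant to avoid; the allow-list approach makes that mistake impossible rather than patching it case by case.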

Linux kernel patch

A patch has been released to address a Linux kernel vulnerability that can allow attackers to escalate privileges on Ubuntu Desktop. The vulnerability, tracked as CVE-2020-8835, is rated high severity. The flaw originates from the lack of proper validation of user-supplied eBPF programs.

Exploits for Windows SMBGhost flaw

Security experts have released proof-of-concept (PoC) exploits for the CVE-2020-0796 Windows flaw, also known as SMBGhost, that can allow hackers to escalate local privileges. The issue stems from a pre-authentication remote code execution flaw that resides in the Server Message Block 3.0 (SMBv3) network communication protocol. The vulnerability affects systems running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation).

Top Scams Reported in the Last 24 Hours

Financial relief scams

Security researchers have reported an increase in phishing scams that promise victims financial relief during the coronavirus pandemic. These campaigns leverage current news headlines and updates from governments regarding COVID-19 relief funds to trick users into clicking on malicious links or downloading attachments laced with malware payloads. In many cases, these campaigns also impersonate healthcare or government organizations to appear legitimate.

Phishing kit targets credit union

Researchers from the security firm Sucuri discovered a new phishing page targeting the customers of Randolph-Brooks Federal Credit Union (RBFCU), a large financial institution located in Texas with over 850,000 members. The phishing campaign uses spoofed pages to steal user information, including email address, username, passwords, user-agent, IP address, and secret questions for account recovery.
