Cyware Daily Threat Intelligence

Daily Threat Briefing • Apr 16, 2020
It was only last week that security researchers came across a new and sophisticated Dark Nexus botnet that shared similarities with the notorious Mirai botnet. Now, following the same pattern, a new botnet, dubbed Mozi, has been discovered that borrows source code from the Mirai, Gafgyt, and IoT Reaper botnets. The newly found Mozi botnet is capable of targeting unpatched home routers and DVRs, among other IoT devices.
A new variant of NetWire RAT that uses a legacy Microsoft Excel 4.0 macro to avoid detection by security solutions has also been spotted in the last 24 hours. The variant is used in a new malspam campaign that targets US taxpayers.
Meanwhile, wireless router maker Linksys was forced to reset the passwords of all its customers due to a COVID-19-themed malware attack. Some of its customers were redirected to a fake website that prompted them to download an app that supposedly provided the latest instructions and information about the disease.
Top Breaches Reported in the Last 24 Hours
Wappalyzer discloses breach
Wappalyzer, a website analyzer platform, has disclosed a security breach that affected nearly 16,000 users. The incident came to light after the firm found that a hacker had offered to sell a Wappalyzer database containing critical details of users for $2,000. The breach had occurred on January 20, 2020, when an intruder gained access to one of the company’s databases that had been left exposed online due to a misconfiguration.
Palm Beach county attacked
Palm Beach county was struck with the REvil ransomware on March 21, 2020. Following the attack, the town’s computer systems were down for three weeks. Residents were unable to make their utility payments using online services and the town’s online plan-submission system was also knocked offline.
Linksys resets passwords
Wireless router provider Linksys has reset passwords for all its customers after a number of users fell victim to COVID-19-themed malware. The malware was delivered via a fake website that prompted users to download and install an application that offered instructions and information about COVID-19.
Top Malware Reported in the Last 24 Hours
New Mozi botnet
Researchers have uncovered a new Mozi botnet that borrows its source code from Gafgyt, Mirai, and IoT Reaper botnets. The new botnet is capable of targeting home routers and DVRs that are either unpatched or have weak or default telnet passwords.
Fake Valorant key
Attackers are disguising malicious software as a product licensing key for the beta version of the ‘Valorant’ game with the aim of stealing gamers’ credentials. In reality, the purported product license is a keylogger that could allow hackers to track the words and phrases typed by a user.
New NetWire RAT variant
Taxpayers are being targeted by a new variant of NetWire RAT in a recent malspam campaign. The purpose of the campaign is to steal credentials and tax information from users. This new variant of the RAT is distributed via IRS-themed phishing emails that carry an attachment with a legacy Microsoft Excel 4.0 macro to evade detection.
Top Vulnerabilities Reported in the Last 24 Hours
SAP fixes 23 flaws
SAP has addressed 23 flaws as part of the April 2020 Patch Tuesday. The most severe of these is a missing XML validation vulnerability in SAP Commerce. Tracked as CVE-2020-6238, the flaw can be exploited remotely and does not require authentication.
Vulnerable WordPress plugin
A cross-site scripting (XSS) vulnerability in the OneTone WordPress plugin is being exploited by attackers to redirect users to malicious domains such as ischeck[.]xyz. The flaw exists in OneTone’s “./wp-content/themes/onetone/includes/theme-functions.php” file. The plugin vulnerability allows attackers to inject only HTML code, and only in certain places on the web page.