Cyware Daily Threat Intelligence

Daily Threat Briefing • Apr 22, 2020
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Daily Threat Briefing • Apr 22, 2020
Evading detection while spreading across the network has always been one of the primary objectives of malicious actors. In the past 24 hours, security researchers have come across a new variant of Emotet that includes additional modules designed to improve its evasion capabilities. One of these modules is hasbusting, which ensures that malware’s file hash looks different on every system.
A range of IoT hubs, commonly used in homes and offices, have also been found containing bugs. These flaws can be exploited to remote code execution, leak user data, and perform Man-in-the-Middle (MitM) attacks. The impacted hubs include the Fibaro Home Center Lite, eQ-3's Homematic Central Control Unit (CCU2), and ElkoEP's eLAN-RF-003.
A phishing email campaign that scares Office 365 users with a termination letter amid the COVID-19 crisis has also come to light in the last 24 hours. The purpose of the campaign was to steal Zoom credentials from users.
Top Breaches Reported in the Last 24 Hours
Kinomap leaks 42 million records
An unsecured database belonging to Kinomap had leaked 42 million records including PII. The records were of users from across the globe, including North America, Australia, Japan, the UK, and several European countries. PII exposed in the leak included full names, email addresses, home countries, usernames, and timestamps for exercises.
25,000 stolen credentials posted
Unknown activists have posted nearly 25,000 email addresses and passwords belonging to the National Institutes of Health (NIH), the World Health Organization (WHO), the Gates Foundation, and other groups working to combat the coronavirus pandemic. The lists, whose origins are unclear, have been posted on 4chan, Pastebin, Twitter, and Telegram.
Beaumont Health notifies patients
Beaumont Health has begun notifying about 114,000 patients that their personal data was breached in a phishing attack in 2019. The attackers have hacked several email accounts to access health and contact information of patients. Social Security numbers of some of the patients were also compromised in the incident.
SBA portal leaks data
An error in the official website of the Small Business Administration (SBA) had leaked personal information linked to 7900 businesses to other applicants that had applied for COVID-19 relief funds. This leaked data included Social Security numbers, income accounts, names, addresses, and contact information. Upon discovering the leak, the SBA immediately disabled the website to reduce the impact.
DoppelPaymer leaks files
Doppelpaymer ransomware operators have created a page titled ‘City of Torrance, CA’ on their ‘Dopple Leaks’ website to leak numerous file archives stolen from the city. Based on the names of the archives, the data includes the city’s budget financials, various accounting documents, document scans, and an archive of documents belonging to the City Manager.
Top Malware Reported in the Last 24 Hours
Emotet evolves
Researchers have found that Emotet trojan’s evasion capabilities have been improved with additional modules. Among the new techniques that have been embedded into the trojan includes hashbusting. These new updates in Emotet indicate that the attackers are likely getting ready to launch an attack campaign.
Phishing campaign
A phishing campaign, designed to steal Zoom credentials from Office 365 users, has been uncovered by researchers. The email appears to come from HR and tricks recipients into thinking that they are about to be laid off amid the pandemic. It prompts them to click on a phishing link that redirects to a fake Zoom meeting domain.
Top Vulnerabilities Reported in the Last 24 Hours
New Insomnia exploit
A new iOS exploit was used to spy on China’s oppressed Uyghur minority. Termed as Insomnia, the exploit works against iOS versions 12.3, 12.3.1, and 12.3.2. The exploit was used in the wild between January and March 2020. Apple had patched the flaw abused in this exploit in July 2019.
Vulnerable IoT hubs
A range of IoT hubs, commonly found in homes and offices, are vulnerable to several security flaws that can be exploited to launch remote code execution, leak user data, and perform Man-in-the-Middle (MitM) attacks. The impacted hubs include the Fibaro Home Center Lite, eQ-3's Homematic Central Control Unit (CCU2), and ElkoEP's eLAN-RF-003.
High-Severity vulnerability in OpenSSL
The OpenSSL team has patched a high-severity vulnerability tracked as CVE-2020-1967. The flaw can be exploited for denial of service (DoS) attacks. The vulnerability impacts OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f.
Security bypass flaw in MSTSC
A DLL side loading vulnerability discovered in the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls. However, Microsoft has refused to release patches for the same. The attack has been successfully tested on Windows 10 and researchers believe that the flaw can also be exploited on other versions of the operating system.
Updates for MS Office Suite
Microsoft has released out-of-band security updates for its Office Suite to fix several vulnerabilities that could be exploited to achieve remote code execution. At the same, it has also issued updates to address flaws in its Paint 3D app.
Top Scams Reported in the Last 24 Hours
WhatsApp scam
Cybercriminals are capitalizing on the popularity of WhatsApp to conduct a new scam that promises free streaming services. The message circulating on WhatsApp asks users to enroll in a ‘limited quantity’ offer to get a free membership. Once the victims click on the offer button, they are redirected to a website that prompts them to answer a series of questions. It further asks them to share the message with 10 other people via WhatsApp to activate their subscriptions.
Impersonating streaming services
Over 700 suspicious domains impersonating Netflix and Disney+ brands have been registered in a week. The purpose of these spoofed websites is to lure users by offering fake free subscriptions to steal valuable data from them.