
Cyware Daily Threat Intelligence


Daily Threat Briefing Aug 14, 2020

Cyberthreats keep evolving as malicious actors extend their reach with new and existing malware. In the last 24 hours, the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint advisory on a new Linux malware toolset named Drovorub. Attributed to the Fancy Bear threat actor group, it comprises several components: an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a C2 server.

A new variant of the Bisonal backdoor, associated with the CactusPete hacker group, was also found targeting financial and military organizations in Eastern Europe. Besides its data-stealing capabilities, the variant adds XOR encoding.

Moreover, the XCSSET malware family was found infecting Xcode projects in order to carry out Universal Cross-site Scripting (UXSS) attacks against Safari and other browsers. To do so, the malware exploited two zero-day flaws: one in the behavior of Data Vaults and one in the development version of Safari.

Top Breaches Reported in the Last 24 Hours

Unsecured data bucket

Around seven gigabytes of unencrypted files were exposed on a publicly accessible AWS S3 bucket. The files, which had been open to the public for at least 18 months, included over 300 million unique email addresses and voice recordings of several sales pitches.

Data leaked

Hundreds of thousands of user records from several Utah-based websites have been leaked for free on a cybercrime forum. The affected sites include muleyfreak.com, deepjunglekratom.com, and utahgunexchange.com. The leaked data includes login names, hashed passwords, and email addresses.

Canon’s stolen data leaked

The Maze ransomware gang has started publishing files stolen from Canon USA on its data leak site after ransom negotiations failed. The attackers breached the firm on August 5, 2020, and demanded a ransom to prevent the leak of confidential data. The digital camera manufacturer declined to pay and restored its systems from backups.

Top Malware Reported in the Last 24 Hours

Drovorub malware

In a joint advisory, the FBI and NSA warned that the Fancy Bear threat actor group is using a new strain of Linux malware named Drovorub. The malware comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and its own C2 servers. The agencies urged US organizations to update Linux systems to kernel version 3.7 or later, the release that introduced kernel module signing, and to enforce signature checking so that unsigned modules such as the Drovorub rootkit cannot be loaded.
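As an added illustration of that mitigation check (this is not code from the NSA/FBI advisory or from Cyware), the POSIX shell script below reports whether a Linux host meets the posture the agencies describe: kernel 3.7 or later, module signature enforcement switched on, Secure Boot active, and no loaded module carrying the kernel's "E" (unsigned module) taint flag. The sysfs and /proc paths are the standard Linux ones; each function accepts an override path so it can be exercised on constructed input. Because the Drovorub rootkit hides its own module from /proc/modules, the last check is hygiene, not detection.

```shell
#!/bin/sh
# Drovorub mitigation posture check. Added example, not from the NSA/FBI advisory.
# Assumes a Linux host with /proc and sysfs; every reader accepts an override
# path so the functions can be exercised on constructed input.

# kver_ge MIN ACTUAL: succeed when kernel release ACTUAL (e.g. "5.4.0-42-generic")
# is at least MIN (e.g. "3.7"), comparing major.minor only.
kver_ge() {
    min="$1"
    act="${2%%-*}"                       # drop "-42-generic" style suffixes
    min_major="${min%%.*}"; min_minor=0
    case "$min" in *.*) r="${min#*.}"; min_minor="${r%%.*}";; esac
    act_major="${act%%.*}"; act_minor=0
    case "$act" in *.*) r="${act#*.}"; act_minor="${r%%.*}";; esac
    [ "$act_major" -gt "$min_major" ] && return 0
    [ "$act_major" -eq "$min_major" ] && [ "$act_minor" -ge "$min_minor" ]
}

# module_sig_enforced [FILE]: succeed when the kernel refuses unsigned modules.
module_sig_enforced() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# secure_boot_enabled [FILE]: succeed when the EFI SecureBoot variable is 1.
# The efivarfs file carries a 4-byte attribute header before the 1-byte value.
secure_boot_enabled() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = "1" ]
}

# unsigned_modules [FILE]: print loaded modules carrying the 'E' (unsigned) taint.
# /proc/modules lines look like:  name size refcount deps state address (taints)
# The taint field is present only for tainted modules, so clean lines have 6 fields.
unsigned_modules() {
    f="${1:-/proc/modules}"
    awk 'NF >= 7 && $7 ~ /E/ { print $1 }' "$f"
}

# posture_report: human-readable summary against the live system.
posture_report() {
    rel="$(uname -r)"
    if kver_ge 3.7 "$rel"; then echo "kernel $rel: >= 3.7, module signing available"
    else echo "kernel $rel: older than 3.7, no module signature support"; fi
    if module_sig_enforced; then echo "sig_enforce: Y (unsigned modules rejected)"
    else echo "sig_enforce: not enforced"; fi
    if secure_boot_enabled; then echo "secure boot: enabled"
    else echo "secure boot: disabled or not a UEFI system"; fi
    u="$(unsigned_modules)"
    if [ -n "$u" ]; then echo "unsigned modules loaded:"; echo "$u"
    else echo "no loaded module carries the unsigned (E) taint"; fi
}

# Run the live report only when asked, so the file can also be sourced for testing.
if [ "${1:-}" = "--report" ]; then posture_report; fi
```

Run it as `sh drovorub_posture.sh --report` on the host under review; a kernel older than 3.7 or `sig_enforce` not set to `Y` is the gap the advisory asks administrators to close.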

Bisonal backdoor upgraded

The CactusPete hacker group is targeting banks and military organizations in Eastern Europe with an upgraded version of the Bisonal backdoor. The new variant adds XOR encoding and support for proxy servers, among other features.

XCSSET malware

The XCSSET malware family has been found infecting Xcode projects in order to perform Universal Cross-site Scripting (UXSS) attacks on Safari and other browsers. Once on a vulnerable system, the malware uses exploits to abuse Safari and other installed browsers and steal user data. It also pilfers information from the Evernote, Notes, Skype, Telegram, QQ, and WeChat apps, takes screenshots of the system, uploads files to the attackers' C2 server, and can encrypt files and display a ransom note.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed TinyMCE

A high-severity cross-site scripting flaw has been identified in the open-source rich text editor TinyMCE. Tracked as CVE-2020-12648, the flaw lets attackers inject script via specially crafted HTML tags that bypass the editor's content filtering. It affects TinyMCE 4.x before 4.9.11 and 5.x before 5.4.1, and is fixed in those two releases.
