Cyware Daily Threat Intelligence

Daily Threat Briefing • Dec 2, 2020
Two botnets exploiting vulnerable Oracle WebLogic servers have come under researchers' lens. Both the Tsunami and DarkIRC botnets abuse the same remote code execution flaw, CVE-2020-14882, to spread to new hosts. The former is used primarily to mine Monero cryptocurrency, while the latter serves a multitude of malicious purposes.
A previously undocumented malware toolset used by the notorious Turla threat actor has also been spotted by researchers. Named Crutch, the toolset was actively used in several cyber espionage campaigns against high-profile targets from 2015 to at least early 2020.
Meanwhile, an evasion tactic involving email auto-forwarding rules is gaining popularity among BEC scammers. Once a forwarding rule has been added to a compromised mailbox, copies of all incoming messages are sent to an account under the attackers' control.
Top Breaches Reported in the Last 24 Hours
Huntsville City Schools affected
The Huntsville City Schools district in Alabama has been forced to close schools following a ransomware attack. To prevent the ransomware from spreading, the district has shut down all devices and will keep them offline until further notice.
Cayman Islands’ data leak incident
A Cayman Islands-based investment fund exposed its entire backup to the Internet through a misconfigured Microsoft Azure Blob Storage container. The exposed data includes passport scans and records of who its shareholders are, how many shares they hold, and the value of those holdings.
Top Malware Reported in the Last 24 Hours
Turla’s Crutch malware
The Russian hacking group Turla used a previously undocumented malware framework named Crutch to target high-profile victims from 2015 to at least early 2020. The malware was designed to harvest sensitive documents and other files of interest and exfiltrate them to Dropbox accounts controlled by the group.
Bladabindi trojan spotted
Two malicious npm packages that installed the Bladabindi RAT have been removed from the npm registry. The packages, jdb.js and db-json.js, were downloaded more than 100 times before they were taken down.
DarkIRC botnet emerges
A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks that exploit CVE-2020-14882, a remote code execution (RCE) vulnerability. Almost 3,000 WebLogic servers reachable over the internet are exposed to the flaw, which lets an attacker execute code on them without authenticating. In a separate incident, researchers have tracked the Tsunami botnet, distributed along with a Monero miner, exploiting the same Oracle WebLogic vulnerability.
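For defenders who want to find exploitation attempts in their own WebLogic access logs, the following Python is an added example; it is not code from the briefing or from the researchers it cites. It flags the publicly documented CVE-2020-14882 request shape: a double-URL-encoded ".." segment that walks from one of the admin console's unauthenticated static paths (/console/css/ or /console/images/) into console.portal, and a handle= parameter naming one of the gadget classes used by public exploit code. The log lines are constructed, the IP addresses are reserved documentation ranges, and the common-log-format layout is an assumption about how the logs are written.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2020:10:01:13 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4312
203.0.113.7 - - [02/Dec/2020:10:02:40 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27id%27);%22) HTTP/1.1" 200 1283
198.51.100.9 - - [02/Dec/2020:10:03:02 +0000] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 302 0
10.0.0.8 - - [02/Dec/2020:10:04:55 +0000] "GET /console/css/images/login_WebLogic_branding.png HTTP/1.1" 200 1201
"""

# Common log format: client, identity, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Gadget classes passed in the handle= parameter by public CVE-2020-14882 exploit code.
SUSPICIOUS_HANDLES = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)


def is_console_traversal(target):
    """True when the request reaches console.portal through one of the console's
    unauthenticated static paths (/console/css/, /console/images/) using an
    encoded '..' segment.  The exploit double-encodes the dots, so a single
    decode still hides the traversal; decode twice before looking for '../'."""
    path = target.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return ("/console/" in path.lower()
            and "../" in decoded
            and decoded.lower().endswith("console.portal"))


def has_suspicious_handle(target):
    """True when the query string carries one of the known gadget classes."""
    query = target.split("?", 1)[1] if "?" in target else ""
    decoded = unquote(query)
    return any(cls in decoded for cls in SUSPICIOUS_HANDLES)


def scan(log_text):
    """Return (client_ip, status, reason) for each request matching the exploit pattern.
    The status is kept so responders can see whether the server answered the
    traversal request or rejected it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        reasons = []
        if is_console_traversal(target):
            reasons.append("encoded traversal to console.portal")
        if has_suspicious_handle(target):
            reasons.append("gadget class in handle=")
        if reasons:
            hits.append((m.group("ip"), m.group("status"), "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for ip, status, reason in scan(SAMPLE_LOG):
        print(f"{ip} {status} {reason}")
```

The double decode is the important detail: a single-decode filter sees only "%2e%2e/" and misses the request, which is exactly why the encoded form bypassed the console's own path checks. Run the scanner over the real access logs of any WebLogic instance that was reachable from the internet before it was patched, not just the ones that are still exposed.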
Top Vulnerabilities Reported in the Last 24 Hours
Vulnerable Docker Hub images
According to a study, over half of publicly available Docker Hub container images contain one or more critical vulnerabilities that attackers could use to distribute malware or cause data breaches. Additionally, over 6,000 images are rated harmful or malicious, containing coin miners, malicious npm packages, or hacking tools.
Vulnerabilities in Schneider Electric
Six zero-day vulnerabilities have been found affecting Schneider Electric StruxureWare. The flaws include improper restriction of XML External Entity (XXE) references, a Windows unquoted search path, and improper neutralization of input during web page generation (cross-site scripting), among others. They are tracked as CVE-2020-7569, CVE-2020-7572, CVE-2020-28209, CVE-2020-7570, CVE-2020-7571, and CVE-2020-7573.
Zero-Click exploit released
Google Project Zero researchers have disclosed the details of an iOS exploit that lets an attacker compromise iPhones over Wi-Fi and steal sensitive data without any user interaction. The exploit abuses Apple Wireless Direct Link (AWDL), a Wi-Fi-based mesh networking protocol that connects Apple devices in ad-hoc peer-to-peer networks.
Go SMS Pro fixing a flaw
A week after researchers disclosed a flaw in the Go SMS Pro app, the developers appear to be taking steps to fix the issue, which can expose users' sensitive data. The behavior was observed in version 7.91 of the Android app.
Vulnerable OpenClinic application
Four vulnerabilities have been discovered in the OpenClinic application that can allow a remote, unauthenticated attacker to read patients' Personal Health Information (PHI) from the application. The four bugs are missing authentication, insecure file upload, cross-site scripting (XSS), and path traversal.
Top Scams Reported in the Last 24 Hours
New method added to BEC
U.S. law enforcement has learned that email attackers are using auto-forwarding rules to perpetrate BEC scams. The FBI explained that the tactic relies on administrators not keeping the web-based and desktop email clients of the victim organization in sync: a rule created in the web client then does not appear in the desktop client, limiting visibility into the malicious activity. Once the auto-forwarding rule is in place, copies of all incoming messages are sent to an account under the attackers' control.
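The check a defender would run against this tactic is a server-side review of every mailbox's rules and forwarding settings, since the server sees rules created in the web client whether or not the desktop client has synced them. The following Python is an added example, not code from the briefing or from the FBI notice. The records are constructed; their field names mirror the properties Exchange Online's Get-InboxRule (ForwardTo, ForwardAsAttachmentTo, RedirectTo, SubjectContainsWords, From, DeleteMessage) and Get-Mailbox (ForwardingSmtpAddress, DeliverToMailboxAndForward) return, and the organisation's domain list and the severity scheme are assumptions.

```python
# Domains that count as internal; anything else is an external forwarding target (assumption).
ORG_DOMAINS = {"example.com"}

# Constructed sample export of inbox rules.  Every address and rule name is invented;
# the keys mirror Get-InboxRule properties so a real export can be mapped onto them.
INBOX_RULES = [
    {"mailbox": "cfo@example.com", "name": "Sort vendor mail", "enabled": True,
     "forward_to": [], "forward_as_attachment_to": [], "redirect_to": [],
     "subject_contains": ["invoice"], "from_addresses": [], "delete_message": False},
    {"mailbox": "cfo@example.com", "name": "Rule 1", "enabled": True,
     "forward_to": ["cfo.mail.backup@example.net"], "forward_as_attachment_to": [], "redirect_to": [],
     "subject_contains": [], "from_addresses": [], "delete_message": True},
    {"mailbox": "ap@example.com", "name": "Escalate payment mail", "enabled": True,
     "forward_to": [], "forward_as_attachment_to": [], "redirect_to": ["finance-team@example.com"],
     "subject_contains": ["payment"], "from_addresses": [], "delete_message": False},
    {"mailbox": "ap@example.com", "name": "Invoices", "enabled": True,
     "forward_to": [], "forward_as_attachment_to": ["ap.archive@example.org"], "redirect_to": [],
     "subject_contains": ["invoice", "wire"], "from_addresses": [], "delete_message": False},
    {"mailbox": "ap@example.com", "name": "Old rule", "enabled": False,
     "forward_to": ["someone@example.org"], "forward_as_attachment_to": [], "redirect_to": [],
     "subject_contains": [], "from_addresses": [], "delete_message": False},
]

# Constructed sample of mailbox-level forwarding (Get-Mailbox properties).
MAILBOXES = [
    {"mailbox": "cfo@example.com", "forwarding_smtp_address": "smtp:cfo.backup@example.net",
     "deliver_to_mailbox_and_forward": True},
    {"mailbox": "ap@example.com", "forwarding_smtp_address": None,
     "deliver_to_mailbox_and_forward": False},
]


def domain_of(address):
    """Domain part of an address; tolerates the 'smtp:' prefix Exchange exports use."""
    if address.lower().startswith("smtp:"):
        address = address.split(":", 1)[1]
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, org_domains=ORG_DOMAINS):
    return domain_of(address) not in org_domains


def review_rule(rule, org_domains=ORG_DOMAINS):
    """Finding for an enabled inbox rule that sends mail outside the org, else None.
    A rule with no conditions copies every message; one that also deletes the
    original hides the traffic from the victim, so both are rated high."""
    if not rule["enabled"]:
        return None
    targets = rule["forward_to"] + rule["forward_as_attachment_to"] + rule["redirect_to"]
    external = [t for t in targets if is_external(t, org_domains)]
    if not external:
        return None
    unconditional = not (rule["subject_contains"] or rule["from_addresses"])
    severity = "high" if unconditional or rule["delete_message"] else "medium"
    return {"mailbox": rule["mailbox"], "source": f"inbox rule '{rule['name']}'",
            "targets": external, "severity": severity,
            "note": "forwards every message" if unconditional else "forwards filtered messages"}


def review_mailbox(mb, org_domains=ORG_DOMAINS):
    """Finding for mailbox-level forwarding to an external address, else None."""
    addr = mb["forwarding_smtp_address"]
    if not addr or not is_external(addr, org_domains):
        return None
    note = "all mail is copied out" if mb["deliver_to_mailbox_and_forward"] else "all mail is diverted"
    return {"mailbox": mb["mailbox"], "source": "mailbox ForwardingSmtpAddress",
            "targets": [addr], "severity": "high", "note": note}


def review_all(rules, mailboxes, org_domains=ORG_DOMAINS):
    findings = [f for f in (review_rule(r, org_domains) for r in rules) if f]
    findings += [f for f in (review_mailbox(m, org_domains) for m in mailboxes) if f]
    return findings


if __name__ == "__main__":
    for f in review_all(INBOX_RULES, MAILBOXES):
        print(f"[{f['severity']}] {f['mailbox']}: {f['source']} -> {', '.join(f['targets'])} ({f['note']})")
```

Mailbox-level forwarding is checked separately because it is set by an administrator or by a compromised admin session rather than through the user's rules, and a review that only lists inbox rules misses it entirely. The internal redirect in the sample is deliberately left unflagged: forwarding inside the organisation is common and noisy, and the BEC tactic depends on mail leaving it.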
New Zoom scam
A new Zoom-themed phishing campaign is circulating through email, text, and social media messages with the aim of stealing credentials for the video conferencing service. The messages alert recipients either that they missed a meeting or that their account has been suspended.
QuickBooks impersonated
Scammers are impersonating QuickBooks on the Microsoft 365 platform to pressure victims into paying fake invoices that appear to come from a legitimate vendor. So far, 900 phishing attacks using fake QuickBooks invoices have been observed.