Cyware Daily Threat Intelligence

Daily Threat Briefing Dec 4, 2019

With a destructive capability to erase data from computer drives, wiper malware poses a serious threat to organizations across the world. While such malicious operations were previously carried out using the notorious Shamoon malware, a new disk-wiping malware named ZeroCleare has come to the notice of security researchers. The malware has been found in use particularly against the industrial and energy sectors in the Middle East. Based on the characteristics of the malware and its infection process, security researchers suspect it to be the work of Iran-based, nation-state sponsored adversaries.

The past 24 hours also saw Mozilla and Python removing malicious extensions and libraries, respectively, from their sites. While Mozilla pulled four Avast and AVG extensions that were involved in collecting users’ personal data, Python discarded ‘python3-dateutil’ and ‘jeIlyfish’, which were designed to steal SSH and GPG keys from the projects of infected developers.

Top Breaches Reported in the Last 24 Hours

Ryuk ransomware attack

T-System, a provider of end-to-end solutions for emergency care facilities in the U.S., has been hit by Ryuk ransomware. The company is working to recover from the attack, which has affected its systems. The attack occurred at the end of November. The company admitted to the ransomware infection after it discovered that the files in the company site index had been appended with the .ryk extension. The attackers dropped a ransom note that offers minimal information on how the organization can pay the ransom to obtain the decryption key.

Top Malware Reported in the Last 24 Hours

ZeroCleare wiper malware

Security researchers have unearthed a new destructive wiper malware named ZeroCleare. The malware is being used in the Middle East, particularly against organizations in the industrial and energy sectors. It is believed that the malware is operated by Iran-based nation-state adversaries. The malware bears some similarity to the Shamoon malware.

New macOS malware

A new macOS malware sample, believed to be the work of the North Korean hacker group Lazarus, has been detected by researchers. The new sample is packaged under the name UnionCryptoTrader and is hosted on a website called ‘unioncrypto.vip’ that advertises a ‘small cryptocurrency arbitrage trading platform’ but provides no download links.

Mozilla removes malicious extensions

Mozilla has removed four extensions from Avast and AVG from the Firefox site over concerns that they were spying on users’ activities. The four extensions in question are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. These browser extensions were found collecting data with user consent.

Two trojanized Python libraries

The Python team has removed two trojanized libraries from the Python Package Index (PyPI). The malicious libraries were found stealing SSH and GPG keys from the projects of infected developers. Both were created and registered through a technique called typosquatting: ‘python3-dateutil’ imitates the dateutil library, and ‘jeIlyfish’ (a capital I in place of the first l) imitates the jellyfish library.
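Typosquatting works because a one-character difference, or a capital I standing in for a lowercase l, is easy to miss in a requirements file. As an added defensive example (not code from Cyware or from any project named in this briefing), the script below checks dependency names against an allow-list of packages an organization actually uses, folding confusable characters and measuring edit distance so that both names cited above are flagged. The allow-list, the confusable table and the sample requirements lines are constructed for illustration.

```python
"""Flag dependency names that look like typosquats of packages you actually use.

Added example for this briefing's PyPI item; it is not code from Cyware or from
any project named here. The allow-list, the confusable table and the sample
requirements below are constructed for illustration.
"""
import re
import unicodedata

# Constructed allow-list: packages the organization really depends on.
KNOWN_PACKAGES = {"python-dateutil", "jellyfish", "requests", "urllib3"}

# Characters easily mistaken for one another in a package name. Capital 'I'
# standing in for lowercase 'l' is the trick behind 'jeIlyfish'.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})


def canonical(name: str) -> str:
    """PEP 503 canonical form: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold(name: str) -> str:
    """Canonical form with confusable characters folded (applied before
    lower-casing so that 'I' becomes 'l' rather than 'i')."""
    name = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    return canonical(name)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_package(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Classify one requested name against the allow-list.

    Returns ('ok', canonical_name) on an exact match, ('suspicious', nearest)
    when the name is within max_distance edits of a known package after
    confusable folding, and ('unknown', None) otherwise.
    """
    known_canon = {canonical(k): k for k in known}
    if canonical(name) in known_canon:
        return "ok", known_canon[canonical(name)]
    folded = fold(name)
    best, best_d = None, max_distance + 1
    for k in known:
        d = edit_distance(folded, fold(k))
        if d < best_d:
            best, best_d = k, d
    if best is not None:
        return "suspicious", best
    return "unknown", None


def scan_requirements(lines):
    """Check every package named in requirements-style lines; comments ignored."""
    results = {}
    for line in lines:
        spec = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec)
        if m:
            results[m.group(0)] = check_package(m.group(0))
    return results


# Constructed requirements file; the two typosquats are the ones the briefing names.
SAMPLE_REQUIREMENTS = [
    "requests==2.22.0",
    "python3-dateutil   # one character away from python-dateutil",
    "jeIlyfish>=0.7     # capital I in place of the first l",
    "numpy",
]

if __name__ == "__main__":
    for pkg, (verdict, nearest) in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:20} {verdict:10} {nearest or ''}")
```

A name that is merely unknown is not necessarily malicious; the useful signal is "close to, but not identical with, something we already trust", which is exactly the gap a typosquat lives in. Running such a check in CI before `pip install` gives a reviewer a chance to look at the package before any install-time code executes.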

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft login issue

A serious vulnerability in Microsoft’s login systems can lead to account takeover. The bug affects apps integrated with Microsoft accounts. The flaw can allow attackers to quietly steal authentication tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. A patch for the issue was issued in the November security updates.

Vulnerable GoAhead servers

Two new vulnerabilities, along with a two-year-old RCE flaw, have been discovered in GoAhead embedded web servers. The first vulnerability is tracked as CVE-2019-5096 and is related to how multipart/form-data requests are processed. The second is tracked as CVE-2019-5097 and can be exploited by attackers to cause a DoS condition by sending a specially crafted HTTP request.

Buggy Accusoft ImageGear patched

A series of vulnerabilities that could allow attackers to execute code remotely have been patched in the Accusoft ImageGear library. The flaws affect version 19.3.0 and have received a CVSS score of 9.8.

Top Scams Reported in the Last 24 Hours

Scary terrorism allegation scam

The FTC is warning users about an ongoing scam designed to scare them with money laundering and terrorism allegations. The scammers send letters with a fake yet official-looking letterhead. The message goes on to say that the victim’s activities ‘will be under review’ because of suspicious online and financial activities that point to terrorism and money laundering. While the letter does not make any demands, the FTC says it is just the first stage of the scam. The second stage involves a direct phone call asking the target to send money to get rid of the fake charges and monitoring.
