Cyware Daily Threat Intelligence

Daily Threat Briefing • Dec 18, 2018
University of Vermont Health Network breached
The University of Vermont Health Network – Elizabethtown Community Hospital recently suffered a data breach after one of its employees' email accounts was remotely accessed by an unauthorized user. 32,000 potentially affected patients are being notified. The breach did not involve the hospital's computer networks or electronic medical records. PII and limited medical data, including Social Security numbers, were compromised.
Twitter data breach
Another Twitter data leak occurred recently. Experts suspect that Twitter's support form was targeted by state-sponsored actors. The bug that caused the breach was fixed the day after the attack was revealed. The leaked data contained the country codes of the phone numbers linked to users' accounts.
WSJ site defaced
Recently, a page on the popular Wall Street Journal website was hacked and replaced with a message appearing in support of the YouTuber PewDiePie and his quest to hold the largest subscriber count on YouTube. Experts are not sure whether PewDiePie personally endorsed the hack or whether it was merely the work of his supporters.
URSNIF, EMOTET, DRIDEX, and BitPaymer linked by a similar loader
Security researchers recently found that the URSNIF, EMOTET, DRIDEX, and BitPaymer banking Trojans are linked by a similar loader. Shared loaders were found to be associated with all of these malware families, and the payload decryption procedure and the loaders' internal data structures were also strikingly similar across them.
Fileless GandCrab
The fileless variant of the GandCrab ransomware abuses built-in Windows tools such as PowerShell and WMI for its malicious activity, including moving laterally to other machines without writing any artifacts or history to disk. Attackers using it were able to log in remotely to machines whose RDP ports were open and publicly accessible. PowerShell is used to download raw text from Pastebin[.]com and execute it. Windows shadow copy backups are also deleted after encryption.
SEO spam campaign
Researchers have recently unearthed an SEO spam injection technique in which the spam is appended to the site's source code right after the closing HTML tag. The campaign is believed to have already compromised 173 sites. The malware associated with it adds hidden links for indexing by search engines and intercepts requests to the site, redirecting visitors to spam content. Fake backup tables are created in the database to store spam posts and data about logged-in visitors.
Flaws in Electric Vehicle Charging stations
Electric vehicle charging stations have been found vulnerable to an attack that could allow an attacker to compromise a station remotely and prevent a car from charging. The flaws are present in chargers supplied by the majority of electric vehicle vendors. The attacker can bypass authentication and connect to the victim's smartphone via Bluetooth. The Wi-Fi parameters are then set to establish an internet connection, and registration is completed by sending a created user ID and GPS coordinates.
‘Three Questions Quiz’ scam
Recently, the ‘Three Questions Quiz’ scam has been used in many phishing campaigns. The fake quizzes are customized to the brand being impersonated, and each quiz begins with free questions about the brand itself. The scam also tends to use language that creates a sense of urgency among users, and phony social media profiles are employed to lend it credibility.
Galveston County theft
Scammers were found to have stolen $500,000 from Galveston County. Two officials have been asked to resign after being held responsible for the theft. As of now, the scammers have not been caught and the stolen funds have not been recovered. A fake email address was used to pose as both a county employee and a representative of the Lucas construction company. A form obtained from the county's website was also used to request a change to the road contractor's bank account information, and the request asked that payment be made via electronic transfer instead of a paper check.