Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 30, 2020
With each passing day, security experts continue to see an uptick in Coronavirus-themed phishing attacks. In one incident, attackers used the virus as leverage to spread the Zeus Sphinx malware, while another campaign distributed the Remcos RAT. Zeus Sphinx (aka Zloader) resurfaced after nearly three years of absence to infect online banking users in the US, Canada, and Australia. The emails sent in these attacks used a malicious document named ‘COVID-19 relief’.
On the other hand, the Remcos RAT campaign took advantage of the financial problems experienced by SMBs during the COVID-19 pandemic and lured victims into opening malicious attachments camouflaged as disaster assistance grants and testing center vouchers.
Reports of bad actors exploiting two zero-day vulnerabilities in DrayTek routers also surfaced in the last 24 hours. The two remote code execution vulnerabilities can be exploited for command injection, and they are related to the rtick and keyPath fields.
Top Breaches Reported in the Last 24 Hours
Voter info of over 4.9 million leaked
Around 1.04 GB of voter information for more than 4.9 million Georgians, including the deceased, was published on a hacking forum over the weekend. The information included full names, home addresses, dates of birth, ID numbers, and mobile numbers. The data is claimed to have originated from voters.cec.gov.ge, an official government portal that stores the voter registration records of Georgians.
Top Malware Reported in the Last 24 Hours
Zoom domains targeted
Researchers have uncovered that threat actors are actively registering new domains, with names similar to ‘Zoom’, to target businesses and individuals across the globe. These domains are later used to send malicious files that lead to the installation of the potentially unwanted InstallCore application on the victim’s computer.
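A small triage script for the lookalike-domain activity described above, added here as an example and not part of the original briefing or of any vendor's tooling. It takes a feed of newly registered domains (a constructed list, not real observations) and flags those whose registrable label contains the brand name after homoglyph normalisation, or that sit within a similarity threshold of it. The allowlist, the homoglyph table, the 0.75 threshold and the naive eTLD+1 extraction are all assumptions chosen for illustration.

```python
import difflib

BRAND = "zoom"
# Domains the brand legitimately uses (assumption for this example).
ALLOWLIST = {"zoom.us", "zoom.com"}
# Characters commonly swapped in for letters by lookalike registrations;
# the mapping is an assumption, extend it for your own watch-list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})
SIMILARITY_THRESHOLD = 0.75


def registrable_label(domain):
    """Naive eTLD+1 label: the label just before the TLD.

    Ignores multi-part public suffixes such as co.uk; use a public-suffix
    library for production feeds.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_score(domain, brand=BRAND):
    """Return (reason, score) if the domain resembles the brand, else None."""
    if domain.lower() in ALLOWLIST:
        return None
    # Normalise digit/symbol substitutions and drop hyphens before comparing.
    label = registrable_label(domain).translate(HOMOGLYPHS).replace("-", "")
    if brand in label:
        return ("contains-brand", 1.0)
    ratio = difflib.SequenceMatcher(None, brand, label).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return ("similar-to-brand", round(ratio, 2))
    return None


def triage(domains):
    """Return (domain, reason, score) for every domain worth an analyst's look."""
    results = []
    for domain in domains:
        verdict = lookalike_score(domain)
        if verdict is not None:
            results.append((domain, verdict[0], verdict[1]))
    return results


# Constructed newly-registered domain feed (not real observations).
FEED = [
    "zoom.us",
    "zoom-meetings-app.com",
    "z00m-us.com",
    "zooom.net",
    "example.org",
    "zom.co",
]

if __name__ == "__main__":
    for domain, reason, score in triage(FEED):
        print(f"{domain:25} {reason:18} {score}")
```

The substring check catches the "brand plus extra words" pattern the briefing describes (zoom-meetings-app), while the similarity ratio catches single-character additions and omissions; tuning the threshold down raises recall at the cost of more analyst noise.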
Zeus Sphinx malware
The Zeus Sphinx malware has made a comeback to help its authors capitalize on the Coronavirus pandemic. The malware operators are using booby-trapped files named ‘COVID-19 relief’ to trick online banking users in the US, Canada, and Australia. These files are delivered via emails that rely on the same theme.
Attackers deliver Remcos RAT
Attackers are attempting to deliver Remcos RAT payloads to the systems of small businesses via phishing emails. They are taking advantage of the financial problems experienced by SMBs during the current COVID-19 pandemic to lure them into opening malicious attachments disguised as assistance grants and test center vouchers.
Top Vulnerabilities Reported in the Last 24 Hours
Vulnerable DrayTek routers exploited
Threat actors have been exploiting two zero-day vulnerabilities affecting some DrayTek enterprise routers to perform a series of attacks. Both are remote code execution vulnerabilities located in /www/cgi-bin/mainfunction.cgi; the corresponding web server program is /usr/sbin/lighttpd. DrayTek fixed these bugs in its February 2020 update.
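A request-inspection rule for the DrayTek activity described above and in the summary, added here as an example; it is not DrayTek's code and not a reproduction of the attack. It assumes the router serves /www as its web root, so the CGI is reached as /cgi-bin/mainfunction.cgi, and it inspects the two fields the briefing names (rtick and keyPath) for shell metacharacters that a legitimate value should never contain. The sample requests are constructed (the word INJECTED stands in for any payload) and the metacharacter set and path mapping are assumptions to tune against your own firmware and sensor.

```python
import re
from urllib.parse import parse_qs, urlsplit

# URL path of the CGI named in the briefing (assumption: /www is the web root).
TARGET_PATH = "/cgi-bin/mainfunction.cgi"
# The two request fields the briefing associates with the command injection.
WATCHED_PARAMS = ("rtick", "keyPath")
# Shell metacharacters that have no place in these fields (assumption: legitimate
# values are plain tokens; widen or narrow this set for your deployment).
META = re.compile(r"[;|&$`'\"<>(){}\n\r\\]")


def check_request(method, target, body=""):
    """Return (param, decoded_value) pairs that look like injection attempts.

    `target` is the request-target from the HTTP request line (path plus an
    optional query string); `body` is the form-encoded POST body when the
    sensor captured it.  Requests to other paths are ignored.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # parse_qs has already percent-decoded the value, so encoded
            # metacharacters (%3B, %27, %60 ...) are caught as well.
            if META.search(value):
                hits.append((name, value))
    return hits


# Constructed sample requests (not real captures): one benign login, two with
# metacharacters in the watched fields, one on an unrelated path.
SAMPLES = [
    ("GET", "/cgi-bin/mainfunction.cgi?action=login&keyPath=abc&rtick=1585500000", ""),
    ("POST", "/cgi-bin/mainfunction.cgi", "action=login&keyPath=%27%3BINJECTED%3B%27&rtick=1"),
    ("GET", "/cgi-bin/mainfunction.cgi?rtick=12%60INJECTED%60", ""),
    ("GET", "/index.html?rtick=%27%3B", ""),
]


def scan(samples=SAMPLES):
    """Return (method, target, hits) for every sample that trips the rule."""
    flagged = []
    for method, target, body in samples:
        hits = check_request(method, target, body)
        if hits:
            flagged.append((method, target, hits))
    return flagged


if __name__ == "__main__":
    for method, target, hits in scan():
        print(method, target, hits)
```

Because the fields are decoded before matching, the rule is not fooled by percent-encoding; the remaining blind spot is that plain access logs do not record POST bodies, so this check belongs on a proxy, IDS or packet capture that sees the full request. Patching to the February 2020 firmware remains the fix; the rule is for spotting attempts against routers that have not yet been updated.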
Top Scams Reported in the Last 24 Hours
Netflix phishing campaign
A Netflix phishing campaign has seen a spike in Brazil, with users being asked to update their personal details to avoid suspension of their accounts. Scammers use a legitimate-looking copy of the streaming service's website to make the lure more convincing.
Coronavirus-themed phishing
A new Coronavirus-themed phishing campaign was discovered that sends messages purporting to be from a local hospital. The message informs victims that they need to be tested urgently because one of their colleagues, friends, or family members has tested positive for the virus. It urges the victims to download and print an attachment, which is actually a malicious payload.