Cyware Daily Threat Intelligence

Daily Threat Briefing • Nov 5, 2020
The tale of ShinyHunters’ notoriety repeats. The group, responsible for leaking dozens of databases in past months, is back in the news for leaking a database belonging to Mashable, a media and entertainment company. The database, which contained 5.22 GB worth of data, was spilled on several hacking forums including Russian-speaking ones.
Attacks through phishing emails also grabbed headlines in the last 24 hours. In one incident, the emails were used to distribute the QBot trojan, while in another they delivered links to Google Forms pretending to be landing pages of top brands. These Google Forms were used to collect login information from unsuspecting users.
Top Breaches Reported in the Last 24 Hours
Capcom affected
Japanese game developer Capcom was hit by a cyberattack that impacted business operations including email systems. According to a notification, the attack took place due to unauthorized access on November 2. However, this has not affected online games or access to the company’s various websites.
Mashable data leaked
ShinyHunters have leaked 5.22 GB of Mashable data on several hacking forums. The leaked data contains staff, user, and subscriber information such as full names, email addresses, country, gender, job description, online-behavior details, date of registration, IP addresses, social media profile links, and authentication tokens.
VoIP systems targeted
Hackers targeted Sangoma PBX and Asterisk VoIP phone systems at nearly 1,200 organizations in a hacking campaign. Carried out for the past 12 months, the main purpose of the campaign was to sell phone numbers, call plans, and live access to compromised VoIP services.
Top Malware Reported in the Last 24 Hours
QBot trojan returns
A malicious email campaign that uses the fear of election interference has been found spreading the QBot trojan. The body of the email does not mention the recipient’s name or other personal information. Instead, it asks the recipient to review an attached document titled ‘ElectionInterference_529259401.xls.’
Old malware resurfaces
The legacy Mauthtoken malware was found redirecting mobile users to various compromised websites. To accomplish this, it tests the browser’s user-agent string against a long list of known mobile user agents.
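As an added defensive example (not from the briefing or from any vendor): a scanner that fetches one URL with a desktop user-agent and several mobile ones, then flags redirects that only the mobile visitors receive, which is exactly the conditional behaviour Mauthtoken relies on and the reason a single desktop-only crawl misses it. The user-agent strings, URLs and the simulated server are constructed for this illustration.

```python
"""Detect user-agent-conditional redirects by differential fetching."""
from typing import Callable, Dict, Optional, Tuple

# Constructed, abbreviated user-agent strings (illustration only).
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/82.0",
    "android": "Mozilla/5.0 (Linux; Android 10) Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) Mobile/15E148",
}

# A fetcher takes (url, user_agent) and returns (status_code, Location header or None).
# It must NOT follow redirects itself, otherwise the 3xx hop is invisible.
Fetcher = Callable[[str, str], Tuple[int, Optional[str]]]


def find_ua_conditional_redirects(url: str, fetch: Fetcher,
                                  agents: Dict[str, str] = USER_AGENTS) -> Dict[str, str]:
    """Return {ua_label: redirect_target} for every non-desktop user-agent that
    was redirected somewhere the desktop user-agent was not.
    An empty dict means the site behaves the same for all tested agents."""
    results = {label: fetch(url, ua) for label, ua in agents.items()}
    _, desktop_location = results["desktop"]
    suspicious: Dict[str, str] = {}
    for label, (status, location) in results.items():
        if label == "desktop":
            continue
        redirected = 300 <= status < 400 and location is not None
        if redirected and location != desktop_location:
            suspicious[label] = location
    return suspicious


# ---- constructed simulation of a compromised site (no real server involved) ----
_MOBILE_MARKERS = ("Android", "iPhone", "Mobile")


def simulated_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Mimics the Mauthtoken pattern: mobile user-agents get a 302 to a
    placeholder domain, every other visitor gets the normal page."""
    if any(marker in user_agent for marker in _MOBILE_MARKERS):
        return 302, "http://redirect-target.example/"
    return 200, None


def simulated_clean_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """A site that serves the same page to everyone."""
    return 200, None


if __name__ == "__main__":
    hits = find_ua_conditional_redirects("http://victim-site.example/", simulated_fetch)
    for label, target in hits.items():
        print(f"{label}: redirected to {target}; desktop user-agent was not")
```

A real fetcher for this check should issue the request with redirects disabled (for example `urllib.request` with a handler that stops on 3xx) so the `Location` header is returned rather than followed.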
Top Vulnerabilities Reported in the Last 24 Hours
SMTP Multipass attack
A threat actor group specializing in BEC attacks exploited a vulnerability to spoof Rackspace domains as part of an SMTP Multipass attack. The flaw allowed the attackers to send out emails on behalf of customers using Rackspace’s hosted email services.
PoC for Cisco flaw released
Cisco has released a PoC for a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software. The flaw, tracked as CVE-2020-3556, exists in the Interprocess Communication (IPC) channel of the software. It can allow unauthenticated, local attackers to execute malicious scripts via a targeted user. It affects all AnyConnect client versions for Windows, Linux, and macOS. A patch for the vulnerability is expected to be released soon.
Insecure Deloitte site fixed
Deloitte has fixed a total of 11 vulnerabilities in its ‘Test Your Hacker IQ’ site that exposed the username and password for the site’s MySQL database. The firm revealed that the quiz was hosted on Ubuntu Linux 14.04, which stopped receiving security patches in April last year.
Top Scams Reported in the Last 24 Hours
New phishing campaign
In a new Office 365 phishing campaign, scammers are using inverted images for landing pages to avoid getting flagged as malicious by crawlers. This novel tactic aims to deceive scanning engines and redirect victims to fake login pages designed to steal their login credentials.
Google Forms misused
Researchers have uncovered that threat actors are using Google Forms as landing pages to collect victims’ credentials. So far, more than 200 forms impersonating top brands, such as Microsoft OneDrive, Office 365, and Wells Fargo, have been created to trick users.