Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 1, 2019
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Daily Threat Briefing • Oct 1, 2019
Security researchers have come across a new highly-destructive botnet that is capable of launching a variety of DDoS attacks such as UDP flood, SYN flood, ACK flood, GRE IP flood, and Value Source Engine specific flood. Dubbed Gucci, the botnet is targeting IoT devices in Europe.
The past 24 hours also saw multiple cybercriminals operations targeting English and Arabic-speaking users. The campaigns leverage OpenDocument Text (ODT) files to distribute malware such as RevengeRAT, njRAT and AZORult. The purpose of using ODT files is to avoid detection by antivirus engines while infecting systems.
Coming to vulnerabilities, Ghidra, a free and open-source software reverse-engineering tool from the National Security Agency, has been found to be affected by a medium severity flaw. It impacts the versions up to 9.0.4 and can allow a remote attacker to compromise exposed systems.
Top Breaches Reported in the Last 24 Hours
20 million Russian tax records exposed
An unprotected database containing more than 20 million Russian tax records was found exposed to the internet. The records included personally identifiable information on Russian citizens dated between 2009 and 2016. The records included names, addresses, residency statuses, passport numbers, phone numbers, Tax ID numbers, employer names, and tax amounts. The database was taken offline after researchers notified the owner.
Comodo admits a data breach
Comodo has published a security notice informing users that an intruder may have gained access to its forums database. The incident may have affected over 170,000 Comodo Forum’s users and was carried out by exploiting the recently disclosed vulnerability in vBulletin. The Comodo Forum was powered by vBulletin.
Victorian hospitals attacked
Surgeries and outpatient care got delayed after regional Victorian hospital computer networks were hacked in a ransomware attack. However, this has not affected the personal information of patients. Hospitals that are a part of the Gippsland Health Alliance and the South West Alliance of Rural Health have been impacted due to the attack.
Asics suffers an attack
Major sportswear brand Asics in Auckland, NewZealand suffered a cyberattack. This caused the shop to run adult-themed video material for nearly nine hours until the shop staff reported for work at 10 am. The incident occurred on September 29, 2019.
Top Malware Reported in the Last 24 Hours
‘Gucci’ IoT botnet
A new piece of botnet named ‘Gucci’ has been identified targeting IoT devices in Europe in an attempt to conduct a variety of DDoS attacks. These include HTTP null scan, UDP flood, SYN flood, ACK flood, UDP flood with less protocol options, GRE IP flood, and Value Source Engine specific flood. The botnet targets multiple architectures including ARM, x86, MIPS, PPC, and M68K.
Malvertising campaign
Researchers have identified a new malvertising campaign carried out by a threat actor group dubbed eGobbler. The malicious group has hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads. The campaign was observed between August 1 and September 23, 2019, and affected Windows, Linux, and macOS desktop devices.
ODT files used to spread malware
Multiple cybercriminal operations using OpenDocument Text (ODT) files as a channel to distribute malware have come to light recently. The campaigns are used to target English and Arabic-speaking users. The ODT files are archives that can hold text, images, and objects. The malware is concealed as these entities to spread across systems.
Decryption key released
A decryptor for Ouroboros ransomware, also known as Zeropadypt NextGen, has been released. The decryption keys are available for the variants that append the encrypted files with Lazarus, Lazarus+ or Kronos extensions. The researchers have managed to crack the keys due to a bug in the encryption algorithm of Ouroboros version 3.
Top Vulnerabilities Reported in the Last 24 Hours
PHP releases fixes
The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) has issued a security advisory urging developers to upgrade to the latest version of PHP. The new version fixes 10 bugs that include heap-based overflow vulnerability and arbitrary code execution vulnerability.
**Flaws in Tridium’s Niagara product **
The U.S. Department of Homeland Security’s CISA is warning of two vulnerabilities in Tridium’s Niagara product that resides in the BlacBerry’s ONX operating system for embedded devices. The flaws could be exploited by a local user to escalate their privileges. The security flaws are tracked as CVE-2019-8998 and CVE-2019-13528. Tridium has released updates to address these vulnerabilities.
A bug in NSA’s Ghidra tool
A medium severity bug has been found impacting the National Security Agency’s Ghidra tool. The flaw, identified as CVE-2019-16941, can allow a remote attacker to compromise exposed systems. It exists within NSA Ghidra versions through 9.0.4. No fix is currently available for the vulnerability.
Top Scams Reported in the Last 24 Hours
Bitcoin fraud
A new Bitcoin scam email that purports to be from the Queen’s private office within Buckingham Palace is tricking users to make donations. The scammers are asking recipients for a Bitcoin donation to help the U.K. fund its Brexit process. The email asks a victim somewhere between $585,000 and $2,600,000 with a promise of 30% interest for a three-month loan and membership for the Royal Warrant Holders Association.