Cyware Daily Threat Intelligence

Daily Threat Briefing • Sep 23, 2020
Sometimes a security patch deployed to fix one issue opens the door to a new problem, and this is what happened with Citrix Workspace. A previously patched flaw in the Workspace app for Windows is now an attack vector that can allow attackers to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.
Meanwhile, the technique of hijacking legitimate email threads to spread Emotet trojan has gained significant traction among threat actors in recent weeks. The sophisticated malspam technique serves as an effective way to bypass security checks and trick the targeted user into believing that the email is from the original sender.
Apart from this, the CISA has issued a security advisory regarding the surge in LokiBot-related attacks since July 2020. The information stealing trojan, which uses a variety of methods for propagation, is capable of targeting browsers, email clients, FTP apps, and cryptocurrency wallets.
Top Breaches Reported in the Last 24 Hours
Shopify Inc. discloses data breach
A data breach at Shopify Inc. has exposed customer data from some of the merchants hosted on its platform. The exposed data includes email addresses, names, and order details. However, it does not include complete payment card numbers or other financial information.
Top Malware Reported in the Last 24 Hours
Increase in LokiBot attacks
The CISA has issued a security advisory that warns federal agencies and the private sector about an increase in the number of LokiBot malware attacks since July 2020. The trojan, which uses a wide variety of propagation techniques, is capable of targeting browsers, email clients, FTP apps, and cryptocurrency wallets.
A rise in Emotet malspam campaign
There has been a significant increase in Emotet malspam using a technique called ‘thread hijacking’. Under this technique, threat actors take legitimate messages stolen from the email clients of infected computers and reply to them as phishing emails to victims. These emails include a malicious Word document with macros designed to infect the user with the trojan.
Top Vulnerabilities Reported in the Last 24 Hours
Chrome’s new version released
Google has released Chrome version 85.04183.121 for Windows, Mac, and Linux, with fixes for 10 security flaws. The most severe of these can allow attackers to execute arbitrary code in the context of the browser. Two of the high-severity vulnerabilities are tracked as CVE-2020-15960 and CVE-2020-15961.
Citrix workspace bug
A patch issued for a Citrix Workspace vulnerability in July has failed to do its job. According to Pen Test Partners, the bug, tracked as CVE-2020-8207, can still allow cybercriminals to elevate privileges and remotely execute arbitrary commands under the SYSTEM account. The flaw exists in the automatic update service of the Citrix Workspace app for Windows.
Samba server affected by Zerologon
Administrators running Samba are urged to apply the patch released for the recently found Zerologon vulnerability. Researchers claim that the flaw, CVE-2020-1472, can be exploited to gain domain-level administrator access. It exists in the design of Microsoft’s Netlogon Remote Protocol, which Samba implements to provide the same domain-controller functionality.
Critical XSS bug
A critical Cross-Site Scripting (XSS) vulnerability in Instagram’s Spark AR Studio can be abused to redirect users to malicious pages. The flaw can be exploited by injecting the charset attribute with the modified UTF-7 charset to encode the XSS payload.
Top Scams Reported in the Last 24 Hours
AT&T phishing scam
A new phishing scam has been found targeting AT&T employees with the intention of stealing their credentials. Though the propagation method is unknown, the scammers have created a phishing page that looks similar to the AT&T login page. The fake page offers up to five separate authentication options that the victim can choose from, four of which target one-time passwords. Moreover, the phishing page uses a Telegram bot to send the stolen details back to the phishers.