Cyware Daily Threat Intelligence
Daily Threat Briefing • Apr 1, 2022
Yet another wiper malware has been uncovered in the cyber threat landscape. Dubbed AcidRain, it is the seventh wiper to be discovered in the last two months. The malware has been linked to the recent attacks on Viasat’s modems. Meanwhile, the Deep Panda APT group returned with a Log4Shell exploit to deploy a new rootkit named Fire Chili. The attacks targeted organizations in the finance, travel, and cosmetic industries.
Besides these, security experts also spotted a new info-stealer on various hacking forums. Named BlackGuard, it is capable of harvesting credentials from a broad range of applications, including web browsers, cryptocurrency wallets, and emails.
New Fire Chili rootkit
The Chinese hacking group Deep Panda targeted VMware Horizon servers to deploy a new rootkit called Fire Chili. The attack exploited the Log4Shell vulnerability to gain initial access to networks. The rootkit enabled the attackers to evade detection on compromised systems.
New BlackGuard malware
A new information-stealing malware, named BlackGuard, is being sold on hacking forums for a lifetime price of $700 or a subscription of $200 per month. The stealer can pilfer sensitive information from a broad range of applications, including web browsers, cryptocurrency wallets, messengers, and email clients. The collected information is bundled in a ZIP file and sent to the C2 server via a POST request.
AcidRain data wiping malware
Researchers uncovered a new wiper malware that targets modems and routers. Dubbed AcidRain, the malware was first spotted on February 24 after a cyberattack rendered Viasat KA-SAT satellite broadband modems inoperable in Ukraine. The malware shares similarities with VPNFilter.
Apple issues patches
Apple has rolled out emergency patches to address two zero-day flaws that may have been exploited in the wild. The issues have been fixed in iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. They are tracked as CVE-2022-22675 and CVE-2022-22674.
Zyxel pushes security updates
Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products. The flaw could enable an attacker to take control of devices. It has been assigned the identifier CVE-2022-0342 and is rated 9.8 out of 10 on the CVSS scale.
CISA adds new flaws to its list
CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These include the recently disclosed authentication bypass flaw (CVE-2022-1040) in the Sophos firewall. Organizations are advised to address the flaws to avoid falling victim to attacks.
Vulnerabilities in Rockwell PLC
Two vulnerabilities have been found affecting Rockwell Programmable Logic Controllers. They are tracked as CVE-2022-1161 and CVE-2022-1159. While the former affects numerous versions of Rockwell’s Logix Controllers, the latter impacts several versions of its Studio 5000 Logix Designer application. The flaws can allow attackers to launch Stuxnet-style attacks on PLCs.
Trend Micro patches zero-day flaw
Trend Micro has patched a high-severity arbitrary file upload vulnerability in Apex Central that was exploited widely. The flaw (CVE-2022-26871) impacts both on-premises and software-as-a-service versions of the centralized management console. It has a CVSS score of 8.6.
Azure static web pages impersonated
Phishers are abusing Microsoft Azure’s Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. Researchers noticed that threat actors leveraged the service’s custom branding and web hosting features to host static phishing landing pages. Each landing page automatically gets a secure-page padlock in the address bar because it is served under the *.1.azurestaticapps.net wildcard TLS certificate, so the padlock says nothing about who controls the page.
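As an added defensive example (not part of the Cyware briefing and not Microsoft’s or Azure’s code), the Python below shows why the padlock is not a trust signal and how a defender can triage URL logs for brand-impersonating pages on the platform suffix named above. It implements single-label wildcard certificate matching, so a host like a.b.1.azurestaticapps.net or a look-alike with the suffix embedded mid-name is not treated as platform-hosted, then flags platform-hosted hosts whose customer-chosen label contains a brand keyword. The log format, the brand keyword list, and the sample log lines are constructed assumptions for the example; the wildcard name comes from the briefing.

```python
"""Triage URL logs for brand-impersonating pages hosted under a platform
wildcard domain.  Added example; the log lines and keyword list are constructed."""
from urllib.parse import urlparse

# Wildcard certificate name reported in the briefing.  A browser expands '*'
# to exactly ONE DNS label, so every customer site gets a padlock for free.
PLATFORM_WILDCARD = "*.1.azurestaticapps.net"

# Assumed brand keywords that should never appear in a customer label on a
# free static-hosting suffix (the brands the briefing says were impersonated).
BRAND_KEYWORDS = ("microsoft", "office365", "office-365", "outlook", "onedrive", "login")

# Constructed sample proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_LOG = """\
2022-04-01T09:12:03Z alice https://contoso-internal.example.com/portal
2022-04-01T09:14:41Z bob https://outlook-login-verify.1.azurestaticapps.net/signin
2022-04-01T09:15:02Z bob https://docs.example.org/onedrive-migration
2022-04-01T09:20:17Z carol https://onedrive-share.1.azurestaticapps.net/index.html
2022-04-01T09:22:55Z dave https://evil.1.azurestaticapps.net.attacker.example/
2022-04-01T09:25:10Z erin https://weather.1.azurestaticapps.net/
"""


def wildcard_covers(pattern: str, host: str) -> bool:
    """True if a single-label wildcard name (RFC 6125 style) covers host.

    '*.1.azurestaticapps.net' covers 'foo.1.azurestaticapps.net' but not
    'a.b.1.azurestaticapps.net', not the bare '1.azurestaticapps.net', and
    not a host that merely contains the suffix somewhere in the middle.
    """
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern.lower() == host
    suffix = pattern[1:].lower()          # ".1.azurestaticapps.net"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # the customer-chosen part
    return bool(left) and "." not in left


def triage(log_text: str) -> list:
    """Return one finding per platform-hosted URL whose label looks like a brand."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        ts, user, url = parts
        host = urlparse(url).hostname or ""
        if not wildcard_covers(PLATFORM_WILDCARD, host):
            continue                      # not actually on the platform suffix
        label = host.split(".")[0]        # only the attacker-controlled label
        if any(k in label for k in BRAND_KEYWORDS):
            findings.append({
                "time": ts, "user": user, "host": host,
                "reason": "brand keyword in customer label of platform wildcard domain",
            })
    return findings


def flagged_hosts(log_text: str) -> list:
    """Convenience view: just the hostnames worth a closer look."""
    return [f["host"] for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} {f['host']}: {f['reason']}")
```

The key design point is that the check keys on the label the tenant controls, not on the padlock or the overall domain reputation: weather.1.azurestaticapps.net is left alone, while the two brand-named labels are surfaced for review, and the look-alike ending in attacker.example is correctly excluded from the platform rule because the wildcard does not cover it.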