
Cyware Daily Threat Intelligence


Daily Threat Briefing Apr 14, 2021

Malicious cryptomining remains prevalent and continues to grow in scope. In the past 24 hours, security experts have detected two different incidents where threat actors are making use of the recently discovered ProxyLogon vulnerabilities and cracked software to deploy Monero miners.

Besides this, malicious actors have swapped QBot for the IcedID trojan to deliver more malicious payloads. This indicates the attackers' intention to keep the campaign active for a long time.

Meanwhile, the security patches released by Microsoft and Adobe as part of April 2021 Patch Tuesday are sure to bring a sigh of relief to customers using the vulnerable products.

Top Breaches Reported in the Last 24 Hours

Casinos affected

Two Tasmanian casinos have been forced to shut down following a ransomware attack. The attack occurred on April 3 and affected hotel booking systems. The slot machines, known as pokies in Tasmania, have also been out of service since the attack.

Top Malware Reported in the Last 24 Hours

Malicious web pages

More than 100,000 web pages hosted on Google Sites are being used to trick netizens into opening booby-trapped business documents containing a RAT. The site pages use common business terms such as 'template', 'invoice', 'receipt', 'questionnaire', and 'resume' to lure online users into clicking on them.

QakBot returns

Researchers have spotted campaigns in which attackers swapped IcedID for the QakBot trojan to deliver malicious payloads. The campaign relied on updated XLM macros to distribute the trojan.

New malicious package

A new malicious package, dubbed web-browserify, that targets NodeJS developers has been spotted on the npm registry. Once executed, the package uses another, legitimate npm component, systeminformation, to collect information from the infected systems.

Another cryptomining incident

Cracked copies of Microsoft Office and Adobe Photoshop are being used to steal browser session cookies and Monero cryptocurrency wallets from users who install the pirated software. The cracked software is distributed via BitTorrent.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft patches 114 CVEs

Microsoft has issued fixes for 114 vulnerabilities as part of April 2021 Patch Tuesday. The flaws affect Microsoft Windows, Edge browser, Microsoft Office, Azure and Azure DevOps Server, Exchange Server, SharePoint Server, Hyper-V, Visual Studio, and Team Foundation Server. Nineteen of these flaws are critical, four of which are related to Microsoft Exchange Server bugs.

New attacks against ProxyLogon

An unknown threat actor is attempting to use the recently discovered ProxyLogon vulnerabilities to deliver Monero cryptominers onto other vulnerable Microsoft Exchange servers. The attack begins with a PowerShell command that retrieves a file named win_r.zip from the compromised servers' Outlook Web Access logon path.

Google patches zero-day vulnerabilities

Google has issued updates for two zero-day vulnerabilities affecting Windows, macOS, and Linux users. The flaws, tracked as CVE-2021-21206 and CVE-2021-21220, are being exploited in the wild.

Adobe fixes critical flaws

Adobe has announced patches for two critical buffer overflow vulnerabilities found in four of its products. These flaws could lead to arbitrary code execution on victims' systems. Adobe says none of these vulnerabilities has been exploited in malicious attacks.

PoC for QNAP NAS vulnerabilities released

A PoC for a remote code execution vulnerability (CVE-2020-2501) affecting QNAP NAS devices is now publicly available. The flaw, a memory corruption issue, affects QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2.

Zero-day exploited

A zero-day vulnerability in Desktop Window Manager is being exploited in the wild by several threat actors. It is an elevation-of-privilege flaw and has been assigned CVE-2021-28310.
