
Cyware Daily Threat Intelligence


Daily Threat Briefing Apr 17, 2023

A rising trend has been identified among cybercriminals; they are using Action1 remote access software for reconnaissance activity and to run code with system privileges on network hosts. In fact, it was observed in at least three ransomware attacks by different threat actors. In other news, Palo Alto Networks Unit 42 revealed that criminals associated with the Vice Society ransomware group are utilizing a specialized tool based on PowerShell to escape detection and automate the data extraction process.

Google Chrome’s first zero-day for 2023 has been addressed by the tech giant. While experts have found evidence of an exploit, the details of the high-severity type confusion flaw have not been made public yet.

Top Breaches Reported in the Last 24 Hours

Volvo data lay exposed for a year

Dimas Volvo, a Brazilian retailer of the Swedish luxury vehicle manufacturer Volvo, exposed sensitive files through its website for nearly a year. The unprotected data was hosted on the website of an independent Volvo retailer in the Santa Catarina region of Brazil. The exposed data includes MySQL and Redis database hosts, open ports, credentials, and the website’s Laravel application key.

Datacenter outage at NCR

U.S. payments giant NCR suffered a data center outage in the aftermath of a ransomware attack, allegedly carried out by the BlackCat ransomware group. The attackers, who quickly added the victim to their leak site and then just as quickly removed it, claimed to have stolen “a lot of credentials” that can be exploited to access NCR customer networks.

Europe-based data management firm targeted

A ransomware attack on Evide, a data management company in Europe, has affected the data of several charities and non-profits in Northern Ireland. Personal data, including email addresses and phone numbers, of thousands of individuals at One in Four, a Dublin-based charity, may have been accessed by criminals, stated CEO Maeve Lewis.

Top Malware Reported in the Last 24 Hours

Vice Society launches stealthy tool

The Vice Society ransomware group has been spotted leveraging a PowerShell-based tool (w1.ps1) that relies on built-in data exfiltration methods to evade detection. The malicious script works by identifying mounted drives on the system and then checking each of their root directories to facilitate data exfiltration over HTTP. According to experts, the tool displays a high level of coding expertise on the part of the threat actors.

LockBit’s never-before-seen encryptors

MalwareHunterTeam discovered a ZIP archive belonging to the LockBit ransomware group that had been uploaded to VirusTotal and contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC. Security analysts at BleepingComputer assert that the discovered builds could have been created for testing purposes.

Ransomware attacks via Action1 software

Action1 remote access software is being abused for two purposes: to maintain a presence on compromised networks, and to execute various commands, scripts, and binaries. Although security researchers have observed at least three ransomware attack attempts by different groups, they have attributed the activity to a group called Monti, probably related to the now-defunct Conti group.

Zaraza: A Russian infection

The Uptycs security research team uncovered a new malware dubbed Zaraza. The bot uses Telegram for its C2 functions. It can pilfer login credentials from 38 web browsers, covering accounts of different kinds, such as online bank accounts, email accounts, crypto wallets, and other websites. Notably, "Zaraza" is a Russian word that translates to "infection."

Top Vulnerabilities Reported in the Last 24 Hours

Google’s first zero-day this year

Google has released an urgent Chrome security update to patch its first zero-day bug of 2023. The bug, tracked as CVE-2023-2033, was being abused since the beginning of the year, and Google said it is aware of an exploit in the wild. The company won’t be sharing specific details on the bug until most users have installed the patch.
