Cyware Daily Threat Intelligence


Daily Threat Briefing April 20, 2023

Google scrambles to address another high-severity zero-day in the Chrome web browser, coming hot on the heels of its patch for CVE-2023-2033 released just last week. Furthermore, an investigation into incidents where attackers attempted to deactivate EDR clients led a cybersecurity group to AuKill, a defense evasion tool. The tool abuses outdated versions of the Microsoft utility Process Explorer to deploy a backdoor or ransomware on the compromised system. It has reportedly been used in at least three ransomware incidents.

In another threat, adversaries were found abusing a security defect in the Windows Secondary Logon Service to infiltrate unprotected internet-exposed Microsoft SQL (MS-SQL) servers and infect those with Trigona ransomware.

Top Malware Reported in the Last 24 Hours

Trigona ransomware targets MS-SQL servers

AhnLab discovered that Trigona ransomware operators are targeting unsecured and internet-exposed Microsoft SQL (MS-SQL) servers. They breach the servers through brute-force attacks that crack account credentials. After connecting to a server, the criminals deploy a malware dubbed CLR Shell. The attackers then install and launch a dropper malware, which in turn launches the Trigona ransomware.

‘AuKill’ EDR killer

Sophos X-Ops uncovered a defense evasion tool called AuKill. The tool exploits an outdated version of the driver used by version 16.32 of the Microsoft utility Process Explorer to disable EDR processes before deploying either a backdoor or ransomware on the targeted system. Since the beginning of 2023, the tool has been used to drop the Medusa Locker and LockBit ransomware strains.

Raspberry Robin adopts evasion technique

According to Check Point Research, Raspberry Robin malware has undergone some tactical changes in its evasion techniques to avoid detection, especially on Virtual Machines (VMs). The security experts have also analyzed two exploits, for CVE-2020-1054 and CVE-2021-1732, that the malware used to gain higher privileges on compromised systems.

Top Vulnerabilities Reported in the Last 24 Hours

Two security issues impact PaperCut

Cybercriminals are exploiting a pair of flaws in print management software by PaperCut. The first bug, identified as CVE-2023-27350, is an unauthenticated RCE flaw impacting all PaperCut MF or NG versions 8.0 or later. The other one, identified as CVE-2023-27351, is an unauthenticated information disclosure flaw affecting all PaperCut MF or NG versions 15.0 or later. Users are urged to patch immediately.

Google addresses the second zero-day

Google released fixes for a new zero-day in the Chrome browser. The security flaw, identified as CVE-2023-2136, is an integer overflow problem in Skia. Google confirmed that an exploit for this bug exists in the wild. Last week, Google addressed a type confusion zero-day in the V8 JavaScript engine.
