Cyware Daily Threat Intelligence
Daily Threat Briefing • Apr 27, 2023
The cyber adversaries abusing the PaperCut flaws have been identified. Microsoft's security team reports that the recent attacks exploiting vulnerabilities in PaperCut servers were carried out by affiliates of the Cl0p and LockBit ransomware groups. In these intrusions, the attackers attempted to deliver the TrueBot downloader and to steal LSASS credentials. Meanwhile, RTM Locker has become another ransomware threat hunting Linux systems. It is also the first time the group's developers have targeted NAS and ESXi servers, using a combination of asymmetric and symmetric encryption.
E-commerce platform PrestaShop fixed a high-severity flaw that could allow any user, irrespective of their level of permissions, to modify or delete SQL databases. No mitigation is available other than patching, so the security updates need to be applied as soon as possible.
Criminals dumped sensitive school data
The personal information of the students linked to the Minneapolis public school system was leaked by attackers. The affected data include SSNs, mental health records of students, and even allegations of abuse against the district’s staff members. The district encompasses dozens of schools with around 29,000 students in total. The leak also included details about children with special needs.
Cl0p and LockBit abusing PaperCut flaws
Microsoft has attributed the abuse of two vulnerabilities in PaperCut application servers to Cl0p and LockBit ransomware affiliates. Cl0p actors have been exploiting the PaperCut flaws to gain initial access to corporate networks since April 13th, then deploying the TrueBot malware and a Cobalt Strike Beacon implant on the compromised network. LockBit, by comparison, was behind fewer intrusions.
PowerLess backdoor by Iranian group
An updated version of the PowerLess backdoor was detected in an attack campaign by the Iranian state-sponsored threat actor Educated Manticore. The campaign begins by using an ISO disk image file containing Iraq-themed decoys. The new version includes .NET binary code seemingly assembled in mixed mode. The malware samples were submitted to VirusTotal by the same submitters from Israel.
HiddenAds on Play Store
The McAfee Mobile Research Team reported 38 games on the Google Play Store containing hidden advertising. These HiddenAds apps were downloaded by at least 35 million users worldwide. The apps were designed to secretly send malicious packets to generate advertising revenue. Most instances were detected in the U.S., Canada, Brazil, and South Korea.
RTM Locker unveils Linux version
RTM Locker threat actors have launched a new version of the ransomware strain that can infect Linux, NAS, and ESXi hosts. Its code shares similarities with the Babuk ransomware's leaked source code, Uptycs experts revealed. The encryption function uses pthreads (aka POSIX threads) to speed up execution. How the ransomware gains initial access to vulnerable systems is currently unknown.
Cisco fixes zero-day
Cisco disclosed a zero-day in the web-based management interface of its Prime Collaboration Deployment (PCD) software version 14 and earlier. The security issue, tagged CVE-2023-20060, can be exploited by an unauthenticated user to carry out cross-site scripting (XSS) attacks. When successfully exploited, it could allow an attacker to execute arbitrary script code within the impacted interface or gain access to sensitive information through a web browser.
PrestaShop's SQL database exposed by a bug
A serious bug in PrestaShop, the open-source e-commerce platform, was patched to avoid a major incident involving its database servers. The flaw (CVSS score of 9.9) could be exploited to cause service outages or harm businesses by allowing an attacker to make unauthorized modifications to the online store's database. It affects all PrestaShop installations from version 8.0.3 and older.