Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 24, 2021
Attention! The FBI has shared detailed information about OnePercent Group, a threat actor that has been actively targeting U.S. organizations since November 2020. The group is believed to have long-standing connections with the REvil, Maze, and Egregor ransomware operations.
Security experts have also raised red flags over a year-long espionage campaign targeting public and private companies in South Asia. It uses two new shellcode loaders, StealthVector and StealthMutant, alongside a backdoor named ScrambleCross. Another ongoing campaign, distributing a new variant of the Konni RAT, has been found targeting users in Russia. Meanwhile, IoT device manufacturers are in attackers' sights following the discovery of exploitable vulnerabilities in an SDK shipped with Realtek chipsets.
Top Breaches Reported in the Last 24 Hours
38 million records exposed
Around 38 million records containing data such as Covid-19 vaccination status, Social Security numbers, and email addresses have been exposed through misconfigured Microsoft Power Apps portals whose OData API feeds were left open to anonymous requests. The exposure affected American Airlines, Microsoft, JB Hunt, and the governments of New York City, Maryland, and Indiana.
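The Power Apps exposure came down to one setting: a portal's OData feed answering unauthenticated requests. The following checker is an added example written for this briefing, not code from Cyware, Microsoft, or the researchers who reported the leak. It assumes the portal publishes its OData service document at `https://<portal>/_odata` (the path Power Apps portals use) and that entity sets can be read at `/_odata/<name>`; the sample service document and records are constructed and stand in for what a misconfigured portal would return.

```python
"""
Audit a Power Apps portal for anonymously readable OData entity sets.

Added example (not from the Cyware briefing or from Microsoft/UpGuard).
Assumptions: service document at https://<portal>/_odata, entity sets at
https://<portal>/_odata/<name>. The SAMPLE_* responses below are constructed.
"""
import json
import re
import urllib.request
from urllib.error import HTTPError

# Rough PII detectors for a quick triage of whatever the feed hands back.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_service_document(status, body):
    """Interpret an unauthenticated GET /_odata response.

    Returns (state, entity_sets) where state is:
      'open'    - the feed lists entity sets to anonymous callers
      'closed'  - authentication required, or the feed is disabled
      'unknown' - anything else; keep for manual review
    """
    if status in (401, 403, 404):
        return "closed", []
    if status != 200:
        return "unknown", []
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown", []
    sets = [item.get("name") for item in doc.get("value", []) if item.get("name")]
    return ("open" if sets else "closed"), sets


def find_sensitive_fields(records):
    """Return names of fields whose values look like SSNs or email addresses."""
    hits = set()
    for rec in records:
        for key, val in rec.items():
            if isinstance(val, str) and (SSN_RE.match(val) or EMAIL_RE.match(val)):
                hits.add(key)
    return sorted(hits)


def fetch(url, timeout=10):
    """Anonymous GET returning (status, body). Only used for live audits."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def audit_portal(hostname, fetcher=fetch):
    """Return (state, {entity_set: [sensitive fields]}) for one portal."""
    base = f"https://{hostname}/_odata"
    state, sets = classify_service_document(*fetcher(base))
    findings = {}
    if state == "open":
        for name in sets:
            status, body = fetcher(f"{base}/{name}?$top=5")  # peek at a few rows
            if status != 200:
                continue
            try:
                rows = json.loads(body).get("value", [])
            except ValueError:
                continue
            fields = find_sensitive_fields(rows)
            if fields:
                findings[name] = fields
    return state, findings


# Constructed responses standing in for a misconfigured portal.
SAMPLE_SERVICE_DOC = json.dumps({
    "@odata.context": "https://example.invalid/_odata/$metadata",
    "value": [{"name": "contacts", "url": "contacts"}],
})
SAMPLE_CONTACTS = json.dumps({"value": [
    {"contactid": "1", "emailaddress1": "a.person@example.invalid",
     "ssn": "123-45-6789", "vaccinated": "yes"},
]})


def fake_fetch(url):
    """Offline stand-in for fetch() that serves the constructed samples."""
    if url.endswith("/_odata"):
        return 200, SAMPLE_SERVICE_DOC
    if "/_odata/contacts" in url:
        return 200, SAMPLE_CONTACTS
    return 404, ""


if __name__ == "__main__":
    print(audit_portal("example.invalid", fetcher=fake_fetch))
```

Run it against a real portal by calling `audit_portal("yourportal.powerappsportals.com")` with the default fetcher; any entity set that comes back `open` from an unauthenticated client should have table permissions enabled on the portal before anything else is investigated.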
South Asian countries under attack
A new espionage campaign targeting public and private companies in South Asia is underway. The campaign has been active since July 2020 and uses the shellcode loaders StealthVector and StealthMutant, along with a backdoor named ScrambleCross. Phishing emails carrying malicious LNK files serve as the initial infection vector.
Phishing with UPS.com
A phishing campaign exploited an XSS vulnerability on UPS.com to serve a malicious document from a Cloudflare Worker, so that the download link pointed at the legitimate UPS domain. The phishing emails impersonated UPS and claimed that a package had an exception and needed to be picked up by the recipient.
US organizations targeted by OnePercent Group
The FBI has shared the TTPs of OnePercent Group, a threat actor believed to be associated with the REvil, Maze, and Egregor ransomware groups. The gang's tactics include phishing emails that deliver the IcedID trojan, Cobalt Strike beacons for post-compromise access and lateral movement, and RClone for data exfiltration before encryption.
SAC Wireless attacked
SAC Wireless, a Nokia subsidiary, has disclosed a data breach following a Conti ransomware attack discovered on June 16. The company believes the attackers may have stolen personal information of current and former employees, including names, dates of birth, government ID numbers, medical history, health insurance policy information, and tax return information.
Top Malware Reported in the Last 24 Hours
Triada trojan
A trojanized build of FMWhatsApp, an unofficial WhatsApp mod, carries the Triada trojan, which collects data from the victim's phone. Depending on what it finds, it can then install modules of other trojans such as xHelper, intercept SMS login confirmation codes, and display unwanted ads.
A new variant of Konni malware
An ongoing phishing campaign, launched in late July 2021, is pushing a new variant of the Konni RAT at users in Russia. The infection chain starts with a Russian-language document that executes a malicious macro; the lures concern trade and economic issues between Russia and the Korean Peninsula or a meeting of the intergovernmental Russian-Mongolian commission.
Top Vulnerabilities Reported in the Last 24 Hours
Realtek SDKs actively exploited
Attackers are actively exploiting vulnerabilities in a Realtek SDK that ships in devices from at least 65 vendors, including Asus, Belkin, D-Link, Netgear, Tenda, ZTE, and Zyxel. The flaws are tracked as CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, and CVE-2021-35395; the first two are buffer overflows in the SDK's WiFi Simple Config service, the third is a command injection in the MP daemon, and the fourth covers multiple bugs in the web management interface. CVE-2021-35395 has been exploited in the wild to spread a Mirai variant.
Vulnerable B.Braun products
Infusion pumps and docking stations manufactured by B. Braun contain several security vulnerabilities that attackers could chain to alter the medication doses delivered to patients.