Cyware Daily Threat Intelligence
Daily Threat Briefing • Dec 8, 2022
Attacks against the cryptocurrency industry intensify as criminals pose, on Telegram, as intermediaries between VIP clients and the cryptocurrency exchange platforms those clients use. The scammers work to win the clients' trust, which can end in the remote hijacking of their systems. Among the top threats in today's round-up is a ransomware group that has concentrated its attacks on the education sector in the U.S. The attackers timed their campaigns to coincide with this sector's unique calendar year - the transition period between the beginning and end of the school year.
Separately, a critical authentication bypass vulnerability in Fortinet products exposes devices to remote login by cybercriminals. The bug is triggered during the RADIUS server authentication process, via a specially crafted message.
Ohio restaurants’ FB accounts hacked
Restaurants in Cincinnati, Ohio, were taken aback after a cybercriminal hacked into their social media accounts to steal thousands of dollars while also damaging their reputations. In one incident, criminals took over a restaurant's Facebook page and misused the owners' bank accounts linked to the platform. They also posted material from the Facebook account that earned it a permanent ban.
CommonSpirit Health confirmed massive data leak
At least seven Washington state hospitals affiliated with Chicago-based CommonSpirit had their patient data exposed in a ransomware attack. The organization disclosed that an unknown third party had access to its network between September 16 and October 3. It is estimated that more hospitals and patients may have been affected by the breach.
Fantasy, a wiper malware by Agrius APT
ESET researchers attributed a new wiper malware, dubbed Fantasy, and its execution tool to the Agrius APT group. The Iranian group has been targeting the diamond industry in South Africa, Hong Kong, and Israel. The malware's code base is very similar to that of the Apostle wiper, except that Apostle also posed as a ransomware strain.
Vice Society vs the education sector
The Vice Society ransomware group emerged as a major threat to the education sector, especially in the U.S. As of now, its victim count is over 40 educational organizations, K-12 and higher education institutions in particular, with about 15 in the U.S. Vice Society was first seen in the summer of 2021. Its other targeted sectors are healthcare and NGOs.
IE zero-day exploited
A zero-day bug in Internet Explorer is being abused in attacks by APT37, a North Korean hacking group. The bug, CVE-2022-41128, was located in the browser’s ‘JScript9’ JavaScript engine that remote attackers could exploit for arbitrary code execution on a compromised system. It is a type-confusion flaw, similar to the JScript9 flaw (CVE-2021-34480) patched last year.
Bugs in FortiOS and FortiProxy
Fortinet announced patches for multiple vulnerabilities in its FortiOS and FortiProxy products. Among them is a critical authentication bypass flaw, CVE-2022-35843, in the SSH login component of FortiOS. The bug is triggered when RADIUS authentication is in use: by forging an Access-Challenge response from the RADIUS server, attackers may log into the target device.
Giveaway scam rides on Elon Musk’s wave
A crypto giveaway scam dubbed Freedom Giveaway is targeting new Twitter followers of Elon Musk, Tesla, and SpaceX. Potential victims are being added to a "Deal of the Year" list on Twitter for this operation. Hackers falsely promise them up to 5000 BTC if they deposit small amounts into an attacker's wallet. The list has so far added 155 members.
Crypto-investment firms in the fray
According to Microsoft, cybercriminal group DEV-0139 is approaching cryptocurrency investment firms’ VIP customers to infect their systems with malware. The adversaries took to Telegram chat groups to identify such targets, win their trust, and then share malicious Excel spreadsheets with them. The campaign also delivers a second payload which is an MSI package for a CryptoDashboardV2 app.