Cyware Daily Threat Intelligence

Daily Threat Briefing • December 9, 2021
Whether it is hardware or software, malware threats are prowling at every level of the tech stack. In the last 24 hours, we witnessed the discovery of a new MANGA botnet campaign targeting network routers and a new ransomware strain targeting enterprise Atlassian Confluence and GitLab servers.
Not just individual users but entire nations also face the wrath of organized cybercriminal groups. Chinese hackers have been targeting a number of Southeast Asian countries, including the governments and military forces of Indonesia, the Philippines, Thailand, Malaysia, and Vietnam. In other news, Google and SonicWall urged users to update their devices to fix a number of critical vulnerabilities.
Top Breaches Reported in the Last 24 Hours
Microsoft Vancouver leaks website credentials
A Desktop Services Store (.DS_Store) file was exposed on a publicly accessible web server belonging to Microsoft Vancouver. The metadata stored in the file pointed to several WordPress database dumps, which comprised multiple administrator usernames, email addresses, and hashed passwords for the Microsoft Vancouver website.
Chinese attackers target Southeast Asian nations
Chinese hacking groups, likely state-sponsored, have been targeting government and private sector organizations across Southeast Asia. The targets included the Indonesian and Philippine navies, the Thai Prime Minister’s office and the Thai army, Malaysia’s Ministry of Defense, and Vietnam’s national assembly and the central office of its Communist Party.
Ransomware attack hits CS Energy
A major energy network in Australia operated by CS Energy suffered a ransomware attack that could have left millions of homes without power. The company's quick response detected and neutralized the attack just in time, before it could shut down two major thermal coal plants, Callide and Kogan Creek.
Top Malware Reported in the Last 24 Hours
Malicious npm code hijacks Discord servers
Several malicious packages in the Node.js package manager (npm) code repository were found hijacking Discord tokens. Such packages represent a supply chain threat: any application that pulls in the malicious code can in turn be used against its own users.
Confluence and GitLab targeted by ransomware
A ransomware group leveraged exploits for recently disclosed flaws to gain access to unpatched Confluence and GitLab servers, encrypt their files, and then demand a ransom from the server owners for data recovery. So far, the attacks have hit hundreds of servers, encrypting both Windows and Linux systems.
MANGA targets new TP-Link router vulnerability
The Dark Mirai-based botnet campaign, also referred to as MANGA, targets a vulnerability in TP-Link home wireless routers, particularly the TL-WR840N EU (V5) model. The campaign exploits recently published vulnerabilities, capitalizing on the gap between the disclosure of a vulnerability and the application of a patch to compromise IoT devices.
Top Vulnerabilities Reported in the Last 24 Hours
SonicWall urges customers to patch critical SMA bugs
SonicWall urges customers running SMA 100 series appliances to patch them against multiple security bugs with medium to critical CVSS scores. The flaws impact SMA 200, 210, 400, 410, and 500v appliances even with the Web Application Firewall (WAF) enabled.
Security updates for Android
The December 2021 security updates for Android provide patches for 46 vulnerabilities. The most critical of the addressed issues is an information leakage flaw in the Media framework; two information disclosure flaws in that component, CVE-2021-0967 and CVE-2021-0964, were addressed this month.
Vulnerability surfaces in GraphQL API
A flaw has been discovered in a GraphQL API implemented by a financial services firm. The vulnerability lies in how authorization is enforced when queries are nested.