Cyware Daily Threat Intelligence
Daily Threat Briefing • Feb 2, 2023
Redis servers ship without authentication enabled because they are not meant to be exposed to the internet, which leaves administrators responsible for keeping them off public networks. Not all of them do: the operators of the HeadCrab malware were able to take over about 1,200 exposed servers to mine Monero. Meanwhile, a new DDoS-as-a-Service (DDoSaaS) platform dubbed Passion, which supposedly has Russian ties, advertises both L4 and L7 attack capabilities. In January, it defaced the websites of organizations in Japan and South Africa.
Malware threats galore! Cybercriminals developed a new backdoor, IceBreaker, that is delivered through a highly targeted social engineering approach against the online gaming and gambling industries. The campaign has been active since at least September 2022.
System encrypted at U.K. school
Vice Society claims to have obtained private information from Guildford County School in England. The Record has seen hundreds of documents appear on the criminal group's leak site after being allegedly taken from the school on January 19. Several of them have filenames that imply they are safeguarding reports—private internal records that teachers create to keep track of information about at-risk pupils.
European car dealer attacked
Personal information of customers of Arnold Clark, one of Europe's largest independent car retailers, was exposed in a ransomware attack. Beyond basic personal details, the affected data includes vehicle details, passport and driver's license data, National Insurance numbers, and bank account details.
ION Group
Dublin-based financial software company ION Group suffered a ransomware attack by the Russia-based LockBit gang. The firm had to disconnect all the affected servers. The attack affected the trading and clearing of exchange-traded derivatives by ION customers in the global markets. More details on the attack are awaited.
HeadCrab mines Monero
Aqua Security researchers found a new malware, dubbed HeadCrab, that has been infecting Redis servers since September 2021. Approximately 1,200 servers were found actively infected and abused to mine Monero cryptocurrency. HeadCrab's infrastructure and tooling are largely invisible to agentless scanners and traditional anti-virus solutions.
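The opening paragraph and the HeadCrab item above turn on the same misconfiguration: a Redis instance reachable from the network with no authentication and its administrative commands left available. The following added example (not code from Aqua Security, Redis, or this briefing) audits a redis.conf for that pattern and contrasts a weak configuration with a hardened one. The list of commands to rename, the wildcard bind addresses, and both sample configs are this example's own assumptions, constructed inline so it runs offline.

```python
"""Audit a redis.conf for network exposure without authentication.
Added example; not code from Aqua Security, Redis, or the briefing."""

# Commands worth renaming or disabling on any instance reachable from an
# untrusted network.  This set is the example's assumption, not a list
# taken from the briefing.
RISKY_COMMANDS = {"CONFIG", "DEBUG", "FLUSHALL", "FLUSHDB", "MODULE",
                  "REPLICAOF", "SLAVEOF"}
# bind values that expose the listener on every interface (assumed set)
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*"}


def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists.

    redis.conf treats only lines that start with '#' as comments, and a
    directive such as rename-command may appear many times, so arguments
    accumulate per directive instead of overwriting."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def _password_set(conf):
    # 'requirepass ""' is how the default config spells "no password"
    pw = conf.get("requirepass", [[]])[-1]
    return bool(pw) and pw[0].strip("\"'") != ""


def audit(text):
    """Return a list of findings; an empty list means no check fired."""
    conf = parse_conf(text)
    findings = []

    # 1. Authentication: requirepass, or Redis 6+ ACL users / aclfile.
    authenticated = _password_set(conf) or "aclfile" in conf or bool(conf.get("user"))
    if not authenticated:
        findings.append("no requirepass and no ACL users: unauthenticated clients get full access")

    # 2. Network exposure.  protected-mode only refuses remote clients when
    #    there is no bind directive and no password; an explicit wildcard bind
    #    or a configured password takes the instance out of that safety net.
    binds = [b for vals in conf.get("bind", []) for b in vals]
    pm = conf.get("protected-mode", [["yes"]])[-1]
    protected = (pm[0].lower() == "yes") if pm else True
    if any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind to all interfaces: reachable from any network")
    elif not binds and not protected:
        findings.append("no bind directive and protected-mode off: listening on every interface")
    elif not binds and authenticated:
        findings.append("no bind directive: listening on every interface, relying on the password alone")

    # 3. Administrative commands: renamed away (empty new name disables them)
    #    or withheld from ACL users via -@dangerous / -@all.
    renamed = {vals[0].upper() for vals in conf.get("rename-command", []) if vals}
    acl_restricted = any("-@dangerous" in vals or "-@all" in vals for vals in conf.get("user", []))
    if not acl_restricted:
        for cmd in sorted(RISKY_COMMANDS - renamed):
            findings.append(f"{cmd} reachable under its default name: rename or disable it")
    return findings


# Constructed sample: the settings an exposed, unauthenticated instance tends to run with.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, password required, risky commands disabled.
# The password value is a placeholder, not a recommendation.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command MODULE ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The check is deliberately static: it reads the file an operator would hand over rather than probing the port, so it can run in a CI job or a configuration-management hook before an instance is ever started. Point `audit()` at the live `CONFIG GET`-equivalent output only from a trusted management host, since the same reachability that makes an audit easy is what the attackers relied on.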
APT34 deploys backdoor
Trend Micro observed threat group APT34 dropping a suspicious executable that spread across machines to steal users' credentials. The malware adds a new exfiltration technique: it can extract data and transfer it to external mail accounts. This is reportedly the first time APT34 has used this malware in its campaigns.
InTheBox adds new web injects
While tracking the InTheBox threat actor, Cyble researchers found that the group has expanded its catalogue to more than 1,800 web injects for use with Android banking malware. The injects target retail banking, e-commerce, mobile payment, and cryptocurrency exchange apps across at least 13 countries. The group is highly active on a Russian-language cybercrime forum.
Passion botnet
Medical institutions in the U.S. and Europe are under DDoS attack from a new botnet called Passion. It operates as a DDoS-as-a-Service (DDoSaaS) platform and has ties to pro-Russian hacking groups such as Anonymous Russia, Killnet, MIRAI, and Venom. It ran several defacement campaigns against Japanese and South African organizations in early January.
Breaking the ice to fool users
Online gaming and gambling firms are under attack from a previously unseen backdoor known as IceBreaker. According to security analysts at SecurityJoes, the initial compromise relies on tricking customer service agents into opening a file that the threat actor, posing as a customer with a problem, presents as a screenshot. Notably, the operators are not believed to be native English speakers, as they ask to speak with Spanish-speaking agents.
GammaLoad and GammaSteel enter Ukraine
The government of Ukraine has made stronger claims that the Russian state-sponsored threat actor Gamaredon uses spyware variants to maintain control over infected hosts. The group relies on two tools, GammaLoad and GammaSteel: the former downloads next-stage VBScript from a remote server, while the latter performs reconnaissance and executes additional commands.
Lazarus after unpatched Zimbra devices
North Korean group Lazarus compromised unpatched Zimbra devices through previously disclosed security flaws, abusing CVE-2022-27925 and CVE-2022-37042 for initial access. Both flaws can be exploited for remote code execution on the underlying server. The group may have stolen approximately 100GB of data from an unnamed victim.
Traffic controller systems at risk
Security researcher Rustam Amin uncovered two serious vulnerabilities in Econolite EOS, a traffic controller software. One, tracked as CVE-2023-0452, stems from a weak algorithm for hashing privileged user credentials; the other, CVE-2023-0451, is an improper access control issue.
Two flaws in ImageMagick
Two vulnerabilities in the open-source image manipulation software ImageMagick can lead to information disclosure and a DoS condition, as reported by Metabase Q researchers. Both are triggered while parsing a PNG image: CVE-2022-44267 causes a DoS when the image carries a filename that is a single dash (-), and CVE-2022-44268 can lead to information disclosure.
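Both ImageMagick bugs are reached through metadata inside a PNG, so an upload pipeline can screen files before the decoder ever sees them. The following added example (not ImageMagick's or Metabase Q's code) walks the PNG chunk structure, verifies every chunk CRC, decodes the textual chunks (tEXt, zTXt, iTXt), and flags any text value that reads as a filename: a lone dash, as the briefing describes, or a path-like value, which is this example's own broader heuristic. The sample images are constructed inline by a small builder so the block runs offline.

```python
"""Pre-screen PNG metadata before handing an upload to an image decoder.
Added example; not code from ImageMagick, Metabase Q, or the briefing."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data):
    """Yield (type, payload) for each chunk, checking the signature and CRCs.

    Raises ValueError on a malformed file instead of guessing at it; the
    caller decides whether "malformed" means "reject"."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:  # PNG caps chunk length at 2**31 - 1
            raise ValueError("chunk length out of range")
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if zlib.crc32(ctype + payload) != struct.unpack(">I", crc)[0]:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def is_well_formed(data):
    """True if every chunk parses with a valid CRC and an IEND is reached."""
    try:
        return any(ctype == b"IEND" for ctype, _ in iter_chunks(data))
    except ValueError:
        return False


def text_chunks(data):
    """Return (keyword, text) pairs from tEXt, zTXt and iTXt chunks."""
    out = []
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = payload.partition(b"\x00")
        if ctype == b"tEXt":
            text = rest
        elif ctype == b"zTXt":
            text = zlib.decompress(rest[1:])  # rest[0] is the compression method
        else:  # iTXt: flag, method, language tag, translated keyword, text
            compressed = rest[0]
            _, _, rest = rest[2:].partition(b"\x00")
            _, _, rest = rest.partition(b"\x00")
            text = zlib.decompress(rest) if compressed else rest
        out.append((keyword.decode("latin-1"), text.decode("utf-8", "replace")))
    return out


def suspicious_text(data):
    """Textual metadata a decoder has no business treating as a filename.

    A lone dash is the trigger the briefing describes; the path heuristic is
    this example's own, broader rule for upload pre-screening."""
    return [(k, t) for k, t in text_chunks(data)
            if t.strip() == "-" or t.startswith("/") or ".." in t]


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def make_png(texts=()):
    """Build a minimal 1x1 greyscale PNG carrying the given tEXt chunks.
    Used here only to construct sample inputs."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr)
    for keyword, text in texts:
        body += _chunk(b"tEXt", keyword.encode("latin-1") + b"\x00" + text.encode("latin-1"))
    return PNG_SIGNATURE + body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: an ordinary comment, and a text value that is a bare dash.
CLEAN_PNG = make_png([("Comment", "holiday photo")])
DASH_PNG = make_png([("Comment", "-")])

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("dash", DASH_PNG)):
        print(name, "well-formed:", is_well_formed(png), "flagged:", suspicious_text(png))
```

The screen is cheap enough to run on every upload and rejects nothing legitimate: real photo metadata carries comments, timestamps and software names, not dashes or paths. Treat a CRC failure the same way as a flagged value, since a decoder that tolerates corrupt chunks is exactly the code path an attacker wants to reach.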
High-severity bug fixed in Cisco devices
Cisco issued patches for a high-severity flaw tracked as CVE-2023-20076. The bug affects some of its industrial routers, gateways, and enterprise wireless access points and can be abused to run arbitrary code on the devices, but exploitation requires administrative access.
Pig butchering scam continues
Cybercriminals pushed two fraudulent apps to Google's and Apple's app stores to trick users into making fake cryptocurrency investments. Researchers from Sophos spotted the Ace Pro and MBM_BitScan apps on both Google Play and Apple's App Store; all funds deposited through them went directly to the scammers.