Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 3, 2022
Attacks driven by new malware are intensifying. In the last 24 hours, researchers have uncovered a cryptojacking malware named CoinStomp that is targeting cloud service providers in Asia. Separately, Microsoft has warned about a new variant of the UpdateAgent macOS malware that can deliver adware and potentially other payloads.
There has also been a report of an SEO poisoning campaign that is actively dropping BATLOADER, followed by payloads such as Ursnif and the Atera Agent remote-management tool, onto targeted systems. The attackers lure users who are searching for installers of widely used software such as TeamViewer, Zoom, or Visual Studio.
Top Breaches Reported in the Last 24 Hours
KP Snacks’ operation disrupted
The manufacturing and distribution operations of British snack producer KP Snacks (Kenyon Produce) were severely disrupted by a ransomware attack. The company became aware of the attack on January 28 and took immediate steps to contain the incident. The Conti ransomware group is believed to be behind the attack.
$322 million stolen
A vulnerability in the Wormhole cross-chain bridge allowed a threat actor to steal an estimated $322 million worth of Ether. The attackers exploited a flaw in the platform's smart contracts to drain funds from the bridge.
Students’ data impacted
Pellissippi State Community College suffered a ransomware attack in which the attackers gained unauthorized access to the personal information of current and former students. Student credit card information was not affected. The exposed data included names, email addresses, internal identification numbers, and school passwords.
German oil companies attacked
The BlackCat ransomware group has been blamed for recent cyberattacks on two German oil companies. The attacks ultimately affected hundreds of gas stations across northern Germany. The firms activated their contingency plans immediately after discovering the intrusions.
Top Malware Reported in the Last 24 Hours
Newly discovered CoinStomp
A new malware dubbed CoinStomp is targeting cloud services to mine cryptocurrency. So far it has hit multiple cloud service providers in Asia. It uses timestomping (rewriting file timestamps so that a freshly dropped binary looks old to forensic timelines) along with several other anti-analysis techniques to evade detection.
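Timestomping relies on the fact that user space can set a file's access and modification times freely (via utime) but cannot set its change time, which the kernel bumps on every metadata update. The following is an added example, not code from the CoinStomp research or from Cyware, showing that asymmetry from both sides: a function that stomps a file the way a dropper would, and a detector that flags the two residues this leaves on Linux (an mtime far older than ctime, and an mtime with an all-zero nanosecond part). The file name "kthreadd" and the 2015 timestamp are constructed for the demo and are not indicators from the report.

```python
import os
import tempfile

# Constructed "old" timestamp an attacker might stomp onto a dropped miner:
# 2015-01-01T00:00:00Z (not a value taken from the CoinStomp report).
STOMPED_EPOCH = 1420070400


def timestomp(path: str, epoch: int) -> None:
    """Emulate the attacker: rewrite atime and mtime to a chosen date.

    utime() only reaches atime/mtime. The kernel sets ctime to 'now' as a side
    effect and offers no user-space API to set it, which the detector exploits.
    """
    os.utime(path, (epoch, epoch))


def timestomp_indicators(path: str, tolerance_s: int = 5) -> list:
    """Return the heuristic indicators that a file's mtime has been forged.

    Both checks produce false positives (chmod on an old file, files extracted
    from archives or copied from FAT media), so treat hits as leads, not verdicts.
    """
    st = os.stat(path)
    hits = []
    # Indicator 1: mtime older than ctime. The stomping utime() call itself
    # updates ctime, so a stomped file shows an old mtime beside a recent ctime.
    if st.st_ctime - st.st_mtime > tolerance_s:
        hits.append("mtime precedes ctime")
    # Indicator 2: mtime with exactly zero nanoseconds. Modern Linux filesystems
    # record sub-second timestamps; utime()/`touch -t` with whole-second input
    # leaves the fractional part at zero, which organic writes almost never do.
    if st.st_mtime_ns % 1_000_000_000 == 0:
        hits.append("whole-second mtime")
    return hits


def scan_directory(root: str) -> dict:
    """Map path -> indicators for every file under root with at least one hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                hits = timestomp_indicators(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            if hits:
                findings[p] = hits
    return findings


def demo() -> tuple:
    """Drop a placeholder binary, check it, stomp it, check it again."""
    with tempfile.TemporaryDirectory() as d:
        dropped = os.path.join(d, "kthreadd")  # hypothetical miner name
        with open(dropped, "wb") as f:
            f.write(b"\x7fELF constructed placeholder, not a real binary")
        before = timestomp_indicators(dropped)
        timestomp(dropped, STOMPED_EPOCH)
        after = timestomp_indicators(dropped)
        return before, after, scan_directory(d)


if __name__ == "__main__":
    before, after, findings = demo()
    print("before stomp:", before)
    print("after stomp: ", after)
    print("scan:", findings)
```

Run the scan against directories a cryptojacker favours (for example /tmp, /dev/shm, and any world-writable path under /var) and correlate hits with process start times; on its own a whole-second mtime is weak evidence, but an old mtime on an executable whose ctime and parent process are both minutes old is worth an analyst's attention.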
SEO poisoning drops malware
A new SEO poisoning campaign is being used in the wild to drop BATLOADER, which in turn delivers payloads such as Ursnif and the Atera Agent remote-management tool, onto targeted systems. The attackers target users who are searching for installers of widely used software such as TeamViewer, Zoom, or Visual Studio: they seed search results for those products so that victims land on fake download pages serving trojanized installers.
UpdateAgent evolves
The relatively new macOS malware UpdateAgent has been upgraded to deliver adware and potentially other malicious payloads. Its latest version can also bypass Apple's built-in Gatekeeper checks, so downloaded payloads run without the usual warning.
Top Vulnerabilities Reported in the Last 24 Hours
Trend Micro issues patches
Trend Micro recently patched two high-severity vulnerabilities affecting some of its hybrid cloud security products. The flaws, tracked as CVE-2022-23119 and CVE-2022-23120, impact Deep Security and Cloud One Workload Security. The patches were released last year, and proof-of-concept exploits were published on January 19, so unpatched deployments should be updated promptly.
Cisco patches RV routers
Cisco has announced patches for multiple vulnerabilities affecting its Small Business RV160, RV260, RV340, and RV345 series routers. The most severe of these is tracked as CVE-2022-20699 and can allow threat actors to execute arbitrary code on a vulnerable device.