
Cyware Daily Threat Intelligence


Daily Threat Briefing Feb 4, 2021

The TeamTNT cybercrime gang is ramping up its attacks on cloud servers. This time, it has launched a new cryptojacking operation that targets Kubernetes clusters, using a new malware dubbed Hildegard. To make matters worse, scammers have also begun targeting servers to fulfill their malicious intent: in the past 24 hours, a new cryptocurrency giveaway scam that leverages Discord servers has come to light.

A new threat has emerged from Mirai's expanding range of variants. Dubbed Matryosh, the botnet is built exclusively to launch DDoS attacks from infected Android devices.

Top Breaches Reported in the Last 24 Hours

Oxfam Australia’s data on sale

Oxfam Australia has launched an investigation after its customer database containing 1.7 million customer details and donor information was put on sale on the dark web. The exposed information included email addresses, names, physical addresses, phone numbers, and donation amounts of customers.

Stormshield discloses a data breach

French cybersecurity firm Stormshield has disclosed a data breach after threat actors gained access to one of its customer support portals, enabling them to steal the information of some of its clients. The company also stated that a portion of its source code was accessed by the attackers.

Foxtons Group data on the dark web

Estate agent Foxtons Group is under pressure following a data leak incident. Reports claim that thousands of customer card and personal details have been uploaded to a dark web site. The data relate to customers who dealt with the firm before 2010.

Over 3.2 billion emails and passwords leaked

More than 3.2 billion unique pairs of cleartext emails and passwords have been dumped on a popular hacking forum. The leaked database includes a script named count_total.sh, which was also included in 2017's Breach Compilation. The dump also includes two other scripts: query.sh, for querying emails, and sorter.sh, for sorting the data.

Top Malware Reported in the Last 24 Hours

New Matryosh botnet

Matryosh is a new variant of the Mirai botnet that is primarily designed to launch DDoS attacks. It propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices. Researchers note that the botnet's command format and its use of Tor for C2 are highly similar to those of another botnet called LeetHozer.

Hildegard malware

The TeamTNT threat actor group is deploying new malware, dubbed Hildegard, in a cryptojacking operation. The campaign gains initial access by targeting Kubernetes clusters.

Top Vulnerabilities Reported in the Last 24 Hours

Zero-day flaws in a WordPress plugin

Two new zero-day vulnerabilities in the WordPress plugin Limit Login Attempts Reloaded can be exploited to take over a WordPress site. The flaws are classified as Improper Restriction of Excessive Authentication Attempts (CVE-2020-35590) and Improper Neutralization of Input During Web Page Generation (CVE-2020-35589).

New XS-Leak exploit

A new way to perform an XS-Leak side-channel attack has been disclosed. The technique leverages browser and extension vulnerabilities to trigger cross-site leaks.

Cisco fixes flaws in VPN routers

Cisco has addressed multiple pre-authentication RCE vulnerabilities found in several small business VPN routers. These could allow unauthenticated attackers to execute arbitrary code on targeted devices.

Update on Baron Samedit flaw

Apple's macOS Big Sur and multiple Cisco products are affected by the recently disclosed Baron Samedit flaw. Tracked as CVE-2021-3156, the issue is a heap-based buffer overflow that can be exploited by unprivileged users to gain root privileges on the host. The vulnerability has been patched in the latest version of the Sudo utility.

Vulnerable Realtek Wi-Fi module

Several vulnerabilities found in the Realtek RTL8195A Wi-Fi module can expose many devices to remote attacks. The most severe of these is a stack overflow vulnerability that is tracked as CVE-2020-9395 and can result in the complete takeover of the module and the device’s wireless communications.

Top Scams Reported in the Last 24 Hours

Free cryptocurrency scam

Scammers are now targeting Discord servers, sending private messages to users in a new cryptocurrency giveaway scam. The messages appear to come from new, upcoming cryptocurrency exchanges and promise free Bitcoin or Ethereum. Each message contains instructions and a code for accepting the gift, as well as a link to register on the fake exchange. Victims who go through the registration process are then lured into providing personal details, including their contact details, photo IDs, and signature.
