Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 4, 2021
The TeamTNT cybercrime gang is ramping up its attacks on cloud servers. This time, it has launched a new cryptojacking operation that targets Kubernetes clusters, using a new malware dubbed Hildegard. Scammers, too, have turned to servers: in the past 24 hours, a new cryptocurrency giveaway scam that abuses Discord servers has come to light.
A new threat has emerged from Mirai’s expanding range of variants. Dubbed Matryosh, the botnet infects Android devices and is designed exclusively to launch DDoS attacks.
Top Breaches Reported in the Last 24 Hours
Oxfam Australia’s data on sale
Oxfam Australia has launched an investigation after its customer database containing 1.7 million customer details and donor information was put on sale on the dark web. The exposed information included email addresses, names, physical addresses, phone numbers, and donation amounts of customers.
Stormshield discloses a data breach
The French cybersecurity firm Stormshield has disclosed a data breach after threat actors gained access to one of its customer support portals, enabling them to steal the information of some of its clients. The company also stated that a portion of its source code was accessed by the attackers.
Foxtons Group data on the dark web
Estate agent Foxtons Group is under pressure following a data leak incident. Reports claim that thousands of customer card and personal details have been uploaded to a dark web site. The data relate to customers who dealt with the firm before 2010.
Over 3.2 billion emails and passwords leaked
More than 3.2 billion unique pairs of cleartext emails and passwords have been dumped on a popular hacking forum. The leaked database includes a script named count_total.sh, which was also part of 2017’s Breach Compilation, along with two other scripts: query.sh, for querying emails, and sorter.sh, for sorting the data.
Top Malware Reported in the Last 24 Hours
New Matryosh botnet
Matryosh is a new variant of the Mirai botnet that is primarily designed to launch DDoS attacks. It propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices. Researchers claim that the botnet’s command format and its use of Tor for C2 are highly similar to those of another botnet called LeetHozer.
Hildegard malware
The TeamTNT threat actor group is deploying a new malware, dubbed Hildegard, in a new cryptojacking operation. The campaign targets Kubernetes clusters for initial access.
Top Vulnerabilities Reported in the Last 24 Hours
Zero-day flaws in a WordPress plugin
Two new zero-day vulnerabilities in the WordPress plugin Limit Login Attempts Reloaded can be exploited to take over a WordPress site. The flaws are identified as Improper Restriction of Excessive Authentication Attempts (CVE-2020-35590) and Improper Neutralization of Input During Web Page Generation (CVE-2020-35589).
New XS-Leak exploit
A new way to perform an XS-Leak side-channel attack has been disclosed. The new side-channel attack leverages browser and extension vulnerabilities to trigger cross-site leaks.
Cisco fixes flaws in VPN routers
Cisco has addressed multiple pre-auth RCE vulnerabilities found in several small business VPN routers. This could allow attackers to execute arbitrary code on targeted devices.
Update on Baron Samedit flaw
Apple’s macOS Big Sur and multiple Cisco products are affected by the recently disclosed Baron Samedit flaw. Tracked as CVE-2021-3156, the issue is a heap-based buffer overflow that can be exploited by unprivileged users to gain root privileges on the host. The vulnerability has been patched in the latest version of the Sudo utility.
Vulnerable Realtek Wi-Fi module
Several vulnerabilities found in the Realtek RTL8195A Wi-Fi module can expose many devices to remote attacks. The most severe of these is a stack overflow vulnerability that is tracked as CVE-2020-9395 and can result in the complete takeover of the module and the device’s wireless communications.
Top Scams Reported in the Last 24 Hours
Free cryptocurrency scam
Scammers are now targeting Discord servers, sending private messages to users in a new cryptocurrency giveaway scam. The messages appear to come from new, upcoming cryptocurrency exchanges and promise free Bitcoin or Ethereum. Each message contains instructions and a code for accepting the gift, as well as a link to register on the fake exchange. Victims who go through the registration process are then lured into providing personal details, including contact information, photo IDs, and a signature.