Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 16, 2023
Skipping patching VMware ESXi bugs? Be wary. Hundreds of systems in Europe were found infected with the ESXiArgs ransomware. A fact that stood out in the research was that infections began as early as October 12, 2022, well before warnings about the attacks started to spread. Along similar lines, a new Mirai botnet variant, known as V3G4, has emerged to exploit more than a dozen vulnerabilities across a range of products. Exposed Linux servers and network devices are its specific targets.
Meanwhile, Cisco, Intel, and Splunk have patched a number of vulnerabilities in their respective systems and products. In other news, researchers warned users about the ProxyShellMiner campaign abusing ProxyShell flaws.
Airline targeted by criminals
Scandinavian Airlines (SAS) suffered a cyberattack that paralyzed the carrier's website and exposed customer data via its app. Customers who tried to log into the app were instead placed in other customers' accounts and could view those individuals' personal information. The website was reportedly down for a period of time on Tuesday.
Ticketing and events firm leaks celebrity data
Qatar-based Q-Tickets was found exposing sensitive data of over 500 well-known cricketers from several nations, including India, Pakistan, New Zealand, the West Indies, and Afghanistan. Players' phone numbers, email addresses, and passport details were exposed in the incident. However, Q-Tickets claimed that it never hosted any passport data on the site.
Wrath of ESXiArgs continues
Attack surface management firm Censys disclosed that the ESXiArgs ransomware strain has affected over 500 systems, the majority of them located in France, the Netherlands, Germany, the U.K., and Ukraine. Researchers found that the same group had dropped near-identical ransom notes on two hosts as early as October 12, 2022; on January 31, the notes were updated and reused in the February campaign.
Mirai variant abuses more than a dozen bugs
Researchers at Unit42 detailed a Mirai botnet variant dubbed V3G4 that compromises hosts by exploiting several vulnerabilities in products from DrayTek, Geutebruck, FreePBX, Atlassian, and others. The botnet infects exposed servers and networking devices running Linux. Successful exploitation of the bugs lets attackers take full control of the hosts and enlist them in the botnet.
Exchange threat amplifies with ProxyShellMiner
A highly evasive malware campaign is delivering ProxyShellMiner to Windows systems, revealed security analysts at Morphisec. As the name suggests, the payload abuses the ProxyShell bugs, CVE-2021-34473 and CVE-2021-34523, in Exchange servers. After compromising an Exchange server, the attackers drop the miner into the domain controller's NETLOGON share, which is replicated to every domain controller and readable by every domain-joined machine, to make sure the crypto miner runs throughout the domain.
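Because NETLOGON is trusted domain-wide, anything unexpected sitting in it deserves a look. The following PowerShell snippet is an added hunting check, not code from Morphisec's report or the campaign itself: it enumerates the share, flags executable and script files or anything modified within a chosen window, and records SHA-256 hashes for comparison against a known-good baseline. The domain name and the 30-day window are assumptions; adjust them to your environment.

```powershell
# Added example: list suspicious or recently changed files in the domain NETLOGON share.
# Assumes the current user's domain; run from a domain-joined host with read access to the share.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: hunt in the current domain
    [int]$Days = 30                         # assumption: "recent" means the last 30 days
)

$share  = "\\$Domain\NETLOGON"
$cutoff = (Get-Date).AddDays(-$Days)

# Extensions that can execute on a domain-joined machine when launched from the share.
$execExt = @('.exe', '.dll', '.ps1', '.vbs', '.bat', '.cmd', '.js', '.hta', '.msi')

Get-ChildItem -Path $share -Recurse -File -ErrorAction Stop |
    Where-Object { $_.LastWriteTime -ge $cutoff -or $execExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            # Hash lets you diff against a baseline or query threat-intel sources.
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Legitimate logon scripts live in NETLOGON too, so every hit is not malicious; the point is to compare the output against a baseline taken from a known-clean state and investigate new binaries or hashes that do not match it.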
Critical bugs in ClamAV
ClamAV patched two flaws in its library, the critical one affecting Cisco's endpoint, cloud, and web security products. Tracked as CVE-2023-20032, the bug could enable an attacker to achieve RCE or trigger a DoS condition on the affected Cisco products. Products listed under the Vulnerable Products section of Cisco's advisory need to be updated.
Intel Security Center releases 31 advisories
Intel customers were urged to update their products in the wake of the 31 advisories it released. Experts uncovered five SGX-related security bugs, two of which are privilege escalation flaws that, if exploited, could lead to information disclosure. The two bugs are tracked as CVE-2022-38090 and CVE-2022-33196.
Splunk addresses severe flaws
Splunk released several updates for Splunk Enterprise, fixing security issues including ones in third-party packages bundled with the product. CVE-2023-22939 and CVE-2023-22935 are the most severe vulnerabilities, enabling an attacker to bypass Search Processing Language (SPL) safeguards. Both affect instances with Splunk Web enabled and require a high-privileged user to make a request in their browser.