
Cyware Daily Threat Intelligence


Daily Threat Briefing Feb 25, 2022

ProxyShell and ProxyLogon continue to put pressure on organizations that have not patched their Exchange servers. In a new finding, the operators of Cuba ransomware are actively scanning for vulnerable Microsoft Exchange servers, using them to gain initial access to corporate networks before encrypting devices.

In other major threats, several organizations are in MuddyWater’s crosshairs as the U.S. and the U.K. expose new tactics and techniques of the Iranian attackers, including the use of several new malware variants. Additionally, a stealthy backdoor dubbed SockDetour, which targeted the defense industry, has been linked to the China-based threat actor group tracked as Tiltedtemple.

Top Breaches Reported in the Last 24 Hours

DNA Solutions’ data exposed

The personal data of some users has been exposed following a breach at Oklahoma-based DNA Solutions. The breach was identified in November 2021 and was caused by a flaw in third-party software.

Payments solution company targeted

A payments solution company in North America was targeted in a sophisticated phishing attack that made use of DocuSign and a compromised third-party email domain. The emails were sent to around 550 members of the targeted company.

Top Malware Reported in the Last 24 Hours

New SockDetour malware

A new custom malware dubbed SockDetour targeted systems belonging to U.S. defense contractors. The stealthy backdoor was used to maintain access to compromised networks. According to researchers, the malware has been used in the wild since July 2019. It has been associated with a China-based threat actor group tracked as Tiltedtemple.

Multiple malware linked to MuddyWater

In a joint advisory, the CISA, FBI, and the U.K.’s NCSC warned that the Iran-based MuddyWater threat actor group is using new malware variants in its spear-phishing campaigns and other operations. The malware families used by the attackers include PowGoop, Small Sieve, Canopy, Mori, and POWERSTATS. In some cases, the APT group used a new version of the PowGoop loader disguised as a legitimate Google Update executable.

Cuba ransomware’s latest activity

The operators of Cuba ransomware are actively exploiting Microsoft Exchange servers that remain vulnerable to ProxyShell and ProxyLogon in order to gain initial access to corporate networks. Once inside, the threat actors also use Mimikatz for credential theft and Cobalt Strike Beacon for post-exploitation as part of the attack campaign.
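Because the initial access in this campaign (and the scanning described in the opening paragraph) rides on request shapes that are already public, the practical check is to look for those shapes in the Exchange front-end IIS logs. The following is an added example, not code from Cyware or from any vendor report. It parses IIS W3C logs using the `#Fields:` header, then applies four heuristic rules derived from public reporting: the ProxyShell autodiscover SSRF (query beginning with `@`), the `/mapi/nspi` and `/powershell` + `X-Rps-CAT` follow-on requests, and the ProxyLogon-style anonymous POST to a static file under `/ecp/` or `/owa/auth/`. The log excerpt, hostnames and IP addresses are constructed for the demo and are not real telemetry; the rule names and thresholds are assumptions to tune for your environment.

```python
"""Hunt for ProxyShell / ProxyLogon request patterns in Exchange IIS W3C logs.

Added example (not Cyware's or any vendor's code). Indicators are heuristics
taken from public reporting; the sample log below is constructed, not real.
"""
import re
from collections import defaultdict

# Constructed IIS W3C excerpt. Lines 2-4 mimic the published ProxyShell and
# ProxyLogon request shapes; lines 1 and 5 are benign authenticated traffic.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-02-24 10:15:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2022-02-24 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.10 python-requests/2.25 200
2022-02-24 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.10 python-requests/2.25 200
2022-02-24 10:15:12 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.10 Mozilla/5.0 200
2022-02-24 10:15:20 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40corp.example&Protocol=ActiveSync 443 CORP\\alice 10.0.0.21 Outlook/16.0 200
"""

# Each rule: (label, predicate over one parsed row). Labels are our own naming.
RULES = [
    ("ProxyShell autodiscover SSRF (CVE-2021-34473)",
     lambda r: r["cs-uri-stem"].lower().startswith("/autodiscover/autodiscover.json")
     and r["cs-uri-query"].startswith("@")),
    ("ProxyShell NSPI mailbox lookup via SSRF",
     lambda r: "/mapi/nspi" in r["cs-uri-query"].lower()),
    ("ProxyShell PowerShell endpoint with X-Rps-CAT (CVE-2021-34523)",
     lambda r: "/powershell" in r["cs-uri-query"].lower()
     and "x-rps-cat" in r["cs-uri-query"].lower()),
    ("ProxyLogon-style anonymous static-file request (CVE-2021-26855)",
     lambda r: r["cs-username"] == "-"
     and re.search(r"^/(ecp|owa/auth)/\w+\.(js|flt|css)$", r["cs-uri-stem"], re.I) is not None),
]


def parse_iis_w3c(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order is declared by the log itself
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")                # IIS encodes spaces inside values as '+'
        if fields is None or len(parts) != len(fields):
            continue                           # skip malformed lines rather than guess positions
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt(rows):
    """Return one hit per row that matches at least one rule, with all matching labels."""
    hits = []
    for r in rows:
        tags = [label for label, pred in RULES if pred(r)]
        if tags:
            hits.append({"time": f'{r["date"]} {r["time"]}', "src": r["c-ip"],
                         "method": r["cs-method"], "stem": r["cs-uri-stem"], "tags": tags})
    return hits


def by_source(hits):
    """Count hits per client IP so a scanner stands out from one-off noise."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = hunt(parse_iis_w3c(SAMPLE_IIS_LOG))
    for h in found:
        print(f'{h["time"]} {h["src"]} {h["method"]} {h["stem"]} -> {"; ".join(h["tags"])}')
    print("hits per source:", by_source(found))
```

Run it against the real `C:\inetpub\logs\LogFiles\W3SVC1\*.log` files from the Exchange front end; because the parser reads the `#Fields:` header, a different field set (for example with `cs(Cookie)` enabled) still parses. The anonymous `/ecp/` rule is deliberately narrow (anonymous user plus a static-file name) to avoid flagging legitimate admin sessions, and a hit is a starting point for triage, not proof of compromise: confirm with the Exchange HttpProxy logs and the server's patch level.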

Top Vulnerabilities Reported in the Last 24 Hours

GE Digital issues patches

GE Digital released patches and mitigations for two high-severity vulnerabilities affecting its Proficy CIMPLICITY HMI/SCADA software. The flaws are tracked as CVE-2022-23921 and CVE-2022-21798. They can be abused to conduct Man-in-the-Middle (MitM) attacks.

Zenly bugs expose users’ data

A pair of bugs in the Zenly social app allowed strangers to view other users’ phone numbers and locations. The bugs, a user-data exposure vulnerability and an account takeover vulnerability, have been patched in a new version of the app.

Cisco issues patches

Cisco issued updates for four security flaws that could be abused to take control of affected systems. The most critical is CVE-2022-20650, a command injection flaw in the NX-API. An attacker can exploit it by sending a specially crafted HTTP POST request to the NX-API of an affected device.

Top Scams Reported in the Last 24 Hours

Citibank users fall for phishing bait

An ongoing large-scale phishing campaign is targeting Citibank customers with the goal of stealing their personal information. The emails use the Citibank logo to look convincing and tell recipients that suspicious transactions have been detected and that they must verify their accounts. Victims are directed to a phishing site that replicates the real Citibank website and asked to sign in to their accounts.
