Cyware Daily Threat Intelligence

Daily Threat Briefing • Jan 17, 2023
The threat of spray-and-pray attacks continues to loom over vulnerable Zoho ManageEngine products owing to CVE-2022-47966. Researchers have announced an imminent PoC exploit. The arbitrary code execution flaw can give an attacker complete control over the compromised system. A set of three rogue PyPI packages has once again attempted to disrupt software developers' work. The packages in question are named colorslib, libhttps, and httpslib.
Fraud through Google Ads has been making headlines for the past few weeks. Attackers carried out an attack on the crypto wallet of an NFT influencer, swindling over $50,000 worth of NFTs and cryptocurrency.
Norwegian software maker suffered breach
The servers of DNV, the Norway-based ShipManager software provider whose product helps manage about 1,000 shipping vessels globally, were knocked offline by a cyberattack. The attack comes amid heightened concerns over the weak security infrastructure of the global supply chain following the Russia-Ukraine conflict. However, the victim firm claimed there was no harm to any other software or data.
Google Ads malware steals big
An NFT influencer was scammed for over $52,000 worth of NFTs in a phishing attack via malicious Google Ads. He reportedly lost at least 19 Ether ($27,000), a Mutant Ape Yacht Club (MAYC) NFT with the current floor price of 16 ETH ($25,000), and multiple other NFTs. The hacker moved most of the ETH through numerous wallets before sending it for swapping for unknown cryptocurrencies through FixedFloat.
A trio of fake PyPI packages
A threat actor identifying itself as Lolip0p was spotted dropping three rogue packages to the PyPI repository with an aim to carry out supply chain attacks. The packages, named colorslib (versions 4.6.11 and 4.6.12), libhttps (version 4.6.12), and httpslib (versions 4.6.9 and 4.6.11) are designed to drop malware. The executable downloaded during the infection process is capable of dropping additional binaries.
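One practical defender response to the PyPI item above is to check dependency manifests for the package and version pairs the briefing names. The following checker is an added example written for this editorial pass; it is not Cyware's code or a PyPI tool. It assumes a plain requirements.txt style input, compares names after PEP 503 normalization (so `ColorsLib` and `colorslib` match), and distinguishes an exact pin on a listed version from an unpinned or differently pinned mention of the same name. The requirements lines are constructed for illustration.

```python
"""Flag dependency lines that name the malicious PyPI packages from the
briefing: colorslib 4.6.11/4.6.12, libhttps 4.6.12, httpslib 4.6.9/4.6.11.

Added example, not code from the original page. Package names are compared
after PEP 503 normalization; the sample requirements are constructed."""
import re

# Indicator table taken from the briefing: package name -> malicious versions.
MALICIOUS_PYPI = {
    "colorslib": {"4.6.11", "4.6.12"},
    "libhttps": {"4.6.12"},
    "httpslib": {"4.6.9", "4.6.11"},
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Normalized indicator table, built once.
_IOCS = {normalize(n): v for n, v in MALICIOUS_PYPI.items()}

# name, optional [extras], version specifier, optional trailing comment
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$"
)


def parse_requirement(line: str):
    """Return (normalized_name, exact_pin_or_None) for one requirements line.

    Returns None for blank lines, comments and pip option lines (-r, --index-url).
    Only an '==' pin yields a version; ranges such as '>=4.6' yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ_RE.match(stripped)
    if not m:
        return None
    name, spec = m.group(1), m.group(2)
    pin = re.match(r"==\s*([0-9][0-9A-Za-z.]*)", spec)
    return normalize(name), (pin.group(1) if pin else None)


def scan_requirements(text: str):
    """Return findings as (line_no, normalized_name, version_or_None, verdict)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, version = parsed
        if name not in _IOCS:
            continue
        if version is None:
            verdict = "name matches malicious package, no exact pin"
        elif version in _IOCS[name]:
            verdict = "known malicious version"
        else:
            verdict = "name matches malicious package, version not in IOC list"
        findings.append((no, name, version, verdict))
    return findings


# Constructed sample manifest with three suspicious entries among benign ones.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
ColorsLib==4.6.12   # constructed: mixed-case variant of a listed package
httpslib>=4.6
numpy==1.24.1
libhttps==4.6.11
"""

if __name__ == "__main__":
    for no, name, ver, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {name} {ver or '(no exact pin)'}: {verdict}")
```

The three verdict levels matter in practice: an exact pin on a listed version is a confirmed hit, while a name match without a pin still deserves a look because a resolver may pull the malicious version at install time.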
Geopolitical themes to spread NjRAT
Trend Micro uncovered an ongoing campaign, dubbed Earth Bogle, targeting potential victims in the Middle East and Africa using geopolitical themes. The campaign drops NjRAT malware, which is served through public cloud storage services such as files.fm and failiem.lv. The enclosed malicious file claims to contain a “sensitive” audio file.
Announcement for PoC release
Security analysts are expected to release soon the PoC exploit code for a critical flaw that enables unauthenticated remote code execution in many Zoho and VMware products. The flaw, CVE-2022-47966, stems from the use of an outdated and vulnerable third-party dependency, Apache Santuario. The easy-to-abuse flaw is a suitable candidate for cybercriminals conducting spray-and-pray attacks.
GitHub Codespaces is vulnerable
New research revealed that a feature in GitHub Codespaces could be exploited by threat actors to deliver malware of their choice to a compromised device. Experts at Trend Micro demonstrated a scenario where they could serve malicious content at a rapid rate by exposing ports to the public.
Smartphone users smashed with smishing
Danish smartphone users were bombarded with cryptic messages from a sender going by the moniker "Dansk-game". The messages falsely tell users that they have been enrolled in a monthly pay-to-win plan. The URL appended to the SMS messages lured them to an infamous website where players can find cracks for popular games.
Hackers leverage mobilization move by Russia
Hackers have turned the fear of mobilization among Russian citizens into an opportunity to harvest personal data. The hackers involved are sending out texts via Telegram that direct recipients to an infected site purportedly containing a list of people who could be sent to fight in Ukraine in the coming months.