
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 24, 2023

Sliver goes mainstream. Abuse of the cross-platform post-exploitation framework has soared thanks to the features it offers attackers. Groups that have used the tool recently include APT29 (aka Cozy Bear), TA551, and Exotic Lily. Adding to the community's woes, the Chinese 8220 Gang is targeting public cloud environments with the custom PwnRig cryptominer and the Tsunami IRC bot.

Security researchers also disclosed two critical pre-authentication bugs in OpenText's Extended ECM (Enterprise Content Management) product. Both affect its Content Server component, and an attacker could abuse them for remote code execution on vulnerable servers.

Top Breaches Reported in the Last 24 Hours

U.K. car dealership firm attacked

The PLAY ransomware group listed Arnold Clark, one of the U.K.'s largest car dealerships, as a victim on its leak site. The firm's January 3 tweet did not confirm the nature of the attack but said it had protected customer data after observing suspicious activity. The leaked documents include National Insurance numbers (the U.K. equivalent of U.S. SSNs), bank statements, passport data, and car finance paperwork.

Unsecured data on educational app

A security misconfiguration in Diksha, a public education app operated by India's Education Ministry, exposed the PII of 1.6 million students. An unattended database was left accessible on an Azure server for over a year. Launched in 2017, Diksha became a primary tool for students during the pandemic.

Top Malware Reported in the Last 24 Hours

Sliver grabs attention as a post-exploitation tool

Sliver, created as an open-source alternative to Cobalt Strike, is being used by several threat actors as a second-stage payload. It carries out the later steps of the attack chain once the attackers have gained initial access through vectors such as spear-phishing or unpatched flaws. Features such as dynamic code generation, in-memory payload execution, and process injection make it an attractive tool for criminals.

8220 Gang deploys PwnRig and IRC bot for cryptomining

The Chinese 8220 Gang has been observed targeting public cloud infrastructure and poorly secured applications with the PwnRig miner and the Tsunami IRC bot for cryptomining. The activity came to light after the group attempted to infect one of Radware's Redis honeypots earlier this month. Experts warned that the infection significantly degrades system performance while exposing hosts to further compromise.
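The "poorly secured applications" this group scans for are typically services that answer on a public interface with no authentication, and an unauthenticated Redis instance is the textbook case. The following is an added example for this briefing, not code from Radware or from the 8220 report: a small audit of a redis.conf that flags the settings a honeypot imitates (exposed bind address, no requirepass, protected-mode off, CONFIG command still reachable) and passes the hardened version. The check list, the passphrase-length threshold, and both sample configs are this example's own assumptions.

```python
"""Audit a redis.conf for the exposures that let opportunistic cloud miners
walk in. Added example for this briefing, not code from Radware or the 8220
report; the checks and sample configs are this example's own assumptions."""
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_PASSPHRASE_LEN = 16  # assumed baseline for this example, not a Redis rule


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its list of values; directives
    such as rename-command may legitimately appear more than once."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def _listens_beyond_loopback(conf: Dict[str, List[str]]) -> bool:
    """No bind directive means every interface. A leading '-' on an address
    (Redis 7 syntax for 'skip if unavailable') is stripped before checking."""
    binds = conf.get("bind")
    if not binds:
        return True
    return any(addr.lstrip("-") not in LOOPBACK
               for value in binds for addr in value.split())


def _config_command_renamed(conf: Dict[str, List[str]]) -> bool:
    """True if 'rename-command CONFIG ...' disables or obscures CONFIG."""
    return any(value.split()[:1] == ["CONFIG"] or value.split()[:1] == ["config"]
               for value in conf.get("rename-command", []))


def audit_redis_conf(text: str) -> List[Tuple[str, str]]:
    """Return (finding-id, explanation) pairs; an empty list is a pass."""
    conf = parse_redis_conf(text)
    findings: List[Tuple[str, str]] = []
    password = (conf.get("requirepass") or [""])[-1].strip('"')
    exposed = _listens_beyond_loopback(conf)

    if not password:
        findings.append(("no-requirepass",
                         "no password: any client that reaches the port gets full access"))
    elif len(password) < MIN_PASSPHRASE_LEN:
        findings.append(("weak-requirepass",
                         "requirepass is short enough to brute-force over the network"))
    if exposed and not password:
        findings.append(("exposed-unauthenticated",
                         "listens on a non-loopback address with no authentication"))
    if (conf.get("protected-mode") or ["yes"])[-1].lower() == "no":
        findings.append(("protected-mode-off",
                         "protected-mode no removes Redis's own guard against exposed unauthenticated instances"))
    if not _config_command_renamed(conf):
        findings.append(("config-command-exposed",
                         "CONFIG is reachable; CONFIG SET dir/dbfilename lets a client write files to arbitrary paths"))
    return findings


# Constructed sample: the kind of instance a Redis honeypot imitates.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass Str0ng-and-l0ng-passphrase-here
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, [fid for fid, _ in audit_redis_conf(conf)])
```

The audit is deliberately conservative: a password on an exposed instance downgrades the finding rather than clearing it, because a short requirepass on a port that the whole internet can reach is still a brute-force target.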

Vice Society enters manufacturing

According to Trend Micro telemetry, the Vice Society ransomware group, infamous for attacks on the education and healthcare sectors, has moved into manufacturing. It most likely buys access in the form of compromised credentials on underground hacker forums. Samples were detected in Brazil, Argentina, Switzerland, and Israel.

SparkRAT tool abused by Chinese hackers

A series of attacks infecting organizations in East Asia with SparkRAT, originally an open-source tool, has been uncovered. The TTPs point to a Chinese-speaking threat actor tracked as DragonSpark. Microsoft Security Threat Intelligence first reported threat actors using SparkRAT in late December 2022.

Top Vulnerabilities Reported in the Last 24 Hours

Pre-authentication bugs in OpenText

Researchers at SEC Consult reported two critical pre-authentication flaws in OpenText Extended ECM. The first, CVE-2022-45923, is in the cs.exe component of the Extended ECM server. The second, CVE-2022-45927, resides in the server's Java frontend and could allow an attacker to bypass authentication and achieve remote code execution.

AWS addressed bypass bug

AWS has fixed a vulnerability that attackers could exploit to circumvent CloudTrail API monitoring, allowing them to perform reconnaissance in the IAM service without leaving a trail. The Datadog Security Research Team, which discovered the bug, said skilled attackers could use the same technique to evade Amazon GuardDuty.
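The reason this bug mattered is that IAM reconnaissance is normally something a defender can catch in CloudTrail: one principal walking through ListUsers, ListRoles, ListPolicies and GetAccountAuthorizationDetails in a few minutes is a strong signal. Below is an added example for this briefing (not Datadog's research code and not an AWS feature) that runs that detection over CloudTrail-style records: it groups watch-listed IAM read calls by principal and alerts when a sliding window contains enough distinct APIs. The watch-list, the thresholds, the account ID and the log records are all constructed for the example. A bypass of the kind AWS fixed defeats this logic by keeping the calls out of the log in the first place, which is why detection of this sort depends on the logging path being complete.

```python
"""Flag principals that burst through IAM enumeration calls in CloudTrail.
Added example for this briefing (not Datadog's or AWS's code); the API
watch-list, thresholds and sample records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Read-only IAM calls that, taken together, map out an account's identities
# and permissions. Assumed watch-list for this example, not an AWS list.
IAM_RECON_APIS = {
    "ListUsers", "ListRoles", "ListGroups", "ListPolicies",
    "ListAccessKeys", "ListAttachedUserPolicies", "ListAttachedRolePolicies",
    "GetAccountAuthorizationDetails", "GetUser", "GetRole",
}


def principal_of(event: dict) -> str:
    """Identify the caller by ARN, falling back to the access key id."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def find_iam_recon(records: List[dict], window_minutes: int = 10,
                   min_distinct_apis: int = 4) -> Dict[str, List[str]]:
    """Return {principal: sorted distinct recon APIs} for each principal that
    called at least min_distinct_apis different watch-listed IAM APIs within
    one sliding window. Only events CloudTrail actually recorded are visible
    here; calls that never reach the log cannot be scored."""
    by_principal: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in IAM_RECON_APIS:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[principal_of(ev)].append((ts, ev["eventName"]))

    window = timedelta(minutes=window_minutes)
    alerts: Dict[str, List[str]] = {}
    for principal, calls in by_principal.items():
        calls.sort()                      # chronological, so slicing from i works
        for i, (start, _) in enumerate(calls):
            in_window = {name for ts, name in calls[i:] if ts - start <= window}
            if len(in_window) >= min_distinct_apis:
                alerts[principal] = sorted(in_window)
                break
    return alerts


def _ev(time: str, name: str, arn: str,
        source: str = "iam.amazonaws.com") -> dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn}}


# Constructed records: a CI key walking the IAM namespace in four minutes,
# an admin doing a single lookup, and an unrelated S3 call. The account id
# and user names are placeholders.
CI = "arn:aws:iam::123456789012:user/ci-deploy"
ADMIN = "arn:aws:iam::123456789012:user/alice"
SAMPLE_LOG = json.dumps({"Records": [
    _ev("2023-01-23T10:00:05Z", "ListUsers", CI),
    _ev("2023-01-23T10:00:41Z", "ListRoles", CI),
    _ev("2023-01-23T10:01:12Z", "ListPolicies", CI),
    _ev("2023-01-23T10:02:30Z", "ListAccessKeys", CI),
    _ev("2023-01-23T10:03:58Z", "GetAccountAuthorizationDetails", CI),
    _ev("2023-01-23T10:01:00Z", "GetUser", ADMIN),
    _ev("2023-01-23T10:02:00Z", "GetObject", CI, source="s3.amazonaws.com"),
]})
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


def sample_alerts() -> Dict[str, List[str]]:
    return find_iam_recon(SAMPLE_RECORDS)


if __name__ == "__main__":
    for principal, apis in sample_alerts().items():
        print(principal, apis)
```

Tune the window and the distinct-API threshold to the account: a CI role that legitimately enumerates roles every deploy should be allow-listed rather than having the threshold raised for everyone.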

Top Scams Reported in the Last 24 Hours

QR code scam against Chinese speakers

FortiGuard Labs uncovered a phishing campaign targeting Chinese-language users with malicious QR codes. The email spoofs the Chinese Ministry of Finance and carries a Microsoft Word attachment containing a QR code. Users who scan it are sent to attacker-controlled websites that harvest their credentials.
