Cyware Daily Threat Intelligence


Daily Threat Briefing January 25, 2022

Advanced threats are constantly evolving, with malware being the biggest of them all. The ever-surprising TrickBot gang has fine-tuned its techniques by adding multiple layers of defense to slip past security controls. This enables it to launch Man-in-the-Browser attacks against banking users to steal their credentials and browser cookies. Moreover, the Android malware BRATA has been updated with wiper-like capabilities and is being used against online banking users in the U.K., Poland, Italy, Spain, China, and Latin America.

In other emerging threats, cybercriminals have set their sights on PowerPoint files in a bid to expand their attacks. These files are combined with legitimate cloud services that host the malicious payloads, such as Agent Tesla and AveMaria.

Top Breaches Reported in the Last 24 Hours

Canada’s foreign ministry under attack

The Canadian government confirmed that its foreign affairs ministry, Global Affairs Canada, was affected by a cyberattack. The incident was detected on January 19, after which mitigation actions were taken. The attack did not affect any other departments of the Canadian government network.

Web skimming attack

The online store of Segway was found to be affected by a web skimming attack. The skimmer domain, booctstrap[.]com, has been active since November and has affected users in the U.S., Australia, Canada, the U.K., and Germany.

Top Malware Reported in the Last 24 Hours

TrickBot enhances its evasion tactic

The threat actors behind the TrickBot Trojan have added multiple layers of defenses to evade detection. The new updates relate to the real-time web injections used to steal banking credentials and browser cookies. This involves redirecting victims to fake, legitimate-looking domains in order to execute Man-in-the-Browser (MitB) attacks.

PowerPoint docs spread malware

Since December 2021, threat actors have been using malicious PowerPoint documents to distribute various types of malware, including RATs. These PowerPoint files are combined with legitimate cloud services that host the malicious payloads. The malware families used in the campaign are AveMaria and Agent Tesla.

BRATA upgrades its features

The Android malware BRATA has been upgraded to perform a factory reset on compromised devices to wipe all traces of malicious activity. The latest version of the malware has been found targeting online banking users in the U.K., Poland, Italy, Spain, China, and Latin America. Other new capabilities added to the variant include keylogging and GPS tracking.

Top Vulnerabilities Reported in the Last 24 Hours

CWP flaws fixed

Researchers discovered that Control Web Panel (CWP), a web hosting panel, is affected by two serious vulnerabilities that can allow attackers to remotely compromise servers. One of the flaws is tracked as CVE-2021-45467 and the other as CVE-2021-45466. Chaining the two security holes can lead to unauthenticated remote command execution with root privileges. While the researchers are not sure whether the vulnerabilities have been exploited, the CWP developers, for their part, have fixed the flaws in recent updates.

Dark Souls servers affected

A critical RCE flaw in the Dark Souls video game could allow attackers to execute almost any program or steal confidential information from the victim’s computer. The flaw could also enable threat actors to launch cryptocurrency mining attacks. The problem exists in the series prior to Dark Souls III. The developers have temporarily deactivated PvP servers across multiple affected versions.

Vulnerable SonicWall gateways

A critical-severity vulnerability affecting SonicWall’s Secure Mobile Access (SMA) gateways is now being actively exploited in the wild. The flaw, tracked as CVE-2021-20038, affects SMA 100 series appliances. Successful exploitation can let threat actors execute malicious code on affected SonicWall appliances.
