Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 8, 2022
A vigorous attack campaign has been detected against Ukrainian entities. IBM Security X-Force has shared details on six phishing operations by the TrickBot group that dropped four kinds of malware on Ukrainian state authorities, individuals, and organizations. In other news, Cisco has released patches for two vulnerabilities in its Cisco Expressway Series and Cisco TelePresence Video Communication Server products that could be exploited to take full control of affected devices.
Researchers also uncovered a malicious browser extension family with about 350 variants that plagues users with unsolicited ads. Dubbed ABCsoup, it reuses the extension ID of Google Translate and affects Google Chrome, Opera, and Firefox.
Data leak on multiple Iranian steel facilities
A threat group calling itself Predatory Sparrow has claimed to have stolen nearly 20GB of corporate data from Iranian steel facilities; the leaked data reportedly reveals the facilities' ties to Iran’s Islamic Revolutionary Guard Corps. The group describes itself as independent, but there is speculation that it is operating on behalf of the Israeli government.
Malicious browser extension
Zimperium researchers found a malicious browser extension family, named ABCsoup, targeting Russian users of Google Chrome, Opera, and Mozilla Firefox through adware campaigns. Around 350 variants have been identified. They masquerade as a Google Translate add-on and are installed on a victim's system by a Windows-based executable.
QNAP warns against Checkmate
NAS appliance maker QNAP Systems is alerting its customers to the new Checkmate ransomware. Internet-exposed QNAP devices with SMB services enabled and weak passwords are at risk of brute-force attacks by the group, so SMB should be kept off the Internet (or disabled if unused) and strong, unique credentials enforced. The attackers demand $15,000 worth of BTC in exchange for a decryptor and a decryption key.
Free decryption tool for ransomware
Emsisoft has released a free decryption tool for victims of the AstraLocker and Yashma ransomware families to help them recover their encrypted files. The tool can be downloaded from Emsisoft's servers. Researchers further advised AstraLocker and Yashma victims who were compromised via Windows Remote Desktop to change the passwords of all user accounts.
TrickBot gets aggressive against Ukraine
TrickBot operators have launched at least six phishing campaigns against Ukrainian entities to deliver IcedID, Cobalt Strike, Meterpreter, and AnchorMail. The attacks reportedly began in mid-April. The group appears to have planned in advance, as some payloads show a higher degree of target selection.
TA578 lures via Yandex Forms
Security experts observed a cybercriminal group tracked as TA578 using Yandex Forms to send individuals a fake copyright infringement claim that purports to come from Zoho. The lure leads to the download of IcedID, a modular banking trojan that can steal Windows user credentials and deploy additional payloads such as Cobalt Strike beacons.
Cisco patches two critical bugs
Cisco has addressed two flaws in the Cisco Expressway Series and Cisco TelePresence Video Communication Server that could allow a remote attacker to take complete control of a targeted device. Tracked as CVE-2022-20812 and CVE-2022-20813, the bugs can be abused to overwrite arbitrary files or to conduct null byte poisoning attacks on an affected device.
Multiple flaws addressed in Node.js
Seven flaws were patched in the Node.js JavaScript runtime. Exploiting them, an attacker could run arbitrary code or carry out an HTTP request smuggling attack, among other things. They are tracked as CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32212, CVE-2021-22884, CVE-2022-32222, and CVE-2022-2097; the first three are request smuggling weaknesses in the bundled llhttp HTTP parser.
Phishing scams on government sites
CloudSEK uncovered a sophisticated phishing technique targeting government websites worldwide, including an Indian government portal. The attackers use a fraudulent URL to harvest sensitive information, such as card numbers, expiration dates, and CVV codes, from prospective victims.