Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 31, 2023
A series of malware analysis reports released by CISA details how threat actors exploited a command injection flaw in Barracuda ESG appliances. The infection chain began with phishing emails carrying malicious TAR file attachments. Elsewhere, attacks on Linux servers keep climbing: a new Abyss Locker ransomware variant targets VMware ESXi servers, and researchers see code overlaps between its Linux encryptor and the HelloKitty ransomware.
Finally, Ivanti disclosed another security flaw in Endpoint Manager Mobile (EPMM). As far as researchers know, it affects the same limited set of customers hit by the flaw reported last week.
Sensitive school data exposed
An unsecured database belonging to the Southern Association of Independent Schools exposed 680,000 confidential records on students and teachers, including health data, teacher background checks, SSNs, and financial budgets. It also held contact details for parents or guardians and emergency notifications.
Gamers targeted in malware attack
Call of Duty: Modern Warfare 2 servers were taken offline after a malware attack on the popular multiplayer game disrupted players worldwide. Activision, the game's publisher, acknowledged the issue. The malware is suspected to have originated from an external source, and the scope and impact of the attack have not been fully disclosed. Players are advised to remain cautious.
Israel's oil refinery offline
BAZAN Group, Israel's largest oil refinery, suffered a DDoS attack that disrupted its services and users' access to them. Details about the attack's origin and the extent of the damage remain unclear. The Iranian group known as Cyber Avengers claimed responsibility and leaked screenshots allegedly taken from BAZAN's SCADA systems.
Abyss Locker’s Linux variant
MalwareHunterTeam reported a new variant of the Abyss Locker ransomware built for Linux-based VMware ESXi servers. The operators gain access through SSH brute-force attacks and claim data theft ranging from 35GB to 700GB across victim organizations. The operation is relatively new, believed to have launched in March 2023. Researchers suspect a connection with the HelloKitty ransomware because of shared code elements.
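Because the Abyss Locker intrusions above start with SSH brute-forcing, the signal a defender most wants is not the failures alone but a password login that succeeds from a source that has just been hammering the service. The following is an added example, not code from MalwareHunterTeam or any of the cited researchers: it runs a sliding-window failure counter over a handful of constructed sshd log lines (OpenSSH syslog format; ESXi's own auth.log wording differs, so the regex is an assumption you would adapt) and raises a second, higher-priority alert when a flagged source then authenticates with a password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format; not a real capture.
SAMPLE_LOG = """\
Jul 31 02:14:01 esxi01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 31 02:14:03 esxi01 sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jul 31 02:14:05 esxi01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jul 31 02:14:07 esxi01 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jul 31 02:14:09 esxi01 sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jul 31 02:14:11 esxi01 sshd[1206]: Failed password for root from 203.0.113.7 port 51239 ssh2
Jul 31 02:14:40 esxi01 sshd[1207]: Accepted password for root from 203.0.113.7 port 51299 ssh2
Jul 31 02:20:00 esxi01 sshd[1300]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jul 31 02:25:00 esxi01 sshd[1301]: Accepted publickey for backup from 198.51.100.9 port 40002 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>".
# The format is this example's assumption; adjust for the appliance you monitor.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(line, year=2023):
    """Parse one sshd line into a dict, or None if it is not an auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts as tuples.

    ("bruteforce", ip, ts)                         -> threshold failures inside the window
    ("success_after_bruteforce", ip, user, ts)     -> password login from a flagged source
    """
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = fails[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], ev["ts"]))
        elif ev["ip"] in flagged and ev["method"] == "password":
            # The compromise signal: the burst was followed by a working password.
            alerts.append(("success_after_bruteforce", ev["ip"], ev["user"], ev["ts"]))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, 203.0.113.7 trips the burst alert at the fifth failure and then produces the success alert when its password login for root lands; 198.51.100.9 produces nothing, because a single failure followed by a key-based login is ordinary. A key-only policy on the ESXi SSH service turns the second alert into something that should never fire at all.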
Barracuda backdoor attacks analyzed
CISA shared details about three backdoor malware variants used against Barracuda ESG appliances, including a new persistent backdoor dubbed SUBMARINE. The malware was deployed by threat actors who exploited a critical RCE flaw (CVE-2023-2868) in ESG devices as a zero-day starting last year. Experts attribute the activity to a China-based actor tracked as UNC4841. The attackers used phishing emails with malicious TAR file attachments to gain initial access and implanted backdoors for persistence.
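Barracuda's own advisory for CVE-2023-2868 describes the bug as incomplete input validation of the names of files inside a user-supplied TAR attachment, which is how an archive member name becomes a shell command. The check below is an added example, not Barracuda's or CISA's code: it opens an attachment in memory, lists the member names, and flags any that carry shell metacharacters or path traversal, the shape of name no legitimate attachment needs. The metacharacter set and the sample member names are this example's assumptions; the archive is constructed inline.

```python
import io
import re
import tarfile

# Characters that should never appear in an attachment's member names if the
# name might ever reach a shell. The set is this example's assumption, not a vendor rule.
SHELL_META = re.compile(r"[`$;|&<>\"'\\\n()]")


def build_tar(names):
    """Constructed sample: an in-memory TAR whose member names we control."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def suspicious_members(tar_bytes):
    """Return (member_name, reasons) for members that should block the attachment.

    Only the archive index is read; member contents are never extracted.
    """
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
            for member in tar:
                name = member.name
                reasons = []
                if SHELL_META.search(name):
                    reasons.append("shell metacharacters")
                if name.startswith("/") or ".." in name.split("/"):
                    reasons.append("path traversal")
                if reasons:
                    findings.append((name, reasons))
    except tarfile.TarError as exc:
        # A malformed archive is itself worth blocking rather than passing through.
        findings.append(("<archive>", [f"unreadable archive: {exc}"]))
    return findings


def scan_sample():
    """Scan a constructed archive with one clean and two hostile member names."""
    sample = build_tar(["invoice.pdf", "report`id`.pdf", "../../tmp/x.sh"])
    return suspicious_members(sample)


if __name__ == "__main__":
    for name, reasons in scan_sample():
        print(f"{name!r}: {', '.join(reasons)}")
```

Two caveats. First, apostrophes, parentheses and ampersands do occur in real document names, so a metacharacter hit is a quarantine-and-review signal, not proof of attack on its own. Second, this check only reduces exposure for mail that has not yet reached a vulnerable appliance; it does nothing for an ESG that was already exploited, which is why Barracuda told affected customers to replace compromised appliances rather than patch them.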
IcedID malware evolves
Team Cymru provided an update on the IcedID malware's BackConnect (BC) protocol, focusing on its infrastructure. The researchers found that the number of BC command-and-control (C2) servers has grown, with 34 medium- and high-confidence IcedID BC C2 servers identified since January, while the average life cycle of a BC C2 has dropped from 28 days to 8. The management infrastructure has also evolved, with various private VPN nodes, jump boxes, and Russian telecommunications IPs observed accessing the BC C2 servers.
New botnet threat AVRecon grows
AVRecon, a relatively new malware family, has emerged as a threat to Small Office/Home Office (SOHO) routers in a campaign running since May 2021. The botnet can execute commands and steal victims' bandwidth for an illegal proxy service. It has surpassed QakBot in scale, infecting over 41,000 nodes in 20 countries, and has been used to build residential proxy services that hide malicious activity, including password spraying, web-traffic proxying, and ad fraud.
New bug in Ivanti EPMM
Software firm Ivanti disclosed another vulnerability in its Endpoint Manager Mobile (EPMM) that is being exploited in the wild. Tracked as CVE-2023-35081, it allows an authenticated administrator to write arbitrary files to the EPMM server. Chained with CVE-2023-35078, the authentication bypass disclosed last week, it lets an attacker bypass administrator authentication and ACL restrictions, where applicable. Affected versions are 11.10, 11.9, and 11.8, as well as older releases.
Annual zero-day report
Google's annual 0-day vulnerability report has highlighted a long-standing problem in the Android platform that makes n-days function as 0-days. The complexity of the Android ecosystem and discrepancies in security update intervals between device models contribute to this issue. As a result, attackers can exploit n-days on unpatched devices for months, even if a patch is available from Google or another vendor.