Cyware Daily Threat Intelligence
Daily Threat Briefing • Jun 13, 2022
AvosLocker and Cerber2021 became the latest ransomware duo to target unpatched Confluence servers, and attackers are already running mass scans to find vulnerable machines. Meanwhile, a sensitive data leak at a continuous integration service widely used by open-source projects left many developers and their applications exposed to attackers.
Separately, significant risks were observed affecting Industrial Control Systems (ICS) after Austrian researchers reported a number of vulnerabilities in thermal cameras produced by a Chinese firm.
Travis CI leaks a plethora of data
Travis CI, a continuous integration service used to build and test software projects, exposed thousands of authentication tokens and other sensitive records belonging to developers. In the wrong hands, tokens for services such as GitHub, Docker Hub, and AWS let an attacker read or modify source code and build artifacts, which in turn puts the applications built from that code and any downstream libraries at risk.
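A practitioner's first question after a leak like this is which of their own build logs contain token-shaped strings. The following Python is an added example, not Travis CI's code or anything from the reports above: it scans log text for the publicly documented formats of GitHub classic personal access tokens (`ghp_` followed by 36 alphanumerics) and AWS access key IDs (`AKIA` followed by 16 characters), and masks them so the log can be stored or displayed safely. The sample log and the tokens in it are constructed for the example and match only the format.

```python
import re
from typing import Dict, List, Tuple

# Token formats this example knows about: the publicly documented shapes of
# GitHub classic personal access tokens and AWS access key IDs.
TOKEN_PATTERNS: Dict[str, "re.Pattern"] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed sample build log. The tokens are made up and only match the format;
# the AWS key is the placeholder value used in AWS documentation.
SAMPLE_BUILD_LOG = """\
$ git clone https://ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789@github.com/example/app.git
Cloning into 'app'...
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ aws s3 cp build.tgz s3://example-artifacts/
upload: ./build.tgz to s3://example-artifacts/build.tgz
$ docker push registry.example.com/app:1.2.3
"""


def find_secrets(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, token_kind, token) for every token-shaped string in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, kind, m.group(0)))
    return hits


def mask(token: str) -> str:
    """Keep the identifying prefix and the last 4 characters; replace the rest with '*'."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def redact(log_text: str) -> str:
    """Return the log with every detected token masked."""
    redacted = log_text
    for pattern in TOKEN_PATTERNS.values():
        redacted = pattern.sub(lambda m: mask(m.group(0)), redacted)
    return redacted


if __name__ == "__main__":
    for lineno, kind, token in find_secrets(SAMPLE_BUILD_LOG):
        print(f"line {lineno}: {kind} -> {mask(token)}")
    print(redact(SAMPLE_BUILD_LOG))
```

Feed any CI build log text to `find_secrets` for triage; `redact` is the transformation a log pipeline should apply before logs are stored or made retrievable. Masking a log does not revoke the token it contained, so anything `find_secrets` reports should be rotated, and `TOKEN_PATTERNS` should be extended with the token formats of every other service your builds authenticate to.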
Ransomware attack cripples Arizona hospital
Yuma Regional Medical Center in Arizona suffered a ransomware attack in which an intruder gained control of its systems, affecting nearly 700,000 patients. Files containing patient information, including SSNs and health data, may have been accessed by the attackers.
Ransomware abuses patched Atlassian flaw
AvosLocker and Cerber2021 have been observed exploiting CVE-2022-26134, an OGNL injection vulnerability in Atlassian Confluence Server and Data Center, to gain initial access to instances that have not yet applied the patch. Cerber has a history with Confluence: it also targeted the product in December 2021.
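To check your own Confluence access logs for the scanning described above, here is an added Python example (not from Atlassian, the reports, or the ransomware operators): it parses combined-format access log lines, percent-decodes the request URI repeatedly so double encoding does not hide the payload, and flags any request whose path contains an OGNL expression (`${...}`), separating bare probes such as `${7*7}` from static Java method calls. The log lines are constructed for the example, with IPs from documentation ranges; no legitimate Confluence URL carries `${` in its path, so any hit deserves a look.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Combined-log-format request line parser (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# OGNL static-method call syntax, e.g. @java.lang.Runtime@getRuntime
STATIC_CALL_RE = re.compile(r"@[\w.$]+@\w+")

# Constructed sample log. The requests are made up to illustrate the indicator
# (an OGNL expression in the URI path), including one double-encoded probe.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.55 - - [04/Jun/2022:10:02:03 +0000] "GET /%24%7B%40java.lang.System%40getProperty%28%22user.dir%22%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
198.51.100.7 - - [04/Jun/2022:10:03:44 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.55 - - [04/Jun/2022:10:04:10 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
198.51.100.9 - - [04/Jun/2022:10:05:31 +0000] "GET /%24%7B%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68"
"""


def decode_uri(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def scan_access_log(text: str) -> List[Dict]:
    """Flag requests whose decoded URI path carries an OGNL expression (${...})."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # CVE-2022-26134 is injected through the path, so ignore the query string.
        path = decode_uri(m["uri"]).split("?", 1)[0]
        if "${" not in path:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "decoded_path": path,
            # A static call such as @java.lang.Runtime@getRuntime() signals an
            # execution attempt rather than a bare ${7*7} probe.
            "static_call": bool(STATIC_CALL_RE.search(path)),
        })
    return hits


def sources(hits: List[Dict]) -> Counter:
    """Count hits per source IP; one IP with many hits looks like mass scanning."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], "static_call" if h["static_call"] else "probe", h["decoded_path"])
    print(sources(found))
```

Run it over the Confluence (or reverse proxy) access log from the days before the patch was applied; a hit with `static_call` set on a host that was unpatched at that time is a reason to treat the host as compromised and start incident response, not just to patch.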
CrescentImp threatens Ukrainian media firms
CERT-UA disclosed a new malicious campaign targeting Ukrainian media organizations, such as radio stations, newspapers, and news agencies. The attackers reportedly exploited the Follina vulnerability (CVE-2022-30190) to compromise victims' machines with the CrescentImp payload. More than 500 recipient email addresses were observed in this campaign.
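Follina is delivered through a Word document whose relationships part points at an external object that Word retrieves when the file is opened; the retrieved HTML then invokes the `ms-msdt:` protocol handler. The Python below is an added example, not CERT-UA's or the campaign's material: it builds a minimal constructed .docx in memory and then inspects a .docx for external, non-hyperlink relationships with http(s) targets, and for any part that embeds an `ms-msdt:` URI. The document structure, relationship IDs and URLs in the sample are assumptions made for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def build_sample_docx(external_ole_target: Optional[str] = None) -> bytes:
    """Build a minimal, constructed .docx in memory (not a document from the campaign)."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{REL_NS[1:-1]}">',
        f'<Relationship Id="rId1" Type="{STYLES_TYPE}" Target="styles.xml"/>',
        # An ordinary external hyperlink: legitimate and must not be flagged.
        f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="https://example.org/" TargetMode="External"/>',
    ]
    if external_ole_target:
        # The Follina shape: an OLE object whose content lives at a remote URL.
        rels.append(
            f'<Relationship Id="rId3" Type="{OLE_TYPE}" Target="{external_ole_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


def find_suspicious_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return external non-hyperlink relationships with http(s) targets, and any part
    containing an ms-msdt: URI."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if MSDT_RE.search(data):
                findings.append({"part": name, "reason": "ms-msdt: URI present"})
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(data)
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                if rtype == HYPERLINK_TYPE:
                    continue  # clickable links are expected to be external
                if target.lower().startswith(("http://", "https://")):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id", ""),
                        "type": rtype.rsplit("/", 1)[-1],
                        "target": target,
                        "reason": "external object loaded at open",
                    })
    return findings


if __name__ == "__main__":
    print(find_suspicious_relationships(build_sample_docx()))
    print(find_suspicious_relationships(build_sample_docx("http://203.0.113.20/index.html")))
```

Point `find_suspicious_relationships` at the bytes of any .docx pulled from a mail gateway or quarantine. An external OLE object is not proof of Follina on its own, but it is exactly the shape used to stage it, and the remote URL it gives you is the next thing to pull and examine for the `ms-msdt:` invocation.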
Iranian group uses DNS backdoor
Security researchers at Zscaler ThreatLabz found the Iranian Lyceum group targeting Middle Eastern organizations with a newly developed .NET-based DNS backdoor that relies on DNS hijacking. The backdoor is essentially a customized version of the open-source DIG.net tool. It is dropped into the system's Startup folder by a macro-enabled Word document, which also gives it persistence across reboots.
HelloXD ransomware drops MicroBackdoor
Palo Alto Networks detailed a new ransomware variant called HelloXD that targets both Windows and Linux systems. Researchers say it is based on leaked Babuk code and first appeared in the wild on November 30, 2021. According to the reports, the operators deploy MicroBackdoor, an open-source backdoor, for C2 communication.
Backdoored PyPI packages assigned CVEs
The PyPI packages 'keep,' 'pyanxdns,' and 'api-res-py' were backdoored because some of their versions depend on the malicious 'request' package, a look-alike of the legitimate 'requests' library. The issues are tracked as CVE-2022-30877 (affecting 'keep' version 1.2), CVE-2022-30882 (affecting 'pyanxdns' version 0.2), and CVE-2022-31313 (affecting 'api-res-py' version 0.1). The exposure from 'keep' is the largest, as the package averages more than 8,000 downloads a week.
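The backdoor above arrived as a dependency named `request`, one character away from the legitimate `requests`. The Python below is an added example (not from the advisories or the package maintainers) that goes a step beyond the three CVEs: it parses a `pip freeze`-style dependency list, normalizes names per PEP 503, and flags any installed package within edit distance 1 of a well-known name, which catches this look-alike and others of the same kind. The reference set of popular names and the dependency list are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Reference set of well-known package names. Constructed for the example; in
# practice use a current top-N PyPI download list.
POPULAR: Set[str] = {
    "requests", "urllib3", "numpy", "cryptography", "pyyaml", "setuptools",
    "boto3", "six", "idna", "certifi", "flask", "django",
}

# Constructed sample dependency list in the shape of `pip freeze` output. The
# 'request' entry mirrors the malicious dependency pulled in by the packages above.
SAMPLE_FREEZE = """\
certifi==2022.5.18.1
keep==1.2
request==1.0.0
requests==2.27.1
pyanxdns==0.2
urllib3==1.26.9
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> List[str]:
    """Extract normalized project names from requirement lines (drop versions, extras, markers)."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(normalize(re.split(r"[=<>!~;\[\s@]", line, 1)[0]))
    return names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def audit(names: List[str], reference: Set[str] = POPULAR, max_distance: int = 1) -> Dict[str, str]:
    """Map each installed name that is a near-miss of a well-known package to that package."""
    ref = {normalize(r) for r in reference}
    suspicious = {}
    for name in names:
        if name in ref:
            continue  # the well-known package itself
        for candidate in sorted(ref):
            if edit_distance(name, candidate) <= max_distance:
                suspicious[name] = candidate
                break
    return suspicious


if __name__ == "__main__":
    for bad, looks_like in audit(parse_freeze(SAMPLE_FREEZE)).items():
        print(f"suspicious: {bad!r} resembles {looks_like!r}")
```

Run it against `pip freeze` from each environment, or against the `Requires` line that `pip show <package>` prints for a package you are about to trust. A near-miss is a prompt to look at the package on PyPI, not a verdict: legitimate forks and plugins do sit one character away from popular names, so confirm the author, the upload history and the install-time code before removing or keeping it.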
Camera flaws exposing ICS
SEC Consult uncovered a series of vulnerabilities in thermal cameras produced by Infiray, a Chinese manufacturer of optical components. The affected model, IRAY-A8Z3, is vulnerable to RCE. If exploited, the flaws could give unauthorized users an entry point into ICS and supervisory control networks.