Cyware Daily Threat Intelligence

Daily Threat Briefing • Jun 14, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Daily Threat Briefing • Jun 14, 2022
The world of web3 is at the heart of yet another increasingly bizarre internet scam. There’s a SeaFlower operation that aims to infect web3 users through imposter websites and SEO poisoning and black SEO techniques promoting fake crypto wallets.
New cyber threats hover over Drupal users. Researchers have reported vulnerabilities in a third-party library that the platform leverages to handle HTTP requests and responses to external services. In another thread, a sensitive data leak event has hit the principal stock exchange in Uganda.
Healthcare institution’s networks compromised
Kaiser Permanente disclosed a data exposure incident that concerns PII and medical data of about 70,000 individuals. The information exposed in the attack includes the full names of patients, medical record numbers, dates of service, and laboratory test results. No sensitive information, such as SSNs and credit card numbers, were leaked. Hackers penetrated the systems by compromising an employee’s email account.
Uganda Securities Exchange laid bare sensitive data
A misconfigured database on the servers of Uganda Securities Exchange blurted out more than 32GB worth of data online. The leaked data included plain-text login credentials of customers and businesses using the Easy Portal of the exchange. Easy Portal is a self-service portal for users and trading partners to view stock performance, statements, and monitor account balance.
Palo Alto Networks uncovers PingPull
Researchers at Unit 42 spotted the China-linked Gallium APT dropping PingPull, a previously undetected RAT, in a recent cyberespionage campaign directed at South Asia, Europe, and Africa. Written in Visual C++, the malware lets hackers access a reverse shell and run arbitrary commands on compromised systems. Researchers also noted PingPull’s variants using HTTPS and TCP for C2 communications instead of ICMP.
BlackCat operators eye Microsoft Exchange servers
According to Microsoft, vulnerable Microsoft Exchange servers are being targeted by BlackCat ransomware affiliates. In an incident, hackers exploited a victim’s Microsoft server to hold stolen credentials and data for extortion. Additionally, two of the most prolific affiliate groups—associated with the likes of Hive, Conti, and Ryuk ransomware—have switched to deploying BlackCat, says the report.
**Highly-evasive malware for Linux systems **
A new Linux rootkit, dubbed Syslogk, was seen in attacks aiming to hide malicious processes while deploying a backdoor called Rekoobe on the device. Reports find that the malware is currently being developed by its authors, whose project is based on Adore-Ng, an old open-source rootkit. Syslogk rootkit has the ability to force-load its modules into the Linux kernel.
Fake cryptocurrency wallets out hunting
Trojanized mobile cryptocurrency wallet applications for MetaMask, Coinbase, TokenPocket, and imToken have surfaced lately. The campaign, dubbed SeaFlower by researchers at Confiant, has been labeled as one of the most technically sophisticated threats conspired against Web3 enthusiasts. The language used in the campaign hints at the involvement of Chinese actors.
Critical flaws impact Drupal users
Security experts at Drupal raised an alert around a pair of high-risk vulnerabilities that hackers can exploit to remotely hijack Drupal-powered websites. Tracked as CVE-2022-31042 and CVE-2022-31043, the flaws were fixed by Guzzle, the third-party library that Drupal engages with. Drupal has released an advisory stating that the flaws may affect some contributed projects or custom code on sites.
SynLapse is patched
Orca Security discovered SynLapse, a critical Synapse Analytics vulnerability in Microsoft Azure that also affects Azure Data Factory. An attacker can bypass tenant separation to obtain credentials to other Azure Synapse customer accounts, execute code on targeted machines, and even access customer credentials. Researchers suggest moving to a sandboxed environment and restricting API access.
DoS flaw on Envoy Proxy servers
JFrog stumbled across a DoS vulnerability in Envoy Proxy, an open-source edge and service proxy server designed for cloud-based applications and high-traffic websites. The flaw, identified as CVE-2022-29225, allows attackers to crash a proxy server and impact its performance. Users are requested to upgrade to Envoy versions 1.19.5, 1.20.4, 1.21.3, and 1.22.1.