We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Jun 16, 2022

Cisco’s virtual and hardware appliances were found vulnerable to cyberattacks owing to a high-severity bug, which affects its Email Security Appliance (ESA) and Secure Email and Web Manager products.

A new crypto threat—with a multitude of features—once again poses a threat to Android users globally. Named ?MaliBot, the malware can also bypass multi-factor authentication processes. What more? Africa’s largest supermarket retailer has succumbed to a ransomware attack, giving a glimpse of non-stop malicious efforts by cyber adversaries.

Top Breaches Reported in the Last 24 Hours

Ransomware restrains retailing

The RansomHouse ransomware group targeted the largest supermarket chain in South Africa, Shoprite Holdings Ltd. It has over 2,943 stores across Africa and over 149,000 employees. Reports say the data compromised in the attack included names and ID numbers. No financial information or bank account details were exposed.

Healthcare data illegally accessed

Baptist Medical Center in San Antonio and Resolute Health Hospital in New Braunfels disclosed network infections owing to potentially unauthorized activity. Hackers accessed the PII of patients and also wiped off some data from the network between March 31 and April 24. The impacted PII included full names, home addresses, SSNs, health insurance numbers, bill claims, and more.

Free VPN service leaks 25 million records

A routine check-up at free VPN software provider BeanVPN helped experts discover an ElasticSearch instance blurting out the cache of 18.5GB connection logs. The leaked information comprises user device and Play Service IDs, connection timestamps, IP addresses, and more. The provider’s website, however, claims it doesn’t collect logs of user activity.

**Millions exposed by POS Software Maker **

Malaysia-based software firm StoreHub found compromising the information of thousands of restaurants and retail stores, their staff members, and customers via an unprotected Elasticsearch server. The company develops POS software for F&B stores and retailers. Approximately one million customers in Malaysia and potentially across Southeast Asian countries.

Top Malware Reported in the Last 24 Hours

New android-based Crypto threat

Hackers appear to have developed a new malicious Android strain, dubbed MaliBot. The information-stealing trojan was spotted in the wild targeting online banking and crypto wallet users in Italy and Spain. It is being distributed via counterfeit websites hosting cryptocurrency mining apps such as Mining X or The CryptoApp. It can further steal MFA/2FA codes as well.

Hermit: A sophisticated spyware

Lookout anatomized an Android spyware family known as Hermit and found that it was previously used by Italian authorities and by an unknown hacker group in Syria. It also marks the first publicly identified mobile spyware developed in the country. The spyware is supposedly being distributed via SMS campaigns. Researchers also stumbled across an iOS version of the threat.

New botnet against education sector

Panchan, a new Golang-based P2P botnet, has been targeting the education sector since March 2022. A basic SSH dictionary attack powers it with wormable behavior. It harvests SSH keys and uses them for lateral movement. It used XMRig and nbhash miners that are extracted and executed during runtime, else can be detected.

Top Vulnerabilities Reported in the Last 24 Hours

Memcached injection vulnerability in Zimbra

Unauthenticated attackers could poison cache in business webmail platform Zimbra while also stealing cleartext credentials from an unsuspecting user. Researchers claim that the high-severity bug (CVE-2022-27924) lets an attacker inject arbitrary memcached commands into a targeted Zimbra instance and overwrite cached entries.

Old flaw exploited in Telerik servers

Blue Mockingbird actors are targeting an old critical vulnerability in the Telerik UI library for ASP.NET AJAX. To abuse the flaw, CVE-2019-18935, attackers must acquire the encryption keys protecting the Telerik UI’s serialization on the victims’ system. For keys, they need to make way via another vulnerability in the target web app or using CVE-2017-11317 and CVE-2017-11357.

Non-default configurations pose threat to Cisco appliances

Cisco is urging customers to address a critical vulnerability that could allow attackers to bypass authentication and access the web management interface of Cisco email gateway appliances with non-default configurations. Tracked as CVE-2022-20798, the bug occurs due to improper authentication checks on affected devices using Lightweight Directory Access Protocol (LDAP) for external authentication.

Related Threat Briefings