
Cyware Daily Threat Intelligence


Daily Threat Briefing Mar 12, 2021

Malware attacks have been one of the biggest security threats to organizations for over a decade. Underlining the growing threat, researchers have discovered the return of the Dridex and Metamorfo trojans in separate attack campaigns. Both campaigns use spoofed emails as part of the initial infection process.

Moreover, two new ransomware families are being used in the wild against organizations and individuals. One, dubbed DEARCRY, is distributed by exploiting the ProxyLogon vulnerabilities. The other is a variant of Darkside ransomware that is capable of targeting NAS devices, along with Windows and Linux systems.

Top Breaches Reported in the Last 24 Hours

Woodcreek Provider Services affected

A ransomware attack at Woodcreek Provider Services has affected the data of over 200,000 patients, providers, and staff. It allowed attackers access to personal information including Social Security Numbers, dates of birth, and other data. The healthcare firm is one of the victims affected by the attack that took place at Netgain Technologies LLC in November last year.

Molson Coors’ operations disrupted

The brewing operations of Molson Coors have been disrupted in a cybersecurity incident. The firm has engaged a forensic IT firm to investigate the incident.

Top Malware Reported in the Last 24 Hours

Dridex attacks on the rise

Researchers are observing a rise in Dridex-related network attacks that are being driven by the Cutwail botnet. The trojan is delivered in the second stage of the infection process that begins with a booby-trapped email. Currently, the campaign is active in Italy and Japan.

New skimming attack

A new investigation of a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. The pilfered data is encoded before being saved to a .JPG file.
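One defender-side check this item suggests is to look for image files that are not images: a skimmer that parks stolen form data in a .JPG file leaves behind a file without JPEG magic bytes whose contents decode to readable text. The script below is an added example, not code from the briefing or from the investigation it summarizes; the sample files, paths and the assumption that the encoding is base64 are all constructed for illustration.

```python
import base64
import binascii
from typing import Dict, Optional

# A real JPEG starts with the SOI marker FF D8 FF; a .jpg without it is not an image.
JPEG_MAGIC = b"\xff\xd8\xff"

# Constructed sample files (path -> bytes). The base64 content and the field names
# are made up for this example; the paths are assumptions, not from the briefing.
SAMPLE_FILES: Dict[str, bytes] = {
    "pub/media/catalog/product/banner.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 64,
    "pub/media/tmp/cache.jpg": base64.b64encode(
        b"login[username]=alice&payment[cc_number]=<redacted>&"
    ),
    "pub/media/empty.jpg": b"",
    "pub/media/random.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "pub/static/app.js": b"console.log('not an image, ignored');",
}


def looks_like_jpeg(data: bytes) -> bool:
    """True when the bytes carry the JPEG SOI marker."""
    return data.startswith(JPEG_MAGIC)


def decode_if_base64_text(data: bytes) -> Optional[str]:
    """Return the decoded text if data is strict base64 of mostly printable UTF-8, else None."""
    stripped = data.strip()
    if not stripped:
        return None
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text:
        return None
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return text if printable / len(text) > 0.95 else None


def classify(data: bytes) -> str:
    """Label a file claiming to be a JPEG: genuine, suspicious base64 text, or merely wrong type."""
    if looks_like_jpeg(data):
        return "jpeg"
    if decode_if_base64_text(data) is not None:
        return "suspicious-base64-text"
    return "not-jpeg"


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every .jpg/.jpeg entry; other extensions are left to other checks."""
    return {
        path: classify(data)
        for path, data in files.items()
        if path.lower().endswith((".jpg", ".jpeg"))
    }


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_FILES).items():
        print(f"{verdict:24s} {path}")
```

In practice the same check runs over the web root's media directories on a schedule, and any "suspicious-base64-text" hit is worth a file-integrity comparison against the deployed release, since the briefing's case involved an injection into the application rather than an uploaded file.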

Return of NanoCore RAT

A new malspam campaign is abusing icon files to trick victims into executing the NanoCore RAT. The emails carry a .zipx attachment and a message that pretends to come from the ‘Purchase Manager’ of an organization the attackers are spoofing.

New BadHatch backdoor version

A revamped version of the BadHatch backdoor used by the FIN8 threat actor group has surfaced in the threat landscape. The new variant is being used to compromise companies in the chemical, insurance, retail, and technology industries. The attacks have been seen hitting organizations around the world, mainly in Canada, Italy, Panama, Puerto Rico, South Africa, and the U.S.

Darkside 2.0 ransomware

A new version of the Darkside ransomware includes features for targeting virtual machines, a faster encryption process, and VoIP calling. It also features multithreading in both the Windows and Linux versions. Darkside 2.0 is additionally capable of targeting NAS devices.

New DEARCRY ransomware

Threat actors are now abusing the ProxyLogon vulnerabilities affecting Microsoft Exchange servers to install a new ransomware called DEARCRY. Once launched, the ransomware attempts to shut down a Windows service named ‘msupdate’.
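The one host-level behaviour the briefing names for DEARCRY, stopping a service called ‘msupdate’, is something the Windows event log records directly, so it can be turned into a simple detection. The script below is an added example rather than anything from the briefing or from a vendor's detection content. It assumes events have already been exported into flat records with an event ID, provider and message (plus a command line for process-creation events); the sample events are constructed for this example, and the Service Control Manager IDs 7036/7040 and Security event 4688 are the standard Windows ones.

```python
import re
from typing import Dict, List

WATCHED_SERVICE = "msupdate"

# Constructed sample events in a simplified flat shape (an assumption; real EVTX or
# XML exports must be parsed into this form first). Messages follow the standard
# wording of SCM events 7036/7040 and Security-Auditing event 4688.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 7036, "provider": "Service Control Manager",
     "message": "The Windows Update service entered the running state."},
    {"event_id": 7036, "provider": "Service Control Manager",
     "message": "The msupdate service entered the stopped state."},
    {"event_id": 7040, "provider": "Service Control Manager",
     "message": "The start type of the msupdate service was changed from auto start to disabled."},
    {"event_id": 4688, "provider": "Microsoft-Windows-Security-Auditing",
     "command_line": "C:\\Windows\\System32\\net1.exe stop msupdate",
     "message": "A new process has been created."},
    {"event_id": 4688, "provider": "Microsoft-Windows-Security-Auditing",
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "message": "A new process has been created."},
]

# Service entered the stopped state (SCM 7036).
STOP_MSG = re.compile(r"\bThe (?P<svc>.+?) service entered the stopped state\.", re.I)
# Service start type changed to disabled (SCM 7040).
DISABLE_MSG = re.compile(r"start type of the (?P<svc>.+?) service was changed .* to disabled", re.I)
# Process creation (4688) whose command line stops a service via net/net1/sc.
STOP_CMD = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?P<svc>\S+)", re.I)


def detect(events: List[Dict], watched: str = WATCHED_SERVICE) -> List[Dict]:
    """Return one finding per event that stops, disables or commands a stop of the watched service."""
    findings: List[Dict] = []
    for index, event in enumerate(events):
        message = event.get("message", "")
        command_line = event.get("command_line", "")
        checks = (
            (STOP_MSG, message, "service-stopped"),
            (DISABLE_MSG, message, "service-disabled"),
            (STOP_CMD, command_line, "stop-command"),
        )
        for pattern, text, label in checks:
            match = pattern.search(text)
            if match and match.group("svc").lower() == watched.lower():
                findings.append({"index": index, "event_id": event.get("event_id"), "label": label})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A single 7036 for this service is weak evidence on its own, since administrators stop services too; the value is in correlating it with the other two signals and with the Exchange-server exposure the briefing describes, so that a stop of this particular service on an Exchange host raises the priority of the alert.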

Metamorfo banking trojan

A phishing campaign has been found abusing AutoHotKey (AHK) to deliver the Metamorfo banking trojan to victims. The campaign is being used to target Spanish users.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Schneider Power Meters

Technical details for the potentially serious vulnerabilities affecting PowerLogic smart meters made by Schneider Electric were publicly released by security researchers. One of them, CVE-2021-22714, is considered critical as it allows attackers to cause the targeted meter to reboot and possibly even to execute arbitrary code.
