Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 21, 2022
A lot happened over the weekend. A new backdoor, dubbed Serpent, was found slithering into French target networks. It boasts advanced functionality and was deployed through an open-source package installer. The sophisticated South Korean hacking group DarkHotel ran a new campaign from December 2021 to January 2022 that targeted several luxury resorts in Macau.
We are all aware of the popular CRM software Hubspot. Many companies use it to onboard new users and manage marketing campaigns. Now, a breach at Hubspot has affected 30 of its clients.
Hubspot hacked
CRM tool Hubspot has been hacked, which led to data breaches at Swan Bitcoin, BlockFi, Circle, and NYDIG. A total of 30 clients were affected. However, the companies stated that their treasuries and operations remain unaffected. The attack was carried out by a threat actor who gained access to an employee account and targeted stakeholders in the cryptocurrency sector.
DarkHotel campaign targets Macau resorts
A new attack campaign by the South Korea-based DarkHotel hacking gang has been targeting luxury resorts in Macau, China. The campaign started in December 2021 and continued until January this year. Two of the targeted hotels are the Grand Coloane Resort and the Wynn Palace, both 5-star hotels. On December 7, 2021, the group sent phishing emails to 17 hotels from an address pretending to belong to the Macao Government Tourism Office.
Anonymous hacked Omega Company
Omega Company—the R&D unit of Russian oil pipeline company Transneft—was hacked by the Anonymous collective. The hacktivists exfiltrated 79GB of emails and published them on Distributed Denial of Secrets, a non-profit whistleblower leak site. The stolen data consists of invoices, product shipment information, and technical configurations of equipment.
Dental care data breach
Texas-based Jefferson Dental and Orthodontics suffered a data breach that may have affected more than a million Texans. The attack occurred on August 9, 2021, and exposed SSNs, financial information, health insurance information, and driver’s license details.
New backdoor targets French entities
French entities in the real estate, construction, and government sectors were attacked via macro-enabled Microsoft Word documents that installed the open-source Chocolatey package installer. The installer, in turn, was used to deliver a backdoor called Serpent. The backdoor is capable of remote administration, command and control (C2), data theft, and delivery of additional payloads.
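The delivery chain described above (Word macro, then the Chocolatey package installer, then the backdoor) leaves a recognisable process lineage on the endpoint. The following Python is an added detection example written for this briefing; it is not code from Cyware, Proofpoint, or the Chocolatey project. It walks a parent/child process tree and flags any Chocolatey activity that has an Office application as an ancestor. The event records are constructed Sysmon-style samples, the package name and script name are placeholders, and the inclusion of Excel and PowerPoint alongside Word is an assumed generalisation (the briefing names only Word).

```python
import ntpath
from typing import Iterable, Optional

# Office applications that can run VBA macros. Word is the vector named in the
# briefing; Excel and PowerPoint are an assumed generalisation.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Signs that a process is the Chocolatey client or is scripting it.
CHOCO_IMAGE = "choco.exe"
CHOCO_CMD_MARKERS = ("choco install", "choco.exe", "chocolatey")

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# Illustrative records only, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "quote.docm"'},  # placeholder document name
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min powershell.exe -File stage.ps1"},  # placeholder script
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -c "choco install placeholder-package -y"'},
    {"pid": 500, "ppid": 400, "image": r"C:\ProgramData\chocolatey\bin\choco.exe",
     "cmdline": "choco install placeholder-package -y"},
    # Benign: an administrator running Chocolatey from an interactive shell.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\ProgramData\chocolatey\bin\choco.exe",
     "cmdline": "choco upgrade all -y"},
    # Benign: Word spawning the print spooler helper.
    {"pid": 800, "ppid": 200, "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
]


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()


def is_chocolatey(event: dict) -> bool:
    """True if the process is choco.exe itself or a shell invoking Chocolatey."""
    cmd = event.get("cmdline", "").lower()
    return image_name(event["image"]) == CHOCO_IMAGE or any(m in cmd for m in CHOCO_CMD_MARKERS)


def office_ancestor(pid: int, by_pid: dict, max_depth: int = 10) -> Optional[int]:
    """Walk up the parent chain; return the pid of the nearest Office ancestor, else None.

    max_depth bounds the walk so a malformed tree (pid reuse, cycles) cannot loop forever.
    """
    current = by_pid.get(pid)
    for _ in range(max_depth):
        if current is None:
            return None
        parent = by_pid.get(current["ppid"])
        if parent is None:
            return None
        if image_name(parent["image"]) in OFFICE_IMAGES:
            return parent["pid"]
        current = parent
    return None


def find_office_to_chocolatey(events: Iterable[dict]) -> list:
    """Return (chocolatey_pid, office_ancestor_pid) pairs worth an analyst's attention."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_chocolatey(e):
            continue
        office_pid = office_ancestor(e["pid"], by_pid)
        if office_pid is not None:
            hits.append((e["pid"], office_pid))
    return hits


if __name__ == "__main__":
    for choco_pid, office_pid in find_office_to_chocolatey(SAMPLE_EVENTS):
        print(f"ALERT: Chocolatey process {choco_pid} descends from Office process {office_pid}")
```

The walk is ancestor-based rather than parent-based on purpose: the macro typically goes through cmd.exe or PowerShell before the package manager runs, so a rule that only looks at the direct parent would miss the chain. The administrator's interactive `choco upgrade` in the sample is not flagged because no Office application sits above it.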
AvosLocker targets U.S. critical infrastructure
The FBI, in coordination with the Treasury Department and FinCEN, issued a joint cybersecurity advisory warning that AvosLocker ransomware is targeting multiple critical infrastructure sectors in the U.S. The RaaS affiliate-based actor has also targeted the financial services, government facilities, and critical manufacturing sectors. The threat actor’s leak site boasts of victims in the U.S., the UAE, the U.K., China, Germany, Syria, Spain, Saudi Arabia, Turkey, and Belgium.
Free decryptor for Diavol victims
Emsisoft released a free decryptor for victims of Diavol ransomware. In January, the FBI linked Diavol operations to the infamous TrickBot gang. However, the cybersecurity firm cannot guarantee that the decrypted data will be identical to the original files, since the ransomware does not save any information about the unencrypted files.
More Conti leaks
A Ukrainian security researcher, going by the name 'Conti Leaks' on Twitter, has once again leaked malware source code from the Conti ransomware operation. The new leak contains the source code for Conti version 3, last modified on January 25, 2021. The leaked code is a Visual Studio solution that allows anyone with access to compile the ransomware locker and decryptor.
Critical bug in Western Digital app
EdgeRover, Western Digital’s desktop app for Mac and Windows, was found vulnerable to local privilege escalation and sandbox escape flaws, which could lead to DoS attacks or disclosure of confidential information. Tracked as CVE-2022-22998, the vulnerability is related to directory traversal and has a severity rating of 9.1.
Facebook phishing scam
Scammers are sending phishing emails to Facebook users with the subject line “Someone tried to log into your account, user ID.” The message contains two buttons, “Report the User” and “Yes, Me.” Clicking either button opens a pre-formatted email that requests additional details from the target.