
Cyware Daily Threat Intelligence


Daily Threat Briefing Mar 21, 2023

The first-ever malware attack through the NuGet repository has come to the notice of researchers. Attackers used typosquatting to impersonate legitimate packages and uploaded them to the repository to infect .NET developers with cryptocurrency stealers. In another incident, the RedLine stealer made a comeback in a campaign that abused the legitimate Adobe Acrobat Sign service to trick users.

Besides these emerging threats, security experts shared a report highlighting a total of 55 actively exploited zero-day flaws in 2022. Many of these flaws were exploited by Chinese threat actors, enabling them to either gain elevated privileges or perform remote code execution on vulnerable devices.

Top Breaches Reported in the Last 24 Hours

Cl0p claims attack on Saks Fifth Avenue

Saks Fifth Avenue has emerged as the newest victim of aggressive Cl0p ransomware attacks that compromised over 130 organizations. These organizations were impacted by attacks that exploited vulnerable GoAnywhere MFT servers. The ransomware gang claimed the attack by sharing the name of the retail firm on its leak site.

Docomo recovering from a security incident

Docomo Pacific, the largest telecom service provider in the U.S. territories of Guam and the Northern Mariana Islands, is recovering from a cyberattack that took place last week. The attack caused an outage of phone services and internet connectivity.

Ferrari reveals a data breach

On March 20, Ferrari revealed that its Italian subsidiary, Ferrari S.p.A., was the victim of a ransomware attack. The attacker has demanded a ransom to prevent the leak of client contact details. At present, the luxury sports car maker says there is no evidence that sensitive data was accessed and no impact on its operations.

Top Malware Reported in the Last 24 Hours

RedLine stealer's new campaign

Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the notorious RedLine information stealer. The infection chain starts with a phishing email that asks recipients to verify a report by clicking the "Review and sign" button. Once the victim clicks the button, they are redirected to a site that asks them to solve a hard-coded CAPTCHA. After entering the CAPTCHA, the victim downloads a ZIP archive that contains the trojan.

Malicious packages drop cryptocurrency stealers

Attackers have been found impersonating legitimate packages via typosquatting to infect .NET developers with cryptocurrency stealers. These malicious packages are delivered through the NuGet repository, with three of them being downloaded over 150,000 times within a month. The malicious packages are designed to download and execute a PowerShell-based dropper script that configures the compromised system before dropping the second-stage payload.
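Typosquatting works because a name one character away from a trusted package looks right at a glance. One defensive control is to audit a project's dependency list against the packages the organisation actually trusts and flag near-misses before restore runs. The script below is an added example written for this briefing; it is not code from Cyware or from the researchers who reported the NuGet campaign. The trusted list and the candidate dependency names are constructed for the demonstration (the real NuGet packages Newtonsoft.Json, Serilog and Dapper are used as trusted names; the lookalike names are made up), and the edit-distance threshold of 2 is an assumption a team would tune.

```python
import re

# Constructed allow-list for the example. In practice this would come from an
# internal feed or a curated list of packages approved for the code base.
TRUSTED_PACKAGES = ["Newtonsoft.Json", "Serilog", "Dapper"]


def normalize(name):
    """Lowercase and strip separators so 'Foo.Bar', 'foo-bar' and 'FooBar'
    all compare as the same string; squats often differ only in separators."""
    return re.sub(r"[.\-_]", "", name.lower())


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(candidate, trusted, max_distance=2):
    """Return (trusted_name, distance) for the trusted package the candidate
    most closely imitates, or None if it is exact or not a near miss."""
    # An exact, case-insensitive ID match is the genuine package.
    if any(candidate.lower() == t.lower() for t in trusted):
        return None
    norm = normalize(candidate)
    best = None
    for t in trusted:
        d = levenshtein(norm, normalize(t))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best


def audit_dependencies(deps, trusted=TRUSTED_PACKAGES):
    """Map each suspicious dependency to the trusted package it resembles."""
    findings = {}
    for dep in deps:
        hit = lookalike_of(dep, trusted)
        if hit is not None:
            findings[dep] = hit
    return findings


if __name__ == "__main__":
    # Constructed dependency list: one genuine, one lookalike, one unrelated.
    sample = ["Newtonsoft.Json", "Newtonsoft.Jsn", "xunit"]
    for dep, (looks_like, dist) in audit_dependencies(sample).items():
        print(f"{dep}: resembles trusted package {looks_like} (distance {dist})")
```

The threshold deliberately errs toward false positives: a flagged name costs a reviewer a few seconds, while a missed one costs a compromised build host. Packages that legitimately share a prefix with a trusted one can be added to the trusted list to silence the alert.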

Malicious apps used to spy on Android phones

Several apps created by Pinduoduo have been found to contain malware that monitors Android phones. According to an analysis by security researchers, the apps use several zero-day exploits to compromise users' devices. While Google Play Protect now blocks installation of these malicious apps, users who downloaded them from third-party app stores such as those run by Samsung, Huawei, and Xiaomi are urged to uninstall them.

Top Vulnerabilities Reported in the Last 24 Hours

Most exploited zero-day flaws in 2022

Researchers at Mandiant revealed that 55 zero-days were actively exploited in 2022. Most of these flaws affected Microsoft, Google, and Apple products. Around 53 of these flaws enabled the attackers to either gain elevated privileges or perform remote code execution on vulnerable devices. Moreover, seven of these flaws were exploited by Chinese state-sponsored actors.

A flaw in Pixel’s Markup tool fixed

A flaw in Google Pixel’s Markup tool enabled partial recovery of edited or redacted screenshots and images that were modified in the last five years. The flaw was tracked as CVE-2023-21036 and was fixed via an update on March 13. It stemmed from how the image file was opened for editing.
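A practical check for the Markup issue is to inspect screenshots you have already shared. A well-formed PNG ends at its IEND chunk; an editor that opens the file for writing without truncating it leaves the tail of the original image after the new IEND, and that leftover tail is what made partial recovery possible. The scanner below is an added example written for this briefing, not code from Cyware or from Google: it walks the PNG chunk list, finds IEND, and reports how many bytes follow it. The sample image is constructed inline (a 1x1 greyscale PNG), and the `scan_file` helper name is this example's own.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def png_end_offset(blob):
    """Walk the chunk list and return the offset just past the IEND chunk.
    Raises ValueError for non-PNG input, a truncated chunk, or a missing IEND."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(blob):
    """Number of bytes after IEND; anything above 0 means leftover data that
    a decoder ignores but that may still hold parts of the pre-edit image."""
    return len(blob) - png_end_offset(blob)


def build_sample_png():
    """Constructed 1x1 8-bit greyscale PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def scan_file(path):
    """Hypothetical helper: return trailing byte count for a PNG on disk."""
    with open(path, "rb") as fh:
        return trailing_bytes_after_iend(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(f"{path}: {scan_file(path)} byte(s) after IEND")
    else:
        clean = build_sample_png()
        # Simulate an in-place rewrite that left 37 bytes of the old file behind.
        stale = clean + b"\x00" * 37
        print("clean sample:", trailing_bytes_after_iend(clean), "byte(s) after IEND")
        print("stale sample:", trailing_bytes_after_iend(stale), "byte(s) after IEND")
```

Run it with one or more PNG paths to audit exported screenshots; a non-zero count is the signal to re-export the image from a clean source rather than share it. The check is cheap enough to drop into a pre-commit hook or a DLP pipeline that handles outbound images.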
