Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 23, 2023
Banking portals and cryptocurrency services are undoubtedly top targets of today’s cybercriminals. Researchers have taken the wraps off a similar threat dubbed Nexus. A cousin of the SOVA banking trojan, the new kid on the block is not fully developed yet is not to be underestimated, as it may compromise about 450 financial applications. A new Magecart attack technique is also out in the wild. Instead of polluting the HTML of the WooCommerce store or checkout pages, adversaries have decided to inject malicious code into the files of a valid payment gateway. The covert operation is proving a success.
Furthermore, roughly a dozen flaws were fixed in Cisco IOS and IOS XE software, with six of them falling into the critical severity region. The bugs range from privilege escalation to command execution on the underlying OS with root-level privileges.
Streaming platform leaks 20GB of data
Entertainment industry giant Lionsgate inadvertently laid bare 20GB (~30 million entries) of server logs via an unprotected database server. The logs contained subscribers’ IP addresses and user data such as device type, operating system, and web browser. The logs also exposed usage information for the platform, which is often utilized for analytics and performance monitoring.
New way of skimming card data
A cybercriminal group has adopted a new technique of hiding malicious code inside the Authorize[.]net payment gateway module for WooCommerce to pilfer credit card data. Previously, hackers would inject harmful code into the HTML of the store or checkout pages. With the new tactic, criminals can successfully bypass various security checks.
Nexus banking trojan via MaaS
Researchers at Cleafy uncovered a new Android banking trojan being tracked as Nexus. The malware has appeared on multiple hacking forums with the same name and is promoted via a Malware-as-a-Service (MaaS) subscription. Though the malware appears to be at a nascent stage, researchers confirmed several active campaigns using it already. It can perform account takeover attacks against apps of 450 banking portals and cryptocurrency services.
Kritec Magecart skimmer
Akamai shed light on a Magecart skimmer campaign camouflaged as the Google Tag Manager script. Threat actors reportedly used a new skimmer, Kritec, named after one of its domain names. Its skimming code is heavily obfuscated, mostly via obfuscator[.]io, and loads the malicious JavaScript in an unprecedented way. The way it exfiltrates data is also unique; it uses POST requests instead of WebSockets.
Cisco patches six high-severity issues
Cisco rolled out its semiannual IOS and IOS XE software security advisory bundle, patching ten security holes. Among these are six—CVE-2023-20080, CVE-2023-20072, CVE-2023-20027, CVE-2023-20067, CVE-2023-20035, and CVE-2023-20065—with critical severity ratings. They pose threats of device takeover, arbitrary command execution, and privilege escalation.
Cropped but not actually cropped
Recently, security researchers David Buchanan and Simon Aarons disclosed a flaw, dubbed acropalypse, in Google Pixel's Markup Tool that would let individuals partially recover the cropped-out part of an edited image. Now, the same privacy flaw has been found affecting the Windows Snipping Tool. In the case of a screenshot of sensitive documents or a private picture, the flaw could prove devastating if exploited.
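As an added check (not part of the briefing or the researchers' tooling): acropalypse-style leaks occur because the edited image is written over the original file without truncating it, so stale bytes of the original remain after the PNG's IEND chunk. The Python below walks the chunk list of a PNG, reports how many bytes follow IEND, and strips them; the sample image and the appended stale bytes are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Raises ValueError if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Bytes that follow IEND; anything greater than zero is leftover data
    a viewer never shows but a forensic parser can still read."""
    return len(data) - png_end_offset(data)


def truncate_after_iend(data: bytes) -> bytes:
    """Remediation: keep only the bytes up to and including IEND."""
    return data[:png_end_offset(data)]


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    # constructed 1x1 RGB image: IHDR, one IDAT (filter byte + one red pixel), IEND
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = make_sample_png()
# constructed: simulate the overwrite-without-truncate bug by leaving stale bytes behind
LEFTOVER_PNG = CLEAN_PNG + b"STALE-IDAT-BYTES-FROM-THE-ORIGINAL-IMAGE"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("leftover", LEFTOVER_PNG)):
        print(f"{name}: {trailing_bytes(img)} bytes after IEND")
```

Run it over exported screenshots: a non-zero count means the file should be re-saved with truncation before sharing.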
BEC firm impersonation
Check Point’s Avanan found a large number of emails posing as legitimate firms and services, redirecting unsuspecting users to a fake cryptocurrency site. In February and March, security experts observed a total of 33,817 such email-based attacks. PayPal and Google were the most frequently impersonated services.