
Cyware Daily Threat Intelligence


Daily Threat Briefing Mar 27, 2023

A new info-stealer has forayed into cyberspace targeting macOS users. Dubbed MacStealer, it may siphon off iCloud Keychain data, passwords, and credit card data from browsers including Google Chrome, Brave, and Mozilla Firefox. Meanwhile, the typical IRS scam has made a comeback, with Emotet impersonating officials to lure people looking to file taxes. Also, security experts laid bare a malicious code injection campaign that has compromised over 51,000 websites since it began in 2020.

Adding to the woes is a new ransomware operation dubbed Dark Power. The ransomware group has already listed ten victims from across the world. Security analysts note that the group attaches an unusual eight-page PDF document as a ransom note.

Top Breaches Reported in the Last 24 Hours

Puerto Rico agency under attack

The Vice Society ransomware gang listed the Puerto Rico Aqueduct and Sewer Authority (PRASA) as its latest victim. The criminals could access customer and employee information during the attack. As per the leak site, the ransomware group stole passport data, driver’s licenses, and other documents of individuals.

Operation disrupted in Tennessee city

The IT systems at the City of Oak Ridge, Tennessee, came to a halt in the wake of a ransomware attack. A ransomware expert at Emsisoft said the city is the 18th local government agency in the U.S. to be targeted by a ransomware attack so far this year. Just two weeks earlier, Tennessee State University disclosed that it had experienced a ransomware attack.

Top Malware Reported in the Last 24 Hours

New information-stealer targeting macOS

MacStealer is a new information-stealing malware threat attempting to pilfer sensitive information from compromised macOS devices. The malware uses Telegram as its C2 channel and specifically affects devices running Catalina and later versions on M1 and M2 CPUs. It can harvest documents, browser cookies, and login information from individuals.

Onyxproxy - malicious PyPI package

A malicious package was reported on the PyPI repository that uses Unicode to evade detection and deliver information-stealing malware. Named onyxproxy, the package was uploaded to the repository on March 15 and has data harvesting capabilities. Supply chain security firm Phylum said that the developers of the package are not sophisticated; they likely just cut and pasted code from various sources and stitched it together.
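The Unicode evasion described above works because Python folds look-alike identifiers to their plain ASCII form through NFKC normalization, so a scanner can flag such spellings before any code is executed. This is an added defender-side example, not code from Phylum or from the onyxproxy package; the two source samples below are constructed for illustration.

```python
import io
import tokenize
import unicodedata
from collections import defaultdict


def _fancy(word):
    # Spell an ASCII word with Mathematical Sans-Serif Italic letters (U+1D622..),
    # which Python's NFKC identifier normalization folds back to plain ASCII.
    return "".join(chr(0x1D622 + ord(c) - ord("a")) for c in word)


# Constructed samples, not code from the package described in the briefing.
CLEAN_SRC = "import requests\nresp = requests.get(url)\n"
OBFUSCATED_SRC = (
    f"import {_fancy('requests')}\n"
    f"{_fancy('resp')} = requests.{_fancy('get')}(url)\n"
)


def find_unicode_identifiers(source):
    """Return every non-ASCII NAME token with its NFKC-normalized form."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            norm = unicodedata.normalize("NFKC", tok.string)
            hits.append({
                "line": tok.start[0],
                "raw": tok.string,
                "normalized": norm,
                # True when the spelling differs only cosmetically from the
                # ASCII identifier Python actually binds: the strongest signal.
                "folds_to_ascii": norm.isascii(),
            })
    return hits


def spelling_collisions(source):
    """Map each normalized identifier to the set of raw spellings used for it."""
    spellings = defaultdict(set)
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME:
            spellings[unicodedata.normalize("NFKC", tok.string)].add(tok.string)
    # Two or more spellings of one name is a hallmark of this evasion style.
    return {name: s for name, s in spellings.items() if len(s) > 1}
```

Running both checks over every `.py` file in a downloaded wheel or sdist before installation catches this class of obfuscation regardless of what the package name claims.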

Emotet propagates via fake tax forms

Malwarebytes and Palo Alto Networks uncovered a new phishing campaign targeting U.S. taxpayers by impersonating W-9 tax forms. The campaign spreads the Emotet malware, which recently switched to using OneNote files for successful propagation. Actors impersonate the Internal Revenue Service and the companies that potential victims work with.

Dark Power wants a small ransom

A new ransomware operation by the Dark Power group was spotted in the wild by cybersecurity firm Trellix. It gives victims a total of 72 hours to send $10,000 in Monero cryptocurrency to receive a working decryptor. Experts believe it to be a private project, since the operation shows no trace of promotion on any hacker forums or dark web spaces. According to the leak site, there have been 10 victims so far.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft fixes Acropalypse

An emergency security patch was rolled out by Microsoft to address the Acropalypse privacy vulnerability affecting the Windows 10 and Windows 11 Snipping Tool. The company has urged users to apply the patch to fix the CVE-2023-28303 bug. The flaw was rated low on the severity scale because it requires uncommon user interaction, among other mitigating factors.

MLflow vulnerability patched

MLflow, the open-source framework used to manage machine-learning experiments and record results, suffered a critical bug that could expose sensitive information such as SSH keys and AWS credentials. The bug, tracked as CVE-2023-1177, received the highest possible CVSS score of 10. A remote, unauthenticated attacker could force MLflow to leak the contents of any readable file stored on the server via specially crafted requests.

Top Scams Reported in the Last 24 Hours

JS injection campaign ongoing since 2020

An ongoing malicious JavaScript injection campaign has infected over 51,000 websites, Unit42 researchers revealed. The compromised websites redirect victims to malicious pages that imitate a popular video-sharing platform or host dubious content laced with adware and scam baits. Through this, the attackers could push browser notifications via a website they control.
