Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 28, 2022
A new conversation hijacking campaign has come under the scanner in the last 24 hours. It delivers the IcedID trojan to organizations in the energy, healthcare, law, and pharmaceutical sectors, and it uses compromised Microsoft Exchange servers to send the lure emails from hijacked accounts, so the messages arrive as replies inside existing threads.
In other news, the operators of two relatively new ransomware families, Hive and SunCrypt, have added capabilities aimed at infecting more devices. Hive's Linux encryptor has been ported to the Rust programming language and targets VMware ESXi servers, while the new SunCrypt version adds modules that remove evidence of the infection.
Top Breaches Reported in the Last 24 Hours
Horizon Actuarial Services LLC affected
Horizon Actuarial Services LLC, a third-party vendor to Major League Baseball, has been hit by a cyberattack that exposed the personal information of players and their family members. Horizon reported that the breach affected around 39,000 individuals.
Students’ data affected
The personal information of roughly 820,000 current and former New York City public school students was exposed in a breach that occurred in January, after threat actors gained unauthorized access to an online grading and attendance system.
Top Malware Reported in the Last 24 Hours
New RAT spotted
Avast has discovered a new Remote Access Trojan (RAT) that is being actively used in the wild in the Philippines. The RAT, written in C++, uses an expired digital certificate belonging to the Philippine Navy in its communications with the C2 server.
SunCrypt ransomware updated
The SunCrypt ransomware has been updated with new capabilities to terminate processes, stop services, and clean the machine of any evidence of the infection. The 2022 variant is still under development, and the attackers plan to add an anti-VM feature in the future.
Hive ransomware also upgraded
The operators of the Hive ransomware have ported its Linux encryptor to the Rust programming language to target VMware ESXi servers. They have also added features that make it harder for security researchers to snoop on victims' ransom negotiations. Hive is believed to borrow these features from the BlackCat ransomware.
IcedID trojan campaign detected
Researchers have detected a new conversation hijacking campaign that delivers the IcedID trojan to victims' systems. The threat actors used compromised Microsoft Exchange servers to send the emails from the hijacked accounts. Organizations in the energy, healthcare, law, and pharmaceutical sectors have fallen victim to these attacks.
Top Vulnerabilities Reported in the Last 24 Hours
V8 type confusion vulnerability
Google has urged users to update Chrome to version 99.0.4844.84 to fix a type confusion vulnerability in the browser's V8 JavaScript engine. The flaw, tracked as CVE-2022-1096, is being exploited in the wild.
66 actively exploited flaws added
CISA has added 66 new security flaws to its Known Exploited Vulnerabilities Catalog. The 66 bugs include recent and old flaws in networking kit and security appliances from D-Link, Cisco, Netgear, Citrix, Palo Alto Networks, Sophos, and Zyxel. Other affected products include software from Oracle, OpenBSD, and VMware. CISA has urged organizations to patch the affected products to prevent attacks; federal civilian agencies must remediate each entry by the due date listed in the catalog.
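As an added example that is not part of the original briefing: the check below matches a KEV-style catalog against an asset inventory and orders the hits by CISA's due date. The catalog is a constructed sample that only mirrors the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); its due dates and descriptions are illustrative, and the inventory, the PRODUCT_ALIASES table and the triage() function are this example's own assumptions rather than anything from the page.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names are
# the real ones; the dates and descriptions are illustrative, not copied from
# the live catalog. Only CVE IDs named in the briefing are used.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.03.28",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-1040",
            "vendorProject": "Sophos",
            "product": "Firewall",
            "vulnerabilityName": "Sophos Firewall Authentication Bypass Vulnerability",
            "dateAdded": "2022-03-25",
            "shortDescription": "Authentication bypass leading to remote code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-04-15",
        },
        {
            "cveID": "CVE-2022-1096",
            "vendorProject": "Google",
            "product": "Chromium V8 Engine",
            "vulnerabilityName": "Google Chromium V8 Type Confusion Vulnerability",
            "dateAdded": "2022-03-28",
            "shortDescription": "Type confusion in V8.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-04-18",
        },
    ],
})

# Constructed asset inventory: what the organisation runs and who owns it.
INVENTORY = [
    {"asset": "fw-edge-01", "vendor": "sophos", "product": "Firewall", "owner": "netops"},
    {"asset": "laptop-fleet", "vendor": "Google", "product": "Chrome", "owner": "endpoint"},
    {"asset": "db-prod-02", "vendor": "Oracle", "product": "WebLogic", "owner": "dba"},
]

# KEV names products by upstream project (Chromium), inventories by the shipped
# product (Chrome). Map inventory names to substrings to look for in the catalog.
PRODUCT_ALIASES = {"chrome": ("chromium", "chrome")}


def _product_matches(kev_product, inv_product):
    """Case-insensitive substring match, widened by the alias table."""
    kev_product = kev_product.lower()
    needles = PRODUCT_ALIASES.get(inv_product.lower(), (inv_product.lower(),))
    return any(needle in kev_product for needle in needles)


def triage(kev_json, inventory, added_since, today):
    """Return catalog entries added on/after `added_since` (ISO date) that hit
    the inventory, ordered by CISA due date, with days remaining against `today`."""
    catalog = json.loads(kev_json)
    since = date.fromisoformat(added_since)
    now = date.fromisoformat(today)
    hits = []
    for vuln in catalog["vulnerabilities"]:
        if date.fromisoformat(vuln["dateAdded"]) < since:
            continue
        for asset in inventory:
            if asset["vendor"].lower() != vuln["vendorProject"].lower():
                continue
            if not _product_matches(vuln["product"], asset["product"]):
                continue
            due = date.fromisoformat(vuln["dueDate"])
            hits.append({
                "cve": vuln["cveID"],
                "asset": asset["asset"],
                "owner": asset["owner"],
                "due": vuln["dueDate"],
                "days_left": (due - now).days,
                "overdue": due < now,
            })
    hits.sort(key=lambda h: (h["due"], h["cve"]))
    return hits


if __name__ == "__main__":
    for h in triage(KEV_SAMPLE, INVENTORY, "2022-03-25", "2022-03-28"):
        status = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        print(f"{h['cve']}  {h['asset']:<14} owner={h['owner']:<9} due={h['due']}  {status}")
```

Against a live feed the same function runs unchanged on the downloaded JSON; the vendor and product matching is deliberately loose (case-insensitive, substring, alias table) because a miss here is a silent unpatched exposure, and a false hit only costs an analyst a glance.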
Sophos patches an RCE flaw
Sophos has patched an authentication bypass vulnerability (CVE-2022-1040) in the User Portal and Webadmin of its Sophos Firewall product that allows remote code execution. The flaw has received a CVSS score of 9.8 and affects Sophos Firewall v18.5 MR3 (18.5.3) and older.
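The Chrome and Sophos advisories above state their version boundary in different forms: Chrome is fixed from build 99.0.4844.84 upward, while Sophos Firewall is affected at v18.5 MR3 and older. The script below is an added example (not Sophos's, Google's or Cyware's code) that parses both formats and compares them numerically; comparing the strings lexically is the bug it is there to show, since "99.0.4844.9" sorts after "99.0.4844.84" as text. The names parse_version, compare_versions, needs_update, is_affected_up_to and naive_needs_update, and the build numbers fed to them in the demo, are this example's own.

```python
import re

# Leading optional "v", a dotted numeric build, then an optional Sophos-style
# maintenance-release suffix ("MR3" / "MR-3"). Anything after that is ignored,
# so "18.5 MR3 (18.5.3)" and "99.0.4844.84 (Official Build)" both parse.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*(?:mr-?(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Parse a vendor version string into a tuple of ints.

    Handles dotted builds such as Chrome's '99.0.4844.84' and Sophos
    Firewall's '18.5.3' / '18.5 MR3' / 'v18.5 MR-3'. A maintenance release is
    the third component, so '18.5 MR3' and '18.5.3' compare equal.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2) is not None and len(parts) == 2:
        parts.append(int(m.group(2)))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b; shorter tuples are zero-padded,
    so '18.5' (the GA build) is treated as 18.5.0 and sorts before 18.5 MR3."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def needs_update(installed, first_fixed):
    """Chrome-style advisory: the fix ships in `first_fixed`; older builds need it."""
    return compare_versions(installed, first_fixed) < 0


def is_affected_up_to(installed, last_affected):
    """Sophos-style advisory: `last_affected` and everything older is vulnerable."""
    return compare_versions(installed, last_affected) <= 0


def naive_needs_update(installed, first_fixed):
    """The pitfall: plain string comparison, which orders '9' after '84'."""
    return installed < first_fixed


if __name__ == "__main__":
    # Constructed build numbers for the demonstration.
    for installed in ("99.0.4844.74", "99.0.4844.84", "99.0.4844.9"):
        print(f"Chrome {installed:<14} needs 99.0.4844.84: "
              f"numeric={needs_update(installed, '99.0.4844.84')} "
              f"naive={naive_needs_update(installed, '99.0.4844.84')}")
    for installed in ("18.5", "v18.5 MR-3", "18.5 MR4", "19.0.0"):
        print(f"Sophos Firewall {installed:<11} affected by CVE-2022-1040: "
              f"{is_affected_up_to(installed, '18.5 MR3')}")
```

The point of the last Chrome line in the demo is the one that matters in a fleet report: a build ending in .9 is older than one ending in .84, yet a string sort puts it after the fix and silently drops it from the "needs update" list.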