Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 31, 2022
Amidst the ongoing geopolitical tension between Russia and Ukraine, researchers have revealed that threat actors from China, Iran, North Korea, and Russia are capitalizing on the situation to launch phishing and malware attacks against Eastern European and NATO countries. In separate news, the Hive ransomware gang has polished its obfuscation technique that involves the use of IPv4 addresses.
Meanwhile, a new unpatched Spring4Shell vulnerability in the Java Spring Framework has raised security concerns among organizations. The flaw appears to be a bypass for an old security issue in the framework. Additionally, QNAP has issued an advisory about an infinite loop vulnerability that affects specific versions of its NAS devices.
LEHB discloses a ransomware attack
Law Enforcement Health Benefits (LEHB) has disclosed a ransomware attack that occurred last year. According to the organization, attackers encrypted files on September 14, 2021. The affected files include the personal information of more than 85,000 users.
Hive targets PHC
The Hive ransomware gang has claimed to have stolen 850,000 PII records from Partnership HealthPlan of California (PHC). The stolen data includes names, social security numbers, and addresses of users. Around 400 GB of files stolen from the healthcare organization’s server have been posted on Hive’s dark web site.
Hive ransomware upgraded
The Hive ransomware gang is using a new IPfuscation tactic to hide its payload. The threat actors store 64-bit Windows executables as arrays of IPv4 address strings, which are converted back into bytes at runtime and eventually lead to the download of the Cobalt Strike Beacon. Besides IPv4 addresses, researchers also observed IPv6 addresses, UUIDs, and MAC addresses being used to obfuscate the executables.
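The IPfuscation technique above, worked through from the analyst's side as an added example (not code from the page or from the researchers who reported it): it packs the address-style literals back into bytes and flags a run that decodes to an MZ header. The sample literals are constructed, and the UUID byte order follows the Windows UuidFromStringA layout, which is an assumption about how such a loader converts the strings.

```python
"""Decode and triage IPfuscated payloads: runs of IPv4/IPv6/UUID/MAC string
literals that, packed back to bytes, form an executable. Defensive analysis
helper; the sample data below is constructed, not taken from a real sample."""
import ipaddress
import re
import uuid

# Constructed sample: the first 16 bytes of a PE header (MZ stub) as four
# dotted-quad literals. Real loaders hold thousands of such entries.
SAMPLE_IPV4 = ["77.90.144.0", "3.0.0.0", "4.0.0.0", "255.255.0.0"]

# Quoted dotted-quad literals as they appear in decompiler or strings output.
IPV4_RE = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})"')


def decode_token(token, kind):
    """Pack one obfuscated literal back into the raw bytes it encodes."""
    if kind == "ipv4":
        return ipaddress.IPv4Address(token).packed        # 4 bytes
    if kind == "ipv6":
        return ipaddress.IPv6Address(token).packed        # 16 bytes
    if kind == "uuid":
        # Windows UuidFromStringA stores the first three fields little-endian,
        # so the in-memory layout is bytes_le (assumption about the loader).
        return uuid.UUID(token).bytes_le                  # 16 bytes
    if kind == "mac":
        return bytes.fromhex(token.replace(":", "").replace("-", ""))  # 6 bytes
    raise ValueError(f"unknown literal kind: {kind}")


def decode_payload(tokens, kind="ipv4"):
    """Concatenate the decoded bytes of all literals, in array order."""
    return b"".join(decode_token(t, kind) for t in tokens)


def triage(blob):
    """Classify a decoded blob: 'pe' for an MZ header, 'unknown' otherwise."""
    return "pe" if blob[:2] == b"MZ" else "unknown"


def scan_source(text, min_run=4):
    """Extract quoted IPv4 literals from decompiled text and decode them.
    A long run of addresses that decodes to an MZ header is a strong
    IPfuscation indicator; short runs are normal and return None."""
    tokens = IPV4_RE.findall(text)
    if len(tokens) < min_run:
        return None
    blob = decode_payload(tokens, "ipv4")
    return {"count": len(tokens), "size": len(blob), "kind": triage(blob)}


if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_IPV4)
    print(decoded.hex(), triage(decoded))
```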
New wave of Remcos RAT campaign
A new wave of the Remcos RAT campaign, built around a payment remittance theme, has been observed by researchers. The emails appear to come from financial institutions and carry a malicious Excel file that starts the infection chain.
Lazarus’ trojanized application
A trojanized DeFi application associated with the Lazarus APT was used to deliver backdoor malware. While it is still unclear how the threat actor tricked the victim into executing the trojanized application, researchers suspect that it sent a spear-phishing email or contacted the victim through social media.
New Spring4Shell flaw
A zero-day RCE vulnerability affecting the Spring Core Java Framework has been disclosed by researchers. Called Spring4Shell, the flaw can be exploited to execute arbitrary code on the targeted system. While the vendor is yet to release a patch, a PoC exploit has been released by a Chinese security researcher. The flaw impacts Spring Core on JDK versions 9 and later.
QNAP warns about a flaw
QNAP warns that some of its NAS devices are impacted by an infinite loop vulnerability in the OpenSSL cryptographic library. Tracked as CVE-2022-0778, the flaw is triggered when parsing security certificates and can cause a denial-of-service condition or remotely crash unpatched devices. To date, there is no evidence that the vulnerability has been exploited in the wild.
Google releases Chrome 100
Google has released Chrome 100 that includes patches for 28 new vulnerabilities. Nine of these flaws are rated critical. They are tracked as CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1132, CVE-2022-1133, and CVE-2022-1134.
Vulnerabilities in ImpressCMS
Vulnerabilities in ImpressCMS could allow attackers to bypass the software’s SQL injection protections and achieve remote code execution on targeted systems. One of these flaws is tracked as CVE-2021-265599 and has been patched in the latest version of the CMS. The other flaw is an access control issue.
Phishing through Calendly
Towards the end of February, researchers detected a credential harvesting operation that abused Calendly. The attack made use of hijacked email accounts to send emails to recipients. The emails were sent with the subject line ‘new documents received.’ Once the recipients clicked on the ‘VIEW DOCUMENTS’ button, they were redirected to an invitation on a fake Calendly site managed by threat actors.
Geopolitical tension-related threats
Google researchers revealed that threat actors from China, Iran, North Korea, and Russia are capitalizing on the latest geopolitical conflict to launch phishing and malware attacks against Eastern European and NATO countries. They are sending emails with Ukraine war-related themes to target users with malicious links. In one such incident, the attackers impersonated military personnel to extort money for the purpose of rescuing relatives in Ukraine.