
Cyware Daily Threat Intelligence


Daily Threat Briefing Mar 31, 2022

Amidst the ongoing geopolitical tension between Russia and Ukraine, researchers have revealed that threat actors from China, Iran, North Korea, and Russia are capitalizing on the situation to launch phishing and malware attacks against Eastern European and NATO countries. In separate news, the Hive ransomware gang has polished its obfuscation technique that involves the use of IPv4 addresses.

Meanwhile, a new unpatched Spring4Shell vulnerability in Java Spring Framework has raised security concerns among organizations. The flaw appears to be a bypass for an old security issue in the framework. Additionally, QNAP has issued an advisory about an infinite loop vulnerability that affects specific versions of its NAS devices.

Top Breaches Reported in the Last 24 Hours

LEHB discloses a ransomware attack

Law Enforcement Health Benefits (LEHB) has disclosed a ransomware attack that occurred last year. According to the organization, attackers encrypted files on September 14, 2021. The affected files include the personal information of more than 85,000 users.

Hive targets PHC

The Hive ransomware gang has claimed to have stolen 850,000 PII records from Partnership HealthPlan of California (PHC). The stolen data includes names, social security numbers, and addresses of users. Around 400 GB of files stolen from the healthcare organization’s server have been posted on Hive’s dark web leak site.

Top Malware Reported in the Last 24 Hours

Hive ransomware upgraded

The Hive ransomware gang is using a new IPfuscation tactic to hide its payload. The threat actors encode 64-bit Windows executables as lists of IPv4 address strings; once decoded and run, the payload downloads a Cobalt Strike Beacon. Researchers also observed IPv6 addresses, UUIDs, and MAC addresses being used in place of IPv4 addresses to obfuscate the executables.
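As an added illustration of the IPfuscation technique described above (written for this page, not code from the briefing or from any research it summarises), the following Python script does the defender's side of the job: it pulls address-like strings out of a text blob such as `strings` output, decodes them back into bytes, and reports whether a run of them reassembles into a PE file header. It covers the IPv4 case and generalises to the IPv6, UUID and MAC variants the text mentions. All sample inputs are constructed; the assumption that UUID strings follow the Windows little-endian field layout is mine, not something the briefing states.

```python
"""Added example: recover bytes hidden in IPv4/IPv6/MAC/UUID strings and look for a PE header."""
import ipaddress
import re
import uuid

# Token pattern and decoded width (bytes per token) for each encoding the briefing names.
# IPv6 is matched in its full eight-group form only (an assumption made to keep the regex simple).
PATTERNS = {
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), 4),
    "ipv6": (re.compile(r"\b(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}\b"), 16),
    "mac": (re.compile(r"\b(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\b"), 6),
    "uuid": (re.compile(r"\b[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\b"), 16),
}


def decode_token(kind, token):
    """Turn one address-like string back into the raw bytes it encodes."""
    if kind == "ipv4":
        return ipaddress.IPv4Address(token).packed
    if kind == "ipv6":
        return ipaddress.IPv6Address(token).packed
    if kind == "mac":
        return bytes.fromhex(token.replace("-", ""))
    # Assumption: UUID strings were produced for the Windows UUID struct, whose first
    # three fields are little-endian in memory, so bytes_le reproduces the original bytes.
    return uuid.UUID(token).bytes_le


def recover_blobs(text, min_tokens=4):
    """Return {kind: decoded bytes} for each encoding with at least min_tokens valid tokens."""
    blobs = {}
    for kind, (pattern, _width) in PATTERNS.items():
        chunks = []
        for token in pattern.findall(text):
            try:
                chunks.append(decode_token(kind, token))
            except ValueError:
                continue  # e.g. an octet above 255: looks like an address but is not one
        if len(chunks) >= min_tokens:
            blobs[kind] = b"".join(chunks)
    return blobs


def find_pe_header(blob, width):
    """Offset of an 'MZ' signature that starts on a token boundary, or -1 if none."""
    off = blob.find(b"MZ")
    while off != -1:
        if off % width == 0:
            return off
        off = blob.find(b"MZ", off + 1)
    return -1


def scan(text, min_tokens=4):
    """Return [(kind, header offset, decoded length)] for encodings that hide a PE header."""
    hits = []
    for kind, blob in recover_blobs(text, min_tokens).items():
        off = find_pe_header(blob, PATTERNS[kind][1])
        if off != -1:
            hits.append((kind, off, len(blob)))
    return hits


# Constructed sample: strings as they might be pulled from a suspicious binary. The eight
# IPv4 addresses decode to the first 32 bytes of a DOS/PE header (4D 5A 90 00 03 00 ...).
SAMPLE_IPV4 = """
kernel32.dll
77.90.144.0
3.0.0.0
4.0.0.0
255.255.0.0
184.0.0.0
64.0.0.0
0.0.0.0
0.0.0.0
"""

# Constructed sample: the same 32 header bytes carried by two UUID strings, followed by
# two all-zero UUIDs, showing the generalisation to the UUID variant.
SAMPLE_UUID = """
00905a4d-0003-0000-0400-0000ffff0000
000000b8-0040-0000-0000-000000000000
00000000-0000-0000-0000-000000000000
00000000-0000-0000-0000-000000000000
"""

# Constructed benign sample: ordinary addresses in a config file must not alert.
SAMPLE_BENIGN = "listen 10.0.0.1\nupstream 192.168.1.5\ndns 8.8.8.8 1.1.1.1\n"

if __name__ == "__main__":
    for name, sample in [("ipv4", SAMPLE_IPV4), ("uuid", SAMPLE_UUID), ("benign", SAMPLE_BENIGN)]:
        print(name, scan(sample))
```

The `min_tokens` threshold and the boundary-aligned `MZ` check are what keep a version string or a handful of real addresses from triggering; on a real binary the threshold should be far higher, since a payload of any useful size encodes to hundreds of tokens, and that token count is itself a useful triage signal.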

New wave of Remcos RAT campaign

A new wave of the Remcos RAT campaign, themed around payment remittances, has been observed by researchers. The emails appear to come from financial institutions and carry a malicious Excel file that starts the infection chain.

Lazarus’ trojanized application

A trojanized DeFi application associated with the Lazarus APT was used to deliver backdoor malware. While it is still unclear how the threat actor tricked the victim into executing the trojanized application, researchers suspect that it sent a spear-phishing email or contacted the victim through social media.

Top Vulnerabilities Reported in the Last 24 Hours

New Spring4Shell flaw

A zero-day RCE vulnerability affecting the Spring Core Java Framework has been disclosed by researchers. Called Spring4Shell, the flaw can be exploited to execute arbitrary code on the targeted system. While no patch has been released yet, a PoC exploit has been published by a Chinese security researcher. The flaw impacts Spring Core on JDK versions 9 and later.

QNAP warns about a flaw

QNAP warns that some of its NAS devices are impacted by an infinite loop vulnerability in the OpenSSL cryptographic library. Tracked as CVE-2022-0778, the flaw arises when parsing security certificates and can trigger a denial-of-service condition or remotely crash unpatched devices. To date, there is no evidence that the vulnerability has been exploited in the wild.

Google releases Chrome 100

Google has released Chrome 100 that includes patches for 28 new vulnerabilities. Nine of these flaws are rated critical. They are tracked as CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1132, CVE-2022-1133, and CVE-2022-1134.

Vulnerabilities in ImpressCMS

Vulnerabilities in ImpressCMS could allow attackers to bypass the software’s SQL injection protections and achieve remote code execution on targeted systems. One of these flaws is tracked as CVE-2021-265599 and has been patched in the latest version of the CMS. The other flaw is an access control issue.

Top Scams Reported in the Last 24 Hours

Phishing through Calendly

Towards the end of February, researchers detected a credential harvesting operation that abused Calendly. The attack used hijacked email accounts to send messages with the subject line ‘new documents received.’ Once recipients clicked the ‘VIEW DOCUMENTS’ button, they were redirected to an invitation on a fake Calendly site managed by the threat actors.

New Threat in Spotlight

Geopolitical tension-related threats

Google researchers revealed that threat actors from China, Iran, North Korea, and Russia are capitalizing on the latest geopolitical conflict to launch phishing and malware attacks against Eastern European and NATO countries. They are sending emails with Ukraine war-related themes to target users with malicious links. In one such incident, the attackers impersonated military personnel to extort money for the purpose of rescuing relatives in Ukraine.
