We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing May 5, 2022

Active exploitation of unpatched vulnerabilities continues to explode as CISA sets a deadline for federal agencies to patch five new vulnerabilities added to its ‘Known Exploited Vulnerabilities’ catalog. Two of these flaws affect multiple Apple products. Amidst these vulnerability concerns, Avast and AVG have taken actions to patch two high-severity flaws that went undetected for more than a decade.

In other news, security experts are warning about a new fileless malware attack tactic that involves the use of Windows event logs. Adversaries are actively leveraging logs to stash and launch trojans on infected systems.

Top Breaches Reported in the Last 24 Hours

Heroku discloses a breach

Heroku acknowledged a security breach that occurred due to the compromise of OAuth tokens last month. This affected its internal customer database. As a precautionary measure, the firm has started performing forced password resets for a subset of its user accounts.

ElasticSearch server exposes data

An unprotected ElasticSearch server instance was found exposing around 5.8 GB of financial information about loans from Indian and African financial services. A total of 1,686,363 records containing personal information such as names, loan amounts, dates of birth, and account numbers were compromised in the incident.

Top Malware Reported in the Last 24 Hours

New updates on IssacWiper

Researchers have associated the recently discovered IssacWiper malware with the Sprite Spider threat actor group. The similarities are drawn based on the infrastructure deployed, including the subroutines responsible for error handling, heap memory allocation, and concurrency management.

New fileless malware attack tactic

Threat hunters have documented a fileless malware attack that abuses Windows event logs to stash and launch trojans in the last stage of the infection stage. The attack also employs Cobalt Strike Beacon, NetSPI, and various custom modules.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco patches several flaws

Cisco has released patches for several vulnerabilities affecting its Enterprise Network Function Virtualization Infrastructure Software (NFVIS). One of these is a critical vulnerability—tracked as CVE-2022-20777— that can be abused to escape guest virtual machine and inject commands at the root level or leak system data from the host.

CISA adds five exploited vulnerabilities

CISA’s Known Exploited Vulnerabilities catalog is updated with five new widely exploited vulnerabilities. These include Type Confusion vulnerabilities affecting multiple Apple products and use-after-free vulnerabilities affecting Microsoft Internet Explorer and Win32k.

Decade-old flaws discovered

Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products that went undetected for ten years. The flaws are tracked as CVE-2022-26522 and CVE-2022-26523. Both the flaws exist in Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The vulnerabilities have been patched by respective vendors.

F5 patches 43 vulnerabilities

F5 has issued patches for a total of 43 vulnerabilities affecting its products. The most severe one is tracked as CVE-2022-1388 and can be exploited to execute arbitrary system commands, disable services, or delete files. The vendor has addressed the flaws in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 of the product.

**A flaw patched in Snipe-IT **

Developers have patched a critical vulnerability in Snipe-IT that could be exploited to send users malicious password reset requests. Described as Server-Side Request Forgery (SSRF), the flaw is tracked as CVE-2022-23064 and has a CVSS score of 8.8.

New Threat in Spotlight

New threats from UNC2903 identified

Researchers from Mandiant have released a complete timeline of multi-phased attacks on cloud platforms. Launched by a threat actor named UNC2903, the attack leveraged the PoC for a previously disclosed SSRF vulnerability (CVE-2021-21311) that could be exploited to gain access to secret keys of targeted AWS applications and subsequently steal data.

Related Threat Briefings