Cyware Daily Threat Intelligence
Daily Threat Briefing • May 12, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Daily Threat Briefing • May 12, 2022
Iran’s APT34 (aka OilRig) group returns with an updated arsenal. Researchers discovered a new campaign against Jordanian officials, employing a new backdoor variant dubbed Saitama. The malware is written in .NET and uses the Base32 algorithm to encrypt data before sending it to C2 servers. There’s also an update on COBALT MIRAGE, another Iranian threat group, that is actively conducting ransomware operations in the U.S.
A long-lasting campaign aimed at WordPress sites is underway and owners must take every possible step to patch vulnerable plugins and themes. Research highlights that over 6,000 sites were infected with malicious scripts in April alone.
OilRig targets Jordanian government officials
OilRig APT group was sighted in a new attack campaign that targeted a government official from Jordan’s foreign ministry. The campaign leveraged phishing emails and malicious Excel documents to drop a new backdoor, named Saitama. The malware is written in .NET and uses the Base32 algorithm to encrypt data before sending it to C2 servers.
Malicious redirects spotted
Researchers have come across an ongoing campaign responsible for injecting malicious scripts into compromised WordPress sites. The campaign leverages known vulnerabilities in WordPress themes and plugins. As per researchers, the campaign had affected nearly 6,000 websites in April alone.
Intel announces patches
Intel has announced the release of security patches for multiple vulnerabilities found across its products. These include patches for a series of high-severity flaws in the BIOS firmware in several processor models. They are tracked as CVE-2021-0154, CVE-2021-0153, CVE-2021-33123, and CVE-2021-0190, and have a CVSS score of 8.2.
Konica Minolta fixes three flaws
Konica Minolta has issued patches and recommended mitigation measures following the discovery of three vulnerabilities in printers. The flaws—tracked as CVE-2022-29586, CVE-2022-29587, and CVE-2022-29588— can be exploited to gain root privileges to underlying operating systems. They can only be abused by attackers who have physical access to the printers.
HP patches UEFI flaws
HP has issued patches for two high-severity flaws impacting the UEFI firmware of more than 200 laptops, workstations, and other products. The two vulnerabilities are tracked as CVE-2021-3808 and CVE-2021-3809 and have a CVSS score of 8.8. The impacted products include numerous business notebooks, desktop PCs, retail Point-of-Sale devices, and thin client PCs.
Chrome 101 updated
Google has addressed 13 new vulnerabilities in Chrome 101. The most important of these is tracked as CVE-2022-1633 and is a use-after-free vulnerability. The latest iteration is available for Windows, Mac, and Linux systems.
Microsoft updates on ransomware families
Microsoft revealed that it discovered over 35 unique ransomware families and 250 unique threat actors last year. Most of these ransomware leveraged Cobalt Strike and several legitimate enterprise tools ( AnyDesk, Splashtop, and Teamviewer) to gain initial access and persistence on networks. Upon gaining access, most of the attackers create new backdoor user accounts to proceed with the infection chain process.
Update on COBALT MIRAGE’s attack
Researchers have shared new details about a lesser-known COBALT MIRAGE threat actor group. The gang has been held responsible for launching ransomware attacks across the U.S. The ransomware strains used in the campaign are BitLocker and DiskCryptor.