Cyware Daily Threat Intelligence
Daily Threat Briefing • May 15, 2023
Are you still operating on vulnerable Microsoft SQL (MS SQL) servers? Security researchers have taken the wraps off a new attack campaign using the CLR SqlShell malware. Patch if you haven't yet, as the malware can serve as a gateway for deploying cryptocurrency miners and ransomware. Speaking of malware, a new Ransomware-as-a-Service (RaaS) actor has debuted, joining the company of adversaries exploiting Linux and VMware ESXi systems. Leaked Babuk source code and the popularity of ESXi have made the VMware virtualization infrastructure tool an attractive target, the experts outline. The group was named MichaelKors.
On the vulnerability front, CISA has urged organizations to pay attention to a set of seven security holes, including the Ruckus product flaw that was being exploited by threat actors associated with the AndoryuBot botnet. There is one thing common to all these bugs: their connection to Linux hosts.
Daily newspaper suffers cyberattack
The Philadelphia Inquirer was hit with a cyberattack that disrupted its operations at a large scale and halted printing. The operational disruption would not impact news coverage of the election, but journalists may have to work from home or from a different location on election night, an official said. An investigation into the extent and specific targets of the attack is ongoing.
French transportation services expose customer data
The research team at Cybernews made a significant finding regarding a data breach in La Malle Postale's system, affecting 90,000 customers. The breach resulted in the exposure of personal data, including names, emails, phone numbers, private SMS communication, passwords, and employee credentials. Over 13,000 SMS messages exchanged between La Malle Postale and its customers were also exposed.
Cyberattack hits U.S. healthcare org
BrightSpring Health-owned PharMerica compromised the data of more than 5.8 million individuals owing to a third-party intrusion into its computer systems. The incident laid bare sensitive personal and medical data, including names, addresses, birth dates, SSNs, health insurance, and diagnostic information. The Money Message ransomware group appears to be behind the attack, as it was spotted leaking stolen PII and PHI of affected individuals.
Copy of BlackBit surfaces in Korea
ASEC's AhnLab disclosed the distribution of the LokiLocker ransomware in Korea, which bears a striking resemblance to the BlackBit ransomware. Firstly, both ransomware strains disguise themselves as svchost.exe, a legitimate Windows process, in order to blend in and evade detection. Additionally, they employ the same obfuscation tool, .NET Reactor. The ransom note and the icon of the infected files also share similarities.
Cracks and keygens distribute malware
AhnLab has uncovered yet another campaign dropping RecordBreaker Stealer, aka Raccoon Stealer V2, disguised as illegal software such as cracks and keygens. It utilizes various channels, including websites and YouTube, as the means of distribution. Users unknowingly download an infectious, password-protected ZIP file from the distribution site that eventually drops the malware. While the malware binary itself is small, the criminals have inflated its file size by inserting extraneous data.
Abusing SQL servers for infection
Poorly managed Microsoft SQL (MS SQL) servers are once again being targeted, this time in a campaign that aims to propagate the CLR SqlShell malware. Through it, cybercriminals can deploy additional payloads in the form of cryptocurrency miners, proxyware, and ransomware. The threat actors use CLR stored procedures to install the malware on MS SQL servers rather than the xp_cmdshell command, which sets this campaign apart from other malware targeting MS SQL servers.
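The two mechanisms named above, CLR stored procedures and xp_cmdshell, are both server-side configuration that administrators can audit. The T-SQL below is an added example written for this briefing; it is not code from Cyware or from the researchers who reported the campaign. It assumes a SQL Server 2016 or later instance (HASHBYTES on varbinary(max) needs 2016+), a login with sysadmin or VIEW SERVER STATE rights, and that the assembly queries are run in each user database, since sys.assemblies is database-scoped. The assembly names and hashes it returns are for comparison with whatever indicators your vendor publishes; none are included here.

```sql
-- Added audit script (not from the Cyware briefing or the original research).
-- Assumes SQL Server 2016+ and sysadmin / VIEW SERVER STATE privileges.

-- 1. Instance-wide: is the attack surface the campaign relies on enabled at all?
--    'clr enabled' must be 1 for any CLR stored procedure to run;
--    'xp_cmdshell' is the alternative OS-command path other MS SQL malware uses;
--    'clr strict security' (2017+) forces every assembly to be treated as UNSAFE
--    unless it is signed and trusted, so a value of 0 is a weakening to investigate.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'xp_cmdshell', 'clr strict security');

-- 2. Per database: user-defined CLR assemblies and the objects that wrap them.
--    Reaching the OS from managed code needs EXTERNAL_ACCESS or UNSAFE, so a
--    recently created user assembly with that permission set deserves a look.
SELECT a.name              AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       a.modify_date,
       o.name              AS object_name,
       o.type_desc
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS m ON m.assembly_id = a.assembly_id
LEFT JOIN sys.objects          AS o ON o.object_id   = m.object_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Per database: SHA-256 of each user assembly's stored bytes, for matching
--    against published indicators or against your own allow-list of deployed builds.
SELECT a.name AS assembly_name,
       f.name AS file_name,
       CONVERT(varchar(64), HASHBYTES('SHA2_256', f.content), 2) AS sha256
FROM sys.assemblies      AS a
JOIN sys.assembly_files  AS f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1;

-- 4. Hardening: turn xp_cmdshell off unless a documented job depends on it.
--    (Only the sysadmin role can change this; RECONFIGURE applies it immediately.)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Run sections 2 and 3 in every user database, not just master; an assembly dropped into an application database is invisible from master. Disabling 'clr enabled' outright is the stronger mitigation, but only after confirming no legitimate assemblies are in use, which is exactly what the section 2 listing tells you.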
New RaaS group emerges
Security firm CrowdStrike spotted that a new RaaS operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems. Researchers attribute the trend to the inherent design of ESXi, which does not support third-party agents or AV software. The popularity of ESXi as a widespread virtualization and management system is also a contributing factor to the surge in attacks.
New group drops custom implant and backdoor
A hacking group dubbed Lancefly was found targeting the government, aviation, education, and telecom sectors in South and Southeast Asia via the Merdoor backdoor. The custom implant has been in use since as early as 2018. The attack chains lead to the installation of Merdoor and an updated version of the ZXShell rootkit. How the actors gain initial access to vulnerable systems is currently unclear.
Multiple bugs added to KEV
CISA has added seven Linux and Linux-related flaws to its Known Exploited Vulnerabilities (KEV) catalog. These are CVE-2023-25717 (Ruckus AP remote code execution), CVE-2021-3560 (Red Hat Polkit privilege escalation), CVE-2014-0196 and CVE-2010-3904 (Linux kernel privilege escalations), CVE-2015-5317 (Jenkins UI information disclosure), CVE-2016-8735 (Apache Tomcat remote code execution), and CVE-2016-3427 (an Oracle Java SE and JRockit issue).