Cyware Daily Threat Intelligence
Daily Threat Briefing • May 16, 2022
NFTs are all the rage at this moment as netizens are fast adopting the trend. Threat actors are not left behind and are leveraging various tricks and tactics up their sleeves to steal money and credentials from unsuspecting users. In one such campaign, they are propagating the potent RedLine malware via fake Binance NFT mystery box bots.
Gone are the days when Discord was just a gaming messaging app; it is now regularly used by attackers to deliver malware. In the latest malicious use, the platform's CDN is being used to deploy the Syk Crypter, which drops multiple malware families onto users’ devices.
Malicious actors like hitting big targets, and Parker Hannifin ended up as one of the latest victims of the Conti ransomware gang. The group stole a large amount of sensitive data pertaining to the firm’s employees and their dependents.
Cobalt Mirage sent ransom notes to printers
Iran-based Cobalt Mirage, aka Charming Kitten, Phosphorus, and APT35, sent its ransom note to the printer of one of its victims, a U.S. philanthropic organization compromised in January. The note contained an email address and a Telegram account for discussing decryption and recovery. The threat actor exploited ProxyShell and other Microsoft Exchange vulnerabilities to gain remote access to the victim's accounts.
Parker Hannifin lost employee data
Fortune 500 company Parker Hannifin had to shut down its systems after an unauthorized third party breached its networks between March 11 and 14. Personal data—names, social security numbers, dates of birth, online credentials, home addresses, driver’s license numbers, passport numbers, and bank account details—of employees and their dependents was exposed. In some cases, the exfiltrated files also included dates of coverage and service, provider information, medical and clinical treatment information, and claims information. The breach was reportedly caused by the Conti ransomware group.
Anonymous leaked stolen data
The Anonymous collective claimed to have hacked several Russian organizations and government entities and leaked the stolen data on DDoSecrets. The organizations hacked include SOCAR Energoresource, Achinsk City Government, the Polar Branch of the Russian Federal Research Institute of Fisheries and Oceanography, and the Port and Railway Projects Service of JSC UMMC.
New Syk Crypter propagates via Discord
Morphisec disclosed that attackers are abusing Discord’s CDN with the new Syk Crypter to bypass signature- and behavior-based security controls. Apart from Syk Crypter, the attack chain includes a .NET loader known as DNetLoader. The crypter delivers multiple malware families, including njRAT, AsyncRAT, RedLine Stealer, QuasarRAT, NanoCoreRAT, and WarzoneRAT.
Fake Pixelmon NFT site
Threat actors have built a fake Pixelmon NFT site that lures fans with free collectibles and tokens while compromising their systems with malware that steals cryptocurrency wallets. The password-stealing malware, dubbed Vidar, connects to a Telegram channel to retrieve the IP address of its C2 server.
New RedLine malware campaign
A new campaign is promoting fake Binance NFT mystery box bots on YouTube to trick buyers into infecting themselves with the RedLine Stealer from GitHub repositories. The malware has been configured to exit if the host computer is located in Ukraine, Russia, Belarus, Azerbaijan, Armenia, Moldova, Kyrgyzstan, Tajikistan, Uzbekistan, or Kazakhstan.
Phishing campaign deploys three kinds of malware
A phishing campaign targeting Windows users is propagating three kinds of malware: BitRAT, AveMariaRAT, and the PandoraHNVC trojan. The phishing email pretends to come from a trusted source, and the malware steals usernames, passwords, and bank details, among other sensitive information.
Sysrv botnet targets Windows and Linux
A new variant of the Sysrv botnet, dubbed Sysrv-K, is now scanning WordPress and Spring Framework deployments for vulnerabilities to exploit. Its aim is to deliver a cryptominer to vulnerable Windows and Linux servers. Patches are available for all of the exploited flaws; the attackers are targeting old bugs in WordPress plugins along with newer ones, including CVE-2022-22947.
Threat actors exploit Zyxel flaw
Just a day after the disclosure of the flaw—CVE-2022-30525—in Zyxel firewalls, threat actors started exploiting it. Shadowserver detected almost 21,000 potentially affected firewalls located in Switzerland, Italy, the U.S., and France.
CISA removes buggy Windows update
A Windows LSA spoofing vulnerability, tracked as CVE-2022-26925, was removed by CISA from its Known Exploited Vulnerabilities Catalog after Microsoft warned that a recent update may cause issues on certain systems. The issue is authentication failure on domain controllers, including failures on servers or clients for services such as NPS, RRAS, RADIUS, EAP, and PEAP.