Cyware Daily Threat Intelligence
Daily Threat Briefing • May 23, 2023
Security experts are warning about an easy-to-weaponize vulnerability affecting a range of Zyxel firewalls. Roughly 42,000 Zyxel web interfaces are exposed to the internet, a figure that does not include vulnerable VPN implementations, so the real count is higher still. Moving on. A cryptocurrency phishing and scam service known as Inferno Drainer has made headlines for pilfering more than $5.9 million worth of assets from roughly 5,000 individuals. The scale and impact of the operation underline the urgent need to combat cryptocurrency-related scams.
A number of malware strains have been reported by security researchers at ASEC. Cybercriminals were found propagating DarkCloud, ClipBanker, and StrelaStealer in two separate email campaigns, with StrelaStealer aimed at Spanish users.
Hospital targeted by Royal Ransomware
Clarke County Hospital, Iowa, disclosed that it experienced a ransomware attack after security researchers found its stolen data on the leak site of the Royal ransomware gang. Though the hospital did not explicitly confirm Royal's involvement, it did disclose that the attack knocked all of its network access offline. The leak may have exposed patients' personal data and medical records, such as health insurance information, medical record numbers, and diagnostic information.
Operation disrupted at motorcycle manufacturing firm
Following a cyberattack, the Indian manufacturing plant that produces Suzuki motorcycles has been forced to halt operations. In light of the incident, the company has postponed its annual supplier conference, originally scheduled to begin this week. Production at the plant remains suspended, with an estimated loss of roughly 20,000 vehicles.
WINTAPIX in the Middle East
An unidentified threat actor has been observed using a malicious Windows kernel driver in targeted attacks, primarily against organizations in the Middle East. Fortinet researchers have dubbed the artifact WINTAPIX (WinTapix.sys). Because the driver runs with kernel privileges, the attacker can do anything from tampering with critical security mechanisms to executing arbitrary code on the host.
Spam email spreads DarkCloud and ClipBanker
AhnLab's ASEC discovered a spam email campaign distributing the DarkCloud info-stealer. The email urges recipients to review an attached payment statement that purportedly relates to their company account. Alongside DarkCloud, the threat actor installs ClipBanker, a clipper that swaps a cryptocurrency wallet address copied to the clipboard for the threat actor's own address, so that funds go to the attacker when the victim pastes it into a transaction.
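The clipboard swap described above, as an added illustration that is not ClipBanker's code or part of AhnLab's analysis: the first function shows the decision a clipper makes on every clipboard update (leave ordinary text alone, replace a recognised wallet address with one of the same family), and the second shows the corresponding check an endpoint tool or user can run over copy/paste pairs. The set of address formats, the similarity of the check to any real product, and every address below are assumptions and constructed placeholders, not real wallets.

```python
import re
from typing import Optional

# Address formats a clipper commonly watches for. Assumed for this example; the
# briefing does not say which currencies ClipBanker targets.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed, syntactically valid placeholder addresses standing in for the
# attacker's wallets (not real addresses).
ATTACKER_ADDRESSES = {
    "btc_legacy": "1" + "A" * 33,
    "btc_bech32": "bc1" + "q" * 39,
    "eth": "0x" + "a" * 40,
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None if it is not an address."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def clipper_swap(clipboard_text: str) -> str:
    """What a clipper does on each clipboard update: non-address text is returned
    untouched; a recognised address is replaced with the attacker's address of the
    same family, so the victim pastes the wrong destination without noticing."""
    family = classify_address(clipboard_text)
    if family is None:
        return clipboard_text
    return ATTACKER_ADDRESSES[family]


def detect_swaps(events):
    """Defensive check over (copied, pasted) pairs: flag any pair where both strings
    parse as wallet addresses but differ. Returns the indices of offending pairs."""
    flagged = []
    for i, (copied, pasted) in enumerate(events):
        if (classify_address(copied) and classify_address(pasted)
                and copied.strip() != pasted.strip()):
            flagged.append(i)
    return flagged


def demo():
    """Constructed copy/paste trace: one note, one swapped ETH address, one untouched BTC address."""
    user_eth = "0x" + "b" * 40          # constructed victim address
    user_btc = "1" + "B" * 33           # constructed victim address
    events = [
        ("meeting notes", clipper_swap("meeting notes")),  # not an address, untouched
        (user_eth, clipper_swap(user_eth)),                  # swapped by the clipper
        (user_btc, user_btc),                                # clean machine, untouched
    ]
    return detect_swaps(events)


if __name__ == "__main__":
    print(demo())  # [1]
```

The practical lesson is the one the check encodes: a wallet address must be compared after pasting, not before, because the clipper acts between copy and paste.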
StrelaStealer targets Spanish users
Another team from the same firm spotted a phishing email, again themed around payment fees, that targets Spanish users with the StrelaStealer info-stealer. StrelaStealer, first identified in November 2022, steals account credentials from email clients including Thunderbird and Outlook.
Zyxel flaw can be abused, PoC out
Rapid7 researchers warn that a recently patched command injection flaw in several Zyxel firewall lines could be exploited in real-world attacks. The flaw, tracked as CVE-2023-28771, affects some firmware versions of Zyxel ATP, USG FLEX, and VPN firewalls, as well as ZyWALL/USG gateways and firewalls. The researchers have published a technical analysis and a Proof-of-Concept (PoC) script that demonstrates the vulnerability and yields a reverse root shell. With a public PoC available, any affected device reachable from the internet should be updated without delay.
Samsung patches spy bug
Samsung patched a security hole that Spanish spyware vendor Variston abused to implant surveillance malware on targeted devices in the UAE. Variston's exploit chain leverages multiple zero-days that Samsung, Google, and chipmaker Arm have since fixed. The Samsung flaw allowed attackers to defeat Android's Address Space Layout Randomization (ASLR), the defense that randomizes where system executables are placed in memory and that exploits must bypass before they can reliably redirect execution.
Inferno Drainer drains nearly 6 million
Security analysts at Scam Sniffer exposed Inferno Drainer, a crypto phishing and scam service that swindled about $5.9 million worth of cryptocurrency from 4,888 victims. It reportedly created over 689 counterfeit websites since March 27, 2023, impersonating 229 prominent brands including Pepe, Bob, Collab.Land, MetaMask, OpenSea, and LayerZero.
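Counterfeit sites of this kind live on hostnames built around the brand they imitate. As an added example that is not from Scam Sniffer or the original briefing, the Python below applies two cheap checks that catch the common shapes of brand impersonation in a hostname: the brand name embedded in a domain the brand does not own (including the brand's real domain used as a subdomain), and a near-miss spelling of the brand as the registrable label. The brand names come from the briefing; the legitimate domains, the similarity threshold, and the sample hostnames are assumptions and constructed data, and the registrable-domain logic is deliberately simplified.

```python
from difflib import SequenceMatcher
from typing import Optional

# Brand names come from the briefing. The legitimate registrable domains beside them
# are an assumption for this example; in practice take them from an allowlist you own.
LEGIT_DOMAINS = {
    "metamask": {"metamask.io"},
    "opensea": {"opensea.io"},
    "layerzero": {"layerzero.network"},
    "collab.land": {"collab.land"},
}
ALL_LEGIT = set().union(*LEGIT_DOMAINS.values())
LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off for the similarity ratio


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix list in production code."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_host(host: str) -> Optional[str]:
    """Return a reason string if the host looks like brand impersonation, else None."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in ALL_LEGIT:
        return None  # the brand's own domain, or a subdomain of it
    squashed = host.replace("-", "").replace(".", "")
    lead = reg.split(".")[0]
    for brand in LEGIT_DOMAINS:
        token = brand.replace(".", "")
        # 1) brand name embedded in a domain the brand does not own
        #    (catches metamask-airdrop.xyz and opensea.io.claim-rewards.xyz)
        if token in squashed:
            return f"{brand}: brand name inside non-brand domain {reg}"
        # 2) near-miss spelling of the brand as the registrable label (typosquat)
        if SequenceMatcher(None, token, lead).ratio() >= LOOKALIKE_THRESHOLD:
            return f"{brand}: lookalike label {lead!r} in {reg}"
    return None


def scan(hosts):
    """Run check_host over a batch and return only the flagged (host, reason) pairs."""
    return [(h, r) for h in hosts if (r := check_host(h))]


if __name__ == "__main__":
    # Constructed sample hostnames; none are real Inferno Drainer infrastructure.
    samples = [
        "metamask.io",
        "app.opensea.io",
        "metamask-airdrop.xyz",
        "opensea.io.claim-rewards.xyz",
        "metamsk.io",
        "example.org",
    ]
    for host, reason in scan(samples):
        print(host, "->", reason)
```

Checks like these are a first filter for newly registered domains or proxy logs; they do not replace reputation data, and the threshold should be tuned against your own false-positive rate.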