
Cyware Daily Threat Intelligence


Daily Threat Briefing May 23, 2023

Security experts are warning against an easy-to-weaponize security vulnerability affecting a variety of Zyxel firewalls. Approximately 42,000 Zyxel web interfaces are exposed to the internet, a figure that excludes vulnerable VPN implementations, so the true count is higher still. Moving on, a cryptocurrency phishing and scam service known as Inferno Drainer has made headlines for pilfering more than $5.9 million worth of assets from roughly 5,000 individuals. The extensive scope and impact of the operation highlight the urgent need to combat cryptocurrency-related scams.

A number of malware strains have been reported by security researchers at ASEC. Cybercriminals were found propagating DarkCloud, ClipBanker, and StrelaStealer malware in two separate email campaigns. StrelaStealer is being used against Spanish users.

Top Breaches Reported in the Last 24 Hours

Hospital targeted by Royal Ransomware

Clarke County Hospital, Iowa, disclosed that it experienced a ransomware attack after security researchers stumbled across its stolen data on the leak site of Royal ransomware. Though the hospital did not explicitly confirm the involvement of Royal ransomware, it did disclose that the attack knocked all its network access offline. The leak may have affected patients’ personal data and medical records, such as health insurance information, medical record numbers, and diagnostic information of visitors.

Operation disrupted at motorcycle manufacturing firm

Following a cyberattack, the Indian manufacturing plant responsible for producing Suzuki motorcycles has been compelled to cease operations. In light of the incident, the company has postponed its annual supplier conference, originally scheduled to commence this week. The operations at the manufacturing plant have been temporarily suspended, resulting in an approximate production loss of 20,000 vehicles.

Top Malware Reported in the Last 24 Hours

WINTAPIX in the Middle East

An unidentified threat actor group has been observed employing a malicious Windows kernel driver in targeted attacks, primarily focusing on the Middle East region. Fortinet security experts have dubbed the artifact WINTAPIX (WinTapix.sys). Using kernel privileges, an attacker can perform various operations ranging from manipulation of critical security mechanisms to arbitrary code execution.

Spam email spreads DarkCloud and ClipBanker

ASEC’s AhnLab discovered a spam email campaign that distributes the DarkCloud info-stealer malware. The email contents urge recipients to review the attached payment statement, which purportedly pertains to their company account. Additionally, the threat actor installs ClipBanker on infected devices, which replaces a user’s copied wallet address with the threat actor’s wallet address.
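The clipboard-swap behaviour described above is a generic clipper technique, and the observable it leaves behind on the endpoint is a wallet address that changes into a different address of the same format almost immediately after it was copied. The following Python script is an added example, not code from the original briefing or from ASEC/AhnLab, and it does not model ClipBanker's actual implementation; it shows a defender-side heuristic that scans a time-ordered clipboard history (here a constructed sample list, not real telemetry) and flags such near-instant same-format replacements. The address regexes, the five-second window and the sample events are all assumptions chosen for the illustration.

```python
import re
from datetime import datetime, timedelta

# Heuristic wallet-address formats (constructed for this example; not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return which address family a clipboard string resembles, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_clipper_swaps(events, window_seconds=5):
    """Scan a time-ordered list of (timestamp, clipboard_text) snapshots.

    A clipper overwrites a copied wallet address almost immediately, so the
    heuristic flags any address that is followed, within window_seconds, by a
    *different* address of the same family. Returns a list of alert dicts.
    """
    alerts = []
    prev_ts = prev_text = prev_family = None
    for ts, text in events:
        family = classify(text)
        if (family is not None
                and family == prev_family
                and text.strip() != prev_text.strip()
                and ts - prev_ts <= timedelta(seconds=window_seconds)):
            alerts.append({
                "family": family,
                "original": prev_text.strip(),
                "replacement": text.strip(),
                "delay_seconds": (ts - prev_ts).total_seconds(),
            })
        prev_ts, prev_text, prev_family = ts, text, family
    return alerts


# Constructed clipboard history (not real telemetry): the user copies an ETH
# address, a simulated clipper overwrites it 300 ms later, and ordinary copy
# activity follows. The two BTC addresses are a minute apart, so they are not
# treated as a swap.
T0 = datetime(2023, 5, 23, 10, 0, 0)
USER_ETH = "0x" + "ab" * 20          # placeholder address, constructed
ATTACKER_ETH = "0x" + "cd" * 20      # placeholder address, constructed
SAMPLE_EVENTS = [
    (T0, USER_ETH),
    (T0 + timedelta(milliseconds=300), ATTACKER_ETH),                      # swap
    (T0 + timedelta(seconds=20), "invoice #4521 payment statement"),
    (T0 + timedelta(seconds=40), "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (T0 + timedelta(seconds=100), "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # legitimate
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints a single alert for the ETH swap. In practice the events would come from an EDR clipboard-monitoring feed; the window should be tuned to the polling interval of the monitor, and a user who deliberately copies two different addresses within a few seconds will produce a false positive that an analyst has to triage.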

StrelaStealer targets Spanish users

A security team from the same firm spotted another phishing email, this one themed around payment fees, that targets Spanish users with the StrelaStealer info-stealer. StrelaStealer, first identified in November 2022, is capable of stealing user account credentials from email clients including Thunderbird and Outlook.

Top Vulnerabilities Reported in the Last 24 Hours

Zyxel flaw can be abused, PoC out

A recently patched command injection flaw in various Zyxel firewalls could be exploited in real-world attacks, stated Rapid7 researchers. The flaw, identified as CVE-2023-28771, affects some versions of Zyxel ATP, USG FLEX, and VPN firewalls and Zyxel ZyWALL/USG gateways and firewalls. Moreover, the researchers have shared a technical analysis and a Proof-of-Concept (PoC) script that demonstrates the vulnerability and enables the execution of a reverse root shell.

Samsung patches spy bug

Samsung patched a security hole that was being abused by Spanish spyware vendor Variston to implant surveillance malware on targeted devices in the UAE. The exploit chain developed by the vendor leverages multiple zero-days that were already fixed by Samsung, Google, and chipmaker ARM. The flaw allowed attackers to overcome Android's address space layout randomization security feature, which randomizes the location of system executables in memory.

Top Scams Reported in the Last 24 Hours

Inferno Drainer drains nearly $6 million

Security analysts at Scam Sniffer exposed Inferno Drainer, a crypto phishing and scam service that swindled about $5.9 million worth of cryptocurrencies from 4,888 victims. It reportedly crafted over 689 counterfeit websites since March 27, 2023. The fraudulent websites created by the scammers impersonated 229 prominent brands, including Pepe, Bob, Collab.Land, MetaMask, OpenSea, and LayerZero.
