Cyware Daily Threat Intelligence

Daily Threat Briefing • May 26, 2021
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Daily Threat Briefing • May 26, 2021
The underground exploit market has just become stronger with the discovery of two new exploit techniques named Evil Annotation and Sneaky Signature that can be used to tamper with the content of digitally signed PDFs. The most worrying part is that 24 of the 26 popular PDF tools have been found to be vulnerable to these techniques.
Another serious case of the Rowhammer attack has come to the notice of a bunch of academics. Dubbed Half-Double, the new variant works on newer DRAM chips, enabling anyone to take full control over systems and manipulate data stored in memory.
Meanwhile, the TeamTNT threat actor group’s fondness for Kubernetes clusters has reached a new level. As per the recent report, nearly 50,000 IPs have been found to be compromised by the attackers, between March to May, this year.
Top Breaches Reported in the Last 24 Hours
Belgium Interior ministry targeted
The Belgian Interior ministry was the target of a 2019 cyberespionage campaign that was uncovered this March. Federal authorities had launched an investigation to identify the origin of the operation, which data had been hacked, and whether a foreign state was involved.
Hospital’s data exposed
Hackers who targeted hospitals in New Zealand’s Waikato district have released private patient information to media outlets. The attack took place last week, following which the hospitals saw unauthorized access to documents containing names, phone numbers, and addresses of patients and staff.
RMCHCS impacted
Rehoboth Mckinley Christian Health Care Services (RMCHCS) reported a data breach impacting around 200,000 patients and employees. Investigation revealed that threat actors had gained unauthorized access to certain systems that contained patient information between January 21 and February 5.
New details on Kubernetes attack
New details reveal that the TeamTNT hacking group has targeted close to 50,000 IPs in a lesser-known worm-like attack between March and May. Most of the compromised Kubernetes nodes are from China and the U.S.
Top Malware Reported in the Last 24 Hours
SolarMarker backdoor
Researchers have spotted a new cyberespionage campaign in which SolarMarker backdoor pretends to be a legit PDFescape Installer to bypass security solutions. Upon execution, it deploys a fake clean installer named PDFescape_Desktop_Installer.exe.
Top Vulnerabilities Reported in the Last 24 Hours
New exploits discovered
New exploits, dubbed Evil Annotation and Sneaky Signature, can be weaponized against certified PDFs to alter arbitrary content. Researchers tested the exploits on 26 popular PDF tools and found 24 of them vulnerable to either one or both the flaws.
A new variant of Rowhammer
Security experts from Google have demonstrated yet another variant of the Rowhammer attack that bypasses all security defenses to tamper with data stored in memory. Dubbed Half-Double, the new technique capitalizes on newer DRAM chips to alter the contents of memory.
Chrome 91 updated
Google has released a stable version of Chrome 91 with patches for a total of 32 vulnerabilities. Eight of these flaws are rated high-severity, while another eight are medium severity flaws and five low-severity holes. The most important of these is CVE-2021-30251, a heap buffer overflow in Autofill.
VMware rolls out patches
VMware has rolled out patches to address a critical security vulnerability in the vCenter Server. Tracked as CVE-2021-21985, the issue stems from a lack of input validation in the Virtual SAN Health Check plugin. It can allow an adversary to execute arbitrary code on a vulnerable server.
Pulse Secure fixes a REC flaw
Pulse Secure has issued a workaround for a critical remote code execution vulnerability found in its Pulse Connect Secure VPNs. Identified as CVE-2021-22908 and rated with a CVSS score of 8.5, the flaw can allow a remote attacker to execute code as a user with root privileges.