Cyware Daily Threat Intelligence

Daily Threat Briefing • November 9, 2022
Reported in the past 24 hours is Cloud9, a new botnet that doubles as an infostealer. Targeting Chromium-based web browsers, including Chrome and Edge, the malware lets unauthenticated operators execute commands remotely. It spreads via a browser extension made up of three JavaScript files and incorporates a clipper module. Meanwhile, a trio of vulnerabilities was spotted in Samsung phones. The exploit chain against these bugs has reportedly been developed by a commercial surveillance vendor, aka spyware provider.
Security experts also released a detailed analysis of the new version of IceXLoader malware dropper. The study revealed that the adversaries have been targeting a mix of private home PCs and corporate systems.
Mississippi election websites offline
A major DDoS attack crippled several Mississippi state websites while the midterm election was underway, knocking the targeted sites offline. A pro-Russian hacking group claimed responsibility for the attack in a Telegram post. Authorities clarified that the election system was not affected and remained secure.
New ‘Cloud9’ botnet RAT
A highly capable Chrome browser-based botnet was discovered in the wild. Named Cloud9, it attempts to record keystrokes, steal user credentials, mine cryptocurrency, inject malicious JS code and ads, perform DDoS attacks, and much more. The malicious extension is distributed via unofficial channels and websites that advertise fake Adobe Flash Player updates.
New IceXLoader version 3.3.3
Researchers at FortiGuard Labs studied a commercial malware loader known as IceXLoader. Such commercial malware is often used to download and deploy additional malware on infected machines. First seen in June, the highly obfuscated dropper v3.3.3 is written in the Nim programming language. Researchers also found a SQLite database containing thousands of victim records.
Zero-day abuse in Samsung phones
Google Project Zero disclosed that three bugs in Samsung phones were exploited by a spyware vendor while they were still zero-days. The flaws, identified as CVE-2021-25337, CVE-2021-25369, and CVE-2021-25370, could be chained and exploited against Android-based Samsung phones.
Microsoft Patch Tuesday details
Microsoft released 68 patches for vulnerabilities across its products, including six actively exploited Windows bugs. The set comprises 27 elevation of privilege, four security feature bypass, 16 RCE, 11 information exposure, six DoS, and three spoofing bugs. The tech giant classified one flaw as a zero-day for which no official fix is yet available.
Intel and AMD Patch Tuesday
Intel released 24 new advisories covering more than 50 flaws across its products. Meanwhile, AMD issued fixes for a total of 10 flaws through four advisories. Seven of Intel's advisories concern high-severity privilege escalation flaws. Some Intel devices were found susceptible to RingHopper attacks.
Missing Authorization bug in Blog2Social
The Wordfence Threat Intelligence team disclosed a missing authorization vulnerability in Blog2Social, a popular WordPress plugin. Versions 6.9.11 and earlier are affected. The flaw could be abused by a user with minimal permissions to alter the plugin's settings.
VMware fixes multiple critical bugs
Three security holes in VMware's Workspace ONE Assist solution expose users to threats such as authentication bypass and privilege elevation to admin. The bugs are tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687; all were rated 9.8/10 on the CVSS scale.
Citrix received updates for three flaws
Citrix has addressed an authentication bypass flaw (CVE-2022-27510), an insufficient verification of data authenticity flaw (CVE-2022-27513), and a user login brute force protection functionality bypass flaw (CVE-2022-27516) in its recent round of updates.
The critical authentication bypass vulnerability affects Citrix ADC and Citrix Gateway.