We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Oct 13, 2022

Meet YoWhatsApp! The fake WhatsApp version has come to the notice of researchers as it carries a malware strain capable of gaining control over users’ WhatsApp accounts. Users need to beware of ads on Snaptube and Vidmate as hackers use those platforms to disseminate the infected application. Speaking of malware, a banking malware variant is being propagated through voice phishing campaigns. Hackers are using the Telephone-Oriented Attack Delivery (TOAD) technique to target Android users with the Copybara Android banking malware.

Besides, a new threat cluster is making waves in the Middle East and Asia. Identified as WIP19, the group members target IT and telecom companies. Threat actors exploited a stolen certificate to sign their novel malware.

Top Breaches Reported in the Last 24 Hours

Over 100 million washed away

Hackers drained off more than $100 million in a flash loan attack from Mango Markets, a cryptocurrency trading platform. Using two accounts, they manipulated the price of the MNGO coin and inflated it by as much as five to ten times the original price on various exchange platforms within a few minutes. Authentic users may face difficulty in withdrawing any assets in the aftermath of the hack.

Attacks against Telecom and IT firms

WIP19, a new threat group, has been observed cyberattacking telecommunications and IT service providers in the Middle East and Asia. Researchers discovered some overlap with Operation Shadow Force, a malware group, but also outline the use of new malware and techniques. The members used a stolen digital certificate—issued by a DEEPSoft—to sign malicious components.

Top Malware Reported in the Last 24 Hours

YoWhatsApp drops Triada

A malicious version of the popular WhatsApp messaging app was found dropping an Android trojan known as Triada. Named YoWhatsApp, the unofficial app offers the ability to lock chats, send texts to unsaved numbers, and customize using different themes. It is spread to users via fraudulent ads on Snaptube and Vidmate. Meanwhile, the malware aims to steal the keys to take over users’ WhatsApp accounts.

QBot infects 800 corporate users

Kaspersky revealed that QBot has been quite active of late as it observed around 1,800 malware infections worldwide between September 28 and October 7. Among those, approximately 800 were corporate users. The majority of victims have been spotted in the U.S., Italy, India, and Germany. QBot can steal email archives and use the stolen emails to target even more users.

New Android malware steals banking credentials

Researchers at ThreatFabric uncovered an Android banking malware attack phishing users for their contact details and sensitive banking data. The malware, dubbed Copybara, can extract usernames and passwords for multiple banking accounts. The attack begins with an SMS phishing message purported to arrive from an online bank. The link enclosed in the message redirects users to the fake bank site to steal credentials.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerability in Siemens PLC

Team82, formerly known as The Claroty, reported a high-severity bug (CVE-2022-38465), in Siemens SIMATIC PLC that could be abused to retrieve hardcoded, global private cryptographic keys and take control of the devices. The stolen keys can let hackers execute several advanced attacks against Siemens SIMATIC devices and the related Totally Integrated Automation (TIA) Portal, while also bypassing its four-level protections.

**npm timing attack **

Aqua Security's threat research team noted an npm timing attack that blurts out the names of private packages to threat actors who can, in turn, release typosquatted packages publicly to mislead developers into using them. The attack uses that gap of a few hundred milliseconds between the return of a "404 Not Found" error when searching for a private or non-existent package in the repository.

Palo Alto Networks and Aruba Network announce patches

Palo Alto Networks warned its customers about a critical authentication bypass flaw in the web interface of its PAN-OS 8.1 software. The flaw, identified as CVE-2022-0030, can be exploited to perform privileged actions. Also, a duo of authentication bypass flaws has surfaced in Aruba’s EdgeConnect Enterprise Orchestrator product. These are tracked as CVE-2022-37913 and CVE-2022-37914.

Related Threat Briefings