Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 17, 2022
Targeting IT and OT environments has lately been one of the top priorities of threat actors. A new, powerful UEFI rootkit has surfaced on a darknet marketplace and poses a major threat across those environments. Meanwhile, researchers spotted a new phishing campaign by the operators behind Ducktail, who were observed dropping a never-before-seen Windows-based info-stealer to harvest Facebook credentials, browser data, and cryptocurrency wallets.
Furthermore, the cyber landscape learned about two new ransomware variants over the weekend. The one named Prestige has launched attacks against the transportation and logistics sector in Poland and Ukraine. The other, named Venus, targets publicly exposed Remote Desktop services.
Woolworths-owned retailer suffers breach
MyDeal, a subsidiary of Woolworths Group, confirmed that hackers exposed the personal data of 2.2 million users of the online marketplace. The incident occurred after an unauthorized user infiltrated its network via compromised credentials. For nearly 1.2 million of the affected customers, the breach exposed only their email addresses. For the rest, personal records, including email addresses, names, home addresses, dates of birth, and contact numbers, were exposed.
Lockbit hits Japanese tech firm
The LockBit 3.0 ransomware group has claimed a new victim: Oomiya, a microelectronics design and manufacturing firm in Japan. If the company doesn’t pay the ransom, the group may leak the data by October 20, 2022. The attack has impacted several supply chains across the manufacturing, semiconductor, communications, automotive, and healthcare sectors.
Government institutions crippled in Bulgaria
The websites of the Bulgarian presidency and several other government ministries were targeted by a major DDoS attack. Other victims of the attack campaign include the Internal Affairs Ministry, the Defence Ministry, the Constitutional Court, and the Justice Ministry. The attack originated from Magnitogorsk, Russia. Local authorities reportedly identified at least one person involved in the attack.
Black Lotus - the new UEFI Windows rootkit tool
A cybersecurity veteran drew attention with a recent disclosure of a powerful, persistent Windows rootkit, dubbed Black Lotus, being offered on underground marketplaces. Written in Assembly and C, the toolkit is 80 KB in size, boasts geofencing capabilities, and avoids targeting countries in the CIS region. It is available for sale at $5,000, with $200 charged per new version with added capabilities.
Prestige ransomware enters Ukraine and Poland
Microsoft Threat Intelligence Center discovered a new ransomware attack campaign directed at transportation and logistics entities in Ukraine and Poland. For now, researchers have attributed the infections to an unnamed cluster, DEV-0960. The initial access method is also still unknown.
Ducktail attackers replace malware tool
A newly launched phishing campaign by Ducktail operators is spreading malware via fake lures for games, subtitle files, adult videos, and cracked MS Office applications. The info-stealer, written in PHP, focuses on stealing Facebook account data and any valuable information stored in users’ accounts. Under certain conditions, it can siphon off payment information, payment cycles, amounts spent, user details, verification status, PayPal address, owned pages, and more.
Venus ransomware appears against Windows devices
MalwareHunterTeam uncovered a new malware strain, Venus, that abuses publicly exposed Remote Desktop services to compromise and encrypt Windows systems. The ransomware is capable of terminating at least thirty-nine processes associated with database servers and MS Office applications.
Patch issued for Zimbra bug
Zimbra issued a fix to mitigate attacks that surged after reports of a security vulnerability in its enterprise collaboration suite. Identified as CVE-2022-41352, with a CVSS score of 9.8, the bug lets an attacker upload arbitrary files to vulnerable instances. The Zimbra Collaboration Suite was hit by the zero-day and remained unpatched for nearly 1.5 months.
Fraudsters lure Amazon customers
Amazon officials clarified that some of their customers have been receiving texts urging them to follow a malicious link that will purportedly secure their accounts. In one instance, the scam text read: “We detected a login into your account from a new device on 27/09/2022 at 15:10:08 UTC. If this wasn’t you, you can terminate that session via [https://checkup-amazon.com].”