Cyware Daily Threat Intelligence
Daily Threat Briefing • Oct 25, 2022
More than three million dollars' worth of credit card data belonging to Americans has been stolen via Point-of-Sale (POS) systems. The incident, which affected more than 167,000 credit cards, involved the MajikPOS and Treasure Hunter malware. Both infect Windows POS terminals and steal card data as soon as it is read and stored in plain text in memory. Moreover, critical bugs were found in Atlassian's Jira infrastructure. Successful abuse of these can harm enterprise-product users through privilege escalation, leakage of Atlassian cloud credentials, and more.
Besides, Apple has issued updates to remediate a zero-day in iOS and iPadOS that attackers have been exploiting in the wild since January. The flaw could be abused via a rogue application to execute arbitrary code with the highest privileges.
Behind the Tata Power attacks
Tata Power, a Tata Group subsidiary, was targeted by a ransomware attack earlier this month. The Hive ransomware group has now claimed credit for attacking the victim's networks and indicated that the ransom negotiations failed. In retaliation, the cybercriminals have leaked data that contains engineering drawings, financial and banking records, and client information, in addition to employees' PII.
Iranian atomic organization hacked
The email servers of a subsidiary of the Atomic Energy Organization of Iran (AEOI) were allegedly crippled by a cyber threat group known as Black Reward. The hacker group leaked some of the stolen data on Telegram. Meanwhile, the victim firm stated that the incident was intended to garner public attention and tarnish AEOI's reputation in the media.
Car dealership group hit by $60 million hack
Pendragon Group, a car dealer in the U.K., was struck by a LockBit 3.0 attack. The extortion gang has demanded a cryptocurrency ransom equivalent to $60 million. While Pendragon did not share many details about the incident, it claimed that the attack did not affect its operations. The gang has threatened to release files stolen from Pendragon on October 29 if the demand is not met.
Emotet drops CoinMiner and Quasar RAT
Trustwave SpiderLabs noted a spike in malspam campaigns by the Emotet botnet. In this attack wave, attackers are reportedly using invoice-themed phishing lures carrying password-protected archive files. These files drop CoinMiner and Quasar RAT to take over compromised systems. CoinMiner, besides cryptomining, can also act as a credential stealer. Quasar RAT is an open-source .NET-based RAT with powerful capabilities.
New campaign drops infected Chrome extensions
Guardio Labs has uncovered a new malvertising campaign delivering malicious Google Chrome extensions known as Dormant Colors. Researchers had discovered at least 30 variants of these extensions in both the Chrome and Edge web stores as of mid-October. The extensions hijack searches and return affiliate links in the results. The operators aim to generate income from the data they steal and from the traffic they drive to these websites.
POS malware siphoned off card data
Cybercriminals used two strains of POS malware, Treasure Hunter and its more advanced successor MajikPOS, to steal the details of more than 167,000 credit cards from various payment terminals, Group-IB revealed. The stolen data could fetch the hackers roughly $3.3 million if sold on an underground marketplace. It belongs to tens of thousands of card owners who used their cards between February 2021 and September 8, 2022.
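The defensive counterpart of what these scrapers exploit is checking whether track data is actually sitting in plain text in a terminal's memory. The following added example (not Group-IB's, Cyware's, or the malware's code) scans a captured memory region for magstripe track 2 records and uses the Luhn check to discard digit runs that merely look like a PAN. The buffer, the terminal name, and the PANs are constructed (standard test card numbers), and results are masked so the scan output itself never carries full card data.

```python
"""Forensic scan of a memory capture for exposed magstripe track 2 data.
Added example with a constructed input buffer; uses test PANs only."""
import re

# Track 2 as a reader stores it: optional ';' start sentinel, PAN of 13-19
# digits, '=' separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. Bytes pattern so it runs over raw memory.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})[^?]{0,20}\?")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: doubles every second digit from the right (the check
    digit itself is not doubled) and requires the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_exposed_tracks(buf: bytes):
    """Return (offset, masked PAN, YYMM expiry) for every Luhn-valid track 2
    record found in the buffer; non-Luhn matches are dropped as false hits."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append((m.start(), mask_pan(pan), m.group(2).decode()))
    return hits


# Constructed stand-in for a dumped process memory region: some junk, one
# record with the well-known Visa test PAN, and one record whose PAN fails
# the Luhn check and must not be reported.
SAMPLE_REGION = (
    b"\x00\x00POS-TERM-07\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00garbage\x00"
    b";4111111111111112=25121010000000000000?"
)

if __name__ == "__main__":
    for off, masked, exp in find_exposed_tracks(SAMPLE_REGION):
        print(f"offset {off:#x}: PAN {masked} exp {exp[:2]}/{exp[2:]}")
```

In a real engagement the buffer would come from a memory acquisition of the terminal's payment process; a single Luhn-valid hit means card data exists unencrypted at some point in the terminal's memory, which is exactly the window this malware family lives in.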
Apple puts zero-day at rest
Apple, in its latest security update, addressed the ninth zero-day exploited in attacks against iPhones since the start of this year. The bug, tracked as CVE-2022-42827, is an out-of-bounds write flaw, in which software writes data outside the boundaries of the intended memory buffer. Attackers could abuse it to cause data corruption, application crashes, or arbitrary code execution with kernel privileges.
Multiple critical bugs in Veeam
CloudSEK researchers reported multiple high-severity vulnerabilities in the Veeam Backup & Replication application. The bugs, namely CVE-2022-26500, CVE-2022-26501, and CVE-2022-26504, could be abused by an unauthorized user for remote code execution. The researchers also uncovered fully weaponized tools being circulated by criminals to exploit the bugs.
A couple of Windows exploits
LogCrusher and OverLog were identified as two exploits affecting Microsoft Windows. Both target the EventLog Remoting Protocol (MS-EVEN), which enables remote access to event logs. LogCrusher lets any domain user remotely crash the Event Log service of a Windows machine, whereas OverLog could be abused for DoS attacks by filling up the hard drive of a Windows machine on the domain.
Cisco and Gigabyte flaws in KEV catalog
CISA added two Cisco and four Gigabyte product vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The Cisco vulnerabilities, CVE-2020-3433 and CVE-2020-3153, affect the AnyConnect Secure Mobility Client for Windows. The Gigabyte bugs impact the GPCIDrv and GDrv low-level drivers in the Gigabyte App Center, the Xtreme gaming engine, the Aorus graphics engine, and the OC Guru utility.
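A routine way to act on a briefing like this one is to pull every CVE it mentions and check each against the KEV catalog, since KEV entries carry a remediation due date. The following added example (not CISA's or Cyware's code) does that offline: the catalog excerpt is constructed to mirror the field names of the public feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction`, `dueDate`), but its dates and due dates are illustrative placeholders, not values taken from CISA, and the briefing text is a constructed snippet containing only CVE IDs that appear on this page.

```python
"""Cross-reference CVE IDs found in briefing text against a KEV catalog feed.
Added example; the KEV excerpt and briefing text below are constructed."""
import json
import re
from datetime import date

# Constructed excerpt in the shape of the real feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# dateAdded/dueDate values are placeholders, not CISA's actual dates.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-example",
    "vulnerabilities": [
        {"cveID": "CVE-2020-3433", "vendorProject": "Cisco",
         "product": "AnyConnect Secure Mobility Client",
         "vulnerabilityName": "Cisco AnyConnect DLL hijacking",
         "dateAdded": "2022-10-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-11-14"},
        {"cveID": "CVE-2020-3153", "vendorProject": "Cisco",
         "product": "AnyConnect Secure Mobility Client",
         "vulnerabilityName": "Cisco AnyConnect path traversal",
         "dateAdded": "2022-10-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-11-07"},
    ],
})

# Constructed briefing snippet; the CVE IDs are the ones this page names.
BRIEFING = (
    "Apple fixed CVE-2022-42827. Veeam bugs CVE-2022-26500, CVE-2022-26501, "
    "and CVE-2022-26504 are being exploited. CISA added CVE-2020-3433 and "
    "CVE-2020-3153 to KEV. CVE-2020-3433 affects AnyConnect for Windows."
)

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)


def extract_cves(text: str):
    """Unique CVE IDs in order of first appearance, upper-cased."""
    seen, out = set(), []
    for cve in CVE_RE.findall(text):
        cve = cve.upper()
        if cve not in seen:
            seen.add(cve)
            out.append(cve)
    return out


def load_kev(feed_text: str) -> dict:
    """Index catalog entries by CVE ID."""
    return {v["cveID"].upper(): v for v in json.loads(feed_text)["vulnerabilities"]}


def triage(cve_ids, kev: dict, today: date):
    """One row per CVE: (cve, in_kev, days_until_due or None, affected product
    or None). KEV hits come first, earliest due date first; negative days
    means the remediation deadline has already passed."""
    rows = []
    for cve in cve_ids:
        entry = kev.get(cve.upper())
        if entry is None:
            rows.append((cve.upper(), False, None, None))
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append((cve.upper(), True, days_left,
                     f'{entry["vendorProject"]} {entry["product"]}'))
    rows.sort(key=lambda r: (not r[1], r[2] if r[2] is not None else 10**6))
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for cve, in_kev, days, product in triage(extract_cves(BRIEFING), kev, date(2022, 10, 25)):
        if not in_kev:
            print(f"{cve}: not in KEV (still patch, but no federal deadline)")
        else:
            state = "OVERDUE" if days < 0 else f"due in {days} days"
            print(f"{cve}: KEV listed ({product}), {state}")
```

Swap `KEV_SAMPLE` for the downloaded feed and `BRIEFING` for the day's digest and the same two functions produce a deadline-ordered patch list; a CVE absent from KEV is not "safe", only unconfirmed as exploited, which is why the output still lists it.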
High-severity Jira bugs
Security experts at Bishop Fox highlighted two critical security gaps in Jira Align. The first is a server-side request forgery (SSRF) flaw in the application's 'Connectors' settings that can expose the AWS credentials of the Atlassian service account to an attacker. The second, described as insufficient authorization controls in the 'People' permission, enables privilege escalation to the highest role in Jira Align.