
Cyware Daily Threat Intelligence


Daily Threat Briefing Oct 26, 2022

Cryptojacking incidents are taking the crypto world by storm. Of late, researchers took the wraps off a highly sophisticated cryptomining campaign that leverages freejacking techniques. Threat actors abused more than two dozen GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to borrow free computing power. In another similar incident, the “Kiss-A-Dog” campaign has emerged as a cryptojacking scheme taking over vulnerable Kubernetes and Docker instances. Here, the attackers also demonstrated the ability to detect and uninstall third-party cloud monitoring services.

Meanwhile, Microsoft has addressed a vulnerable driver blocklist issue that prevented software updates from syncing with systems running older Windows versions. The security gap could have led to serious implications for Windows users.

Top Breaches Reported in the Last 24 Hours

All customer data exposed by Medibank

Australian health insurer Medibank announced that the recent breach compromised the PHI of all of its 3.9 million customers. The insurer said it has not yet understood the full scope of data that was stolen for each of its customers. However, the information contains full names, phone numbers, Medicare and policy numbers, health claims, and other diagnostic data.

Skimmer on See Tickets

Ticketing service provider See Tickets informed its customers about cybercriminals taking over its website to obtain payment card details. The storage blob had remained exposed for over 2.5 years. Compromised data include full names, physical addresses, ZIP codes, payment card numbers, card expiration dates, and CVV numbers.

Top Malware Reported in the Last 24 Hours

Vice Society vs U.S. education sector

Microsoft exposed targeted attack campaigns against the education sector in the U.S. by Vice Society between July and October. The hacker group notably switched ransomware payloads in its attacks toward the sector across the U.S. and worldwide. In some instances, it pursued double extortion attacks, and in other cases, it performed extortion using exfiltrated stolen data while not encrypting them on compromised systems.

Sophisticated cryptomining operations

The threat research team at Sysdig unearthed an active cryptomining operation, run by the Purpleurchin threat actor, that prospers via freejacking. The campaign uses some of the largest cloud and continuous integration and deployment (CI/CD) service providers, such as GitHub, Buddy[.]works, and Heroku, to build, execute, and scale the operation. Researchers found over 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts involved.

"Kiss-A-Dog" cryptojacking scheme

CrowdStrike stumbled across a new attack targeting cloud infrastructure around the world, including vulnerable Docker and Kubernetes instances. In the campaign, called Kiss-A-Dog, the actors leveraged multiple C&C servers and escaped containerized environments to gain root privileges. That foothold can be exploited to deploy kernel and user rootkits for obfuscation, create backdoors, move laterally, and establish persistence.

LV ransomware infiltrates Jordan company

Trend Micro spotted an LV ransomware intrusion on the networks of a Jordan-based company. The hackers used the double-extortion technique, threatening to release the stolen data after encrypting the victim’s files. Attacks by LV ransomware have been increasing since the second quarter of 2022, experts noted.

Top Vulnerabilities Reported in the Last 24 Hours

Bug unpatched since 2000

Security expert Andreas Kellas uncovered details about a 22-year-old high-severity bug in the SQLite database library. Assigned CVE-2022-35737, the flaw is an integer overflow issue that impacts SQLite versions 1.0.12 through 3.39.1. A hacker can trigger the issue to execute arbitrary code on the affected system when the library is compiled without stack canaries.

VMware patches critical flaw

A critical RCE flaw has been reported in the VMware Cloud Foundation product, caused by an unauthenticated endpoint that utilizes XStream for input serialization. The bug is tracked as CVE-2021-39144 and rated 9.8 out of 10 on the CVSS scale. The vendor has also made a patch available for end-of-life products. VMware also addressed CVE-2022-31678, an XML External Entity (XXE) vulnerability that can trigger DoS conditions.

Vulnerable driver blocklist sync issue

A researcher disclosed that Microsoft had been providing an outdated vulnerable driver blocklist, dating from December 2019, even to Windows 10 and Windows Server systems. The issue was that the vulnerable driver blocklist was not synced to systems running older Windows versions. This posed the risk of vulnerable drivers being exploited for privilege escalation in the Windows kernel and execution of malicious code. The firm has addressed this issue.
