Cyware Daily Threat Intelligence
Daily Threat Briefing • Oct 28, 2022
Security weaknesses in government networks invite intrusions from geopolitically motivated actors. In one such instance, the Slovak and Polish parliaments were disrupted by an attack on their computer and phone systems. Meanwhile, the saga of crypto heists continues with the latest multimillion-dollar theft, this time from Team Finance, a DeFi token-lockup protocol.
On the malware front over the last 24 hours, a banking trojan and a DDoS botnet were found making waves in different regions. While a new Drinik variant targeted customers of 18 Indian banks, the Fodcha botnet leveled up to terabit-scale attacks with the added threat of embedded ransom demands. Google also issued an emergency update for Chrome to fix an actively exploited zero-day, the seventh such flaw in the browser this year.
Slovak and Polish Parliaments attacked
Cyberattacks hit the Slovak and Polish parliaments, interrupting the parliamentary session and bringing down the voting system in Slovakia’s legislature. All computers and phone lines went down, making it impossible for lawmakers to vote on several bills.
Hackers rob DeFi platform
Hackers stole $14.5 million worth of cryptocurrency after exploiting a vulnerability in the audited v2 to v3 migration function of the DeFi platform Team Finance. The company has urged the exploiter to get in touch for a bounty payment.
New York Post hacked
Attackers compromised the New York Post and used its website and Twitter account to publish offensive headlines and tweets targeting U.S. politicians. The posts targeted President Joe Biden and his son Hunter Biden, New York City Mayor Eric Adams, New York Governor Kathy Hochul, Rep. Alexandria Ocasio-Cortez (D-NY), Rep. Adam Kinzinger (R-IL), and Texas Governor Greg Abbott.
Drinik banking trojan resurfaces
According to Cyble researchers, a new version of the Drinik Android trojan targets customers of 18 Indian banks, posing as the country's official income tax management app to steal victims' banking credentials and personal information. Drinik has been circulating in India since 2016, initially operating as a simple SMS stealer. In September 2021 it gained banking trojan features and targeted 27 financial institutions by redirecting victims to phishing pages; the latest version extends that capability.
Fodcha version 4 is here
A new version of the Fodcha DDoS botnet embeds ransom demands directly in the DDoS packets it sends to victims' networks, Netlab 360 revealed. Fodcha version 4 now encrypts its communication with its C2 servers and relies on 42 C2 domains to run roughly 60,000 active bot nodes per day, generating up to 1 Tbps of attack traffic.
Raspberry Robin delivers Clop ransomware
In the last 30 days, the Raspberry Robin malware has compromised nearly 3,000 devices across almost 1,000 organizations. Its latest attacks have led to Cl0p ransomware infections, and the operators are now capable of employing at least four different tactics to gain an initial foothold on devices. Microsoft attributes the post-compromise Cl0p activity to DEV-0950 (aka FIN11 or TA505), indicating Raspberry Robin's growing role in the wider cybercrime economy as a delivery channel for other criminal groups.
SiriSpy allows eavesdropping
A vulnerability in Apple's iOS and macOS, dubbed SiriSpy, could have allowed any app granted Bluetooth access to eavesdrop on users' conversations with Siri and on audio captured by AirPods or Beats headsets. When those headsets were in use, a malicious app could also record input to the iOS keyboard dictation feature. Tracked as CVE-2022-32946, the flaw has now been patched; users of affected devices should confirm they are on the updated OS versions.
VMware product patched
VMware issued fixes for a critical vulnerability in NSX Manager, the management service for its NSX network virtualization and security platform. The flaw stemmed from a known deserialization vulnerability in an outdated version of the XStream Java library bundled with the product. An unauthenticated attacker with network access to the management service could abuse it to achieve pre-authentication remote code execution on the NSX Manager host.
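VMware's patched code is not public, but the class of bug is straightforward to illustrate. The block below is an added example, not VMware's or the XStream project's own code: it shows the permissive default that XStream versions before 1.4.18 shipped with, beside the deny-all-then-allow-list configuration that the XStream security documentation recommends. The `Greeting` class and both XML payloads are constructed for the example; the hostile payload simply names an arbitrary JDK class to stand in for a real deserialization gadget.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Constructed data class: the only type this service legitimately needs to read.
    public static class Greeting {
        public String message;
    }

    // Unsafe: on XStream releases before 1.4.18 this instance will instantiate
    // whatever class the XML element names, so an attacker-controlled document
    // chooses the type that gets constructed during deserialization. That is the
    // pattern behind gadget-chain RCE in products that embed an old XStream.
    static XStream unsafeParser() {
        return new XStream();
    }

    // Hardened: revoke all permissions, then allow only what the application
    // actually deserializes. Any other class name fails fast with
    // ForbiddenClassException instead of being instantiated.
    static XStream hardenedParser() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything first
        xs.addPermission(NullPermission.NULL);                // permit <null/>
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ... and wrappers
        xs.allowTypes(new Class[] { Greeting.class, String.class });
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed payloads: one benign, one that names a class the service never expects.
        String benign  = "<greeting><message>hello</message></greeting>";
        String hostile = "<java.util.concurrent.atomic.AtomicInteger>7</java.util.concurrent.atomic.AtomicInteger>";

        // Behaviour of the unconfigured parser depends on the XStream version:
        // < 1.4.18 returns an AtomicInteger; >= 1.4.18 already refuses unknown types.
        try {
            Object o = unsafeParser().fromXML(hostile);
            System.out.println("unsafe parser instantiated: " + o.getClass().getName());
        } catch (ForbiddenClassException e) {
            System.out.println("unsafe parser (new XStream default) rejected: " + e.getMessage());
        }

        XStream hardened = hardenedParser();
        Greeting g = (Greeting) hardened.fromXML(benign);
        System.out.println("hardened parser accepted benign document: " + g.message);

        try {
            hardened.fromXML(hostile);
            System.out.println("hardened parser accepted hostile document (unexpected)");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened parser rejected hostile document: " + e.getMessage());
        }
    }
}
```

The practitioner check this suggests is twofold: inventory which products and internal services bundle XStream (the JAR version is visible in the deployed artifact), and treat any instance created with a bare `new XStream()` on a pre-1.4.18 release that parses network input as a pre-authentication RCE exposure, regardless of whether a public exploit exists for that particular version.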
Another Chrome zero-day
Google released emergency updates to fix an actively exploited zero-day in its Chrome browser. The vulnerability, tracked as CVE-2022-3723, is a type confusion flaw in the V8 JavaScript engine. It is the third actively exploited V8 type confusion bug reported this year, after CVE-2022-1096 and CVE-2022-1364, and the seventh Chrome zero-day since the start of 2022. Because Chrome applies updates only after a restart, administrators should verify the installed build rather than rely on the auto-updater alone.