Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 22, 2022
Digital skimming remains a major threat to e-commerce websites. Recently, hundreds of e-commerce domains were found infected with Google Tag Manager-based web skimmers, and researchers traced over 165,000 stolen payment card records to this technique. Meanwhile, BlackCat ransomware developers continue to extend the malware's capabilities: they have boosted its data-theft toolkit with a new credential-stealing component, Eamfo.
Separately, an unidentified attacker targeted roughly 39,000 unauthenticated Redis servers in an attempt to install cryptominers. And a path traversal bug in Python's tarfile module, disclosed more than 15 years ago, is back in the spotlight, with an estimated 350,000 open-source repositories affected.
FBI reveals details on Albania cyberattack
In a joint advisory, the FBI and CISA disclosed that Iranian state-sponsored actors lurked inside the Albanian government network for roughly 14 months before the destructive July attack that took down many government websites and services. Throughout that period the intruders maintained access to the network and, using a compromised Microsoft Exchange account, exfiltrated email content, including credentials.
Angry developer leaks LockBit builder online
The builder for LockBit's latest encryptor has been leaked on Twitter, allegedly by a disgruntled developer. The latest version, LockBit Black (3.0), was released in June after a couple of months of testing and added anti-analysis features, new extortion methods, and a ransomware bug bounty program. The leaked builder generates a working encryptor, a decryptor, and the specialized tools used to run the decryptor, so other actors can use it to launch their own operations.
E-commerce platforms corrupted with GTM-based skimmers
Researchers at Recorded Future identified 569 e-commerce domains infected with skimmers. Of those, 314 were running Google Tag Manager (GTM)-based skimmers, and the remaining 255 exfiltrated stolen data to domains abusing GTM containers. The researchers also found over 165,000 payment card records for sale on dark web shops that had been exfiltrated from GTM-infected domains. By number of targeted domains, the top five countries were the U.S., Canada, the U.K., Argentina, and India.
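A static check for the two patterns described above, written as an added example (it is not Recorded Future's tooling): it lists every GTM container ID a page references and flags any that are not in the site owner's allowlist, and it flags script sources on hosts that imitate googletagmanager.com. The allowlist, the lookalike host and the sample HTML are constructed for the demo.

```python
"""Static check for Google Tag Manager abuse in a captured page.

Added example; the allowlist, lookalike host and sample HTML are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: the container ID(s) the site owner actually created.
ALLOWED_CONTAINERS = {"GTM-ABC1234"}
# Hosts that legitimately serve GTM containers.
GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

# <script ... src="..."> tags (attributes only, not script bodies).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
# Container IDs as they appear in the inline snippet or in gtm.js?id=... URLs.
CONTAINER_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")


def audit_html(html, allowed=ALLOWED_CONTAINERS):
    """Return sorted findings: container IDs outside the allowlist, and script
    sources hosted on domains that imitate googletagmanager.com."""
    findings = set()

    # 1. A second, unknown container is how a GTM-based skimmer gets loaded:
    #    the attacker's container holds the malicious custom HTML/JS tag.
    for cid in CONTAINER_ID_RE.findall(html):
        if cid not in allowed:
            findings.add(f"unknown container: {cid}")

    # 2. Loaders on lookalike hosts: "googletagmanager" in the name, but not Google.
    #    Scheme-less/relative sources have no hostname and are skipped.
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if "googletagmanager" in host and host not in GTM_HOSTS:
            findings.add(f"lookalike host: {host}")

    return sorted(findings)


# Constructed sample: the site's legitimate snippet plus two injected loaders.
SAMPLE_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZ9999"></script>
<script src="//googletagmanager.example/gtm.js?id=GTM-ABC1234"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```

Run it against the fetched HTML of checkout and payment pages on a schedule and diff the output; a container ID appearing that the marketing team did not create is the signal. Because the skimmer code itself lives inside the GTM container rather than on the page, the check is only as good as the allowlist, and it should be paired with a runtime control such as alerting on card-form field values being sent to any third-party host.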
BlackCat’s tool receives a boost
BlackCat ransomware's data exfiltration tool, Exmatter, has received an upgrade. The tool has been in use since November 2021 and got a major update in August: it now limits the file types it exfiltrates, supports FTP as an exfiltration channel, includes a file-eraser feature, and offers a self-destruct configuration option. In a separate addition, the group has adopted Eamfo, a new piece of malware that harvests credentials stored by Veeam backup software.
Hackers target Atlassian servers
Trend Micro reported that attackers are exploiting an already patched critical flaw in Atlassian Confluence Server to deploy cryptominers. The vulnerability, tracked as CVE-2022-26134, allows unauthenticated remote code execution; beyond cryptomining, successful exploitation can lead to complete domain takeover and the deployment of information stealers, RATs, and ransomware. The exploitation chain runs a shell script resembling those used in earlier attacks reported by Lacework, Microsoft, and Akamai in June.
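CVE-2022-26134 is an OGNL injection reachable through the request URI: the public exploit traffic placed an OGNL expression beginning with `${` in the URL path, which access logs record in percent-encoded form. The scanner below is an added example, not Trend Micro's detection logic; it decodes the request path of each log line and flags such expressions. The access-log lines are constructed.

```python
"""Flag CVE-2022-26134-style requests in combined-format access logs.

Added example; log lines are constructed. Public exploitation put an OGNL
expression, starting with "${", in the URL path, usually percent-encoded.
"""
import re
from urllib.parse import unquote

# Combined log format: IP, ident, user, [timestamp], "METHOD TARGET PROTO", ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Tokens an OGNL payload needs that a normal Confluence URL never carries.
OGNL_MARKERS = ("@", "#", ".exec(", "getRuntime", "ProcessBuilder")


def decode_path(target):
    """Drop the query string and percent-decode the path, up to twice, since
    exploit attempts were sometimes double-encoded."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_ognl_injection(target):
    """True if the decoded path contains a ${...} expression with OGNL markers."""
    path = decode_path(target)
    if "${" not in path:
        return False
    expr = path[path.index("${"):]
    return any(marker in expr for marker in OGNL_MARKERS)


def scan(lines):
    """Return (client_ip, decoded_path) for every line that looks like an exploit attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ognl_injection(m["target"]):
            hits.append((m["ip"], decode_path(m["target"])))
    return hits


# Constructed sample: one benign request, one exploit attempt, one benign
# request with "${" only in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Sep/2022:10:01:03 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [22/Sep/2022:10:01:04 +0000] "GET /wiki/search?q=%24%7Bprice%7D HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path in scan(SAMPLE_LOG):
        print(f"{ip} -> {path}")
```

Point it at the Tomcat access log of the Confluence host (or the reverse proxy in front of it); decoding before matching matters because the raw log line holds `%24%7B`, not `${`. A hit should be followed by looking for the shell script the briefing mentions and for new child processes of the Confluence Java process.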
Redis servers found exposed online
An attacker attempted to install a cryptominer on over 39,000 unauthenticated Redis servers exposed online, putting over 300GB of data at risk. The technique abuses Redis's ability to write its database file to an attacker-chosen location, aiming it at the directory holding SSH keys so that the attacker's key is accepted for login. With 15,526 of the 31,239 servers examined believed to have had the attacker's SSH key set, the attempt reached over 49% of unauthenticated Redis servers. The top five countries with exposed Redis services are China (20,011), the U.S. (5,108), Germany (1,724), Singapore (1,236), and India (876).
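The write primitive behind this campaign is Redis's own configuration interface: with no password set, a remote client can run `CONFIG SET dir` and `CONFIG SET dbfilename` to point the next `SAVE` at `~/.ssh/authorized_keys`, after which a key stored in the database is dumped into that file. The audit below is an added example (not part of the original briefing or any scanner's code) that checks a redis.conf for the settings that make this possible; the weak and hardened configurations are constructed.

```python
"""Audit a redis.conf for the settings that enable the SSH-key write attack.

Added example; both configurations below are constructed. The chain it guards
against: CONFIG SET dir <ssh dir>; CONFIG SET dbfilename authorized_keys;
SET <key> "<attacker pubkey>"; SAVE. It needs an unauthenticated, reachable
server on which CONFIG has not been disabled.
"""
import shlex


def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it appeared
    with; directives such as rename-command may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Redis only treats leading '#' as a comment
            continue
        parts = shlex.split(line)               # keeps "" as an empty argument
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return (code, explanation) findings, in the order of the attack chain."""
    conf = parse_conf(text)
    findings = []

    has_requirepass = any(args and args[0] for args in conf.get("requirepass", []))
    # Redis 6+ ACL users: "user default on >password ..." (or #sha256) also count as auth.
    has_acl_pass = any(
        any(a.startswith((">", "#")) for a in args) for args in conf.get("user", [])
    )
    if not (has_requirepass or has_acl_pass):
        findings.append(("NO_AUTH", "no requirepass or ACL password: anyone who can reach the port can run CONFIG SET and SAVE"))

    protected = conf.get("protected-mode", [["yes"]])[-1]   # defaults to yes when absent
    if not protected or protected[0].lower() != "yes":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode is off: unauthenticated remote clients are accepted"))

    # Absent bind means all interfaces; Redis 7 writes optional addresses as "-::1".
    binds = [addr.lstrip("-") for args in conf.get("bind", []) for addr in args]
    if not binds or any(a in ("0.0.0.0", "::", "*") for a in binds):
        findings.append(("BIND_ALL", "listens on all interfaces: bind to loopback or an internal address"))

    config_renamed = any(args and args[0].upper() == "CONFIG" for args in conf.get("rename-command", []))
    if not config_renamed:
        findings.append(("CONFIG_ENABLED", "CONFIG is reachable: dir/dbfilename can be pointed at ~/.ssh/authorized_keys"))

    return findings


# Constructed: a minimal config of the kind exposed servers commonly run.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: the same server with the four settings corrected.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

if __name__ == "__main__":
    for code, why in audit_redis_conf(WEAK_CONF):
        print(f"{code}: {why}")
```

Renaming `CONFIG` to the empty string removes the command entirely, which is the single change that breaks the chain even if the other three are missed; authentication and a non-public bind address are what keep the server off lists like the one above in the first place. The parser handles only the plain directive form, not `include` files, so run it on the effective configuration.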
Python bug unpatched since 2007
A bug in Python's tarfile module, tracked as CVE-2007-4559, has remained unfixed for 15 years and is estimated to affect over 350,000 open-source repositories. First disclosed in 2007, the path traversal flaw stems from tarfile extracting members under the file names the archive supplies, so a crafted archive can write outside the intended directory, which can lead to arbitrary code execution. A Trellix researcher outlined steps to exploit the flaw in the Windows version of the Spyder IDE. According to the report, there is no evidence the bug has been exploited in the wild.
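The flaw in concrete form, as an added example (not Trellix's proof of concept): tarfile writes each member to `os.path.join(dest, member.name)` without checking where that lands, so a member named `../evil.txt` escapes the target directory. The block builds such an archive in memory, shows the escape with the unfiltered `extractall`, and then applies a containment check that rejects traversal, absolute names and links pointing outside the destination. The archive contents and the `legacy_extractall` helper are this example's own.

```python
"""CVE-2007-4559 demonstrated and mitigated.

Added example; the archive is constructed in memory. Member names are used
as-is by tarfile, so "../x" or "/etc/x" escape the extraction directory.
"""
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def is_within(base: str, target: str) -> bool:
    """True if target resolves to a path inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Members that would be written outside dest, or that are links pointing
    outside it (a link outside the tree lets later members write through it)."""
    bad = []
    for m in tar.getmembers():
        out = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not is_within(dest, out):
            bad.append(m.name)
            continue
        if m.issym():
            link = os.path.join(os.path.dirname(out), m.linkname)  # relative to the link's dir
        elif m.islnk():
            link = os.path.join(dest, m.linkname)                   # relative to the archive root
        else:
            continue
        if not is_within(dest, link):
            bad.append(m.name)
    return bad


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member escapes dest."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"path traversal in archive: {bad}")
    tar.extractall(dest)


def legacy_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """extractall with the unfiltered semantics the CVE describes. Pythons with the
    `filter` argument (3.12+ and the 2023 backports) expose tarfile.data_filter;
    passing filter="fully_trusted" there restores the old behaviour."""
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="fully_trusted")
    else:
        tar.extractall(dest)


def build_malicious_tar() -> bytes:
    """Constructed archive: a benign file plus one whose name climbs out of the target dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("ok.txt", b"benign\n"), ("../evil.txt", b"escaped\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Extract the archive both ways inside a scratch directory and report the outcome."""
    data = build_malicious_tar()
    with tempfile.TemporaryDirectory() as scratch:
        vuln_dest = os.path.join(scratch, "vuln")
        safe_dest = os.path.join(scratch, "safe")
        os.mkdir(vuln_dest)
        os.mkdir(safe_dest)

        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            legacy_extractall(tar, vuln_dest)   # "../evil.txt" lands in scratch/, one level up
        escaped = os.path.exists(os.path.join(scratch, "evil.txt"))

        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            refused = unsafe_members(tar, safe_dest)
            try:
                safe_extract(tar, safe_dest)
            except ValueError:
                pass                            # expected: nothing is written
        return {
            "escaped_with_extractall": escaped,
            "refused_members": refused,
            "safe_dir_files": sorted(os.listdir(safe_dest)),
        }


if __name__ == "__main__":
    print(demo())
```

The check runs before anything is written, so a malicious archive is rejected as a whole rather than partially unpacked. On interpreters that have the `filter` argument, `tar.extractall(dest, filter="data")` performs equivalent containment checks at extraction time and is the preferred fix; the explicit check above is what code that must run on older releases can do.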