Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 26, 2022
Telecoms, Internet Service Providers (ISPs), and universities across the Middle East and Africa have been under attack by a sophisticated threat actor, dubbed Metador. The group operates two custom Windows malware frameworks: one specializes in multi-layered obfuscation, while the other is used for more hands-on activities, such as taking screenshots and recording keystrokes. A firewall security lapse can be catastrophic for organizations. Sophos is warning customers of a high-severity code injection vulnerability being exploited in the wild by cybercriminals.
Meanwhile, a major credit card scam has been unearthed by security experts that helped hackers fraudulently transact millions of dollars from users’ accounts. To pull this off, scammers have erected multiple fake dating and customer support websites to phish individuals.
Healthcare facility blurted out 23GB of data
An India-based healthcare software provider inadvertently exposed the Covid antigen test results of more than 1.7 million individuals via misconfigured databases. The incident laid bare the personal and medical records of victims such as their nationality, Voter IDs, Covid-19 test results, Aadhaar card numbers, and passport details. Notably, all the tests were conducted through a rapid antigen kit known as Covi-Catch.
Harly trojan infects 200 applications
Kaspersky uncovered about 200 Android applications infected with the Harly trojan. The malicious apps, which impersonated authentic apps for simple address books, translator services, and call screen modifiers, were downloaded by millions of users worldwide. The operators behind the malware subscribe unsuspecting users to paid services without their knowledge. The malware can intercept OTPs to bypass MFA.
FARGO ransomware targets MS-SQL servers
ASEC security researchers warned that FARGO ransomware, aka TargetCompany, is targeting vulnerable Microsoft SQL servers in a new round of attacks. Hackers typically gain access to database servers through brute-force and dictionary attacks, or through known, unpatched flaws. The intended victims are threatened with the sale of their stolen files on the attackers’ Telegram channel unless they pay a ransom.
Vulnerability in Sophos Firewall
Sophos disclosed a severe code injection bug in the company's firewall solution; exploitation has so far primarily targeted enterprises in South Asia. The issue, identified as CVE-2022-3236, was found in the Sophos Firewall User Portal and Webadmin interfaces and allows attackers to achieve remote code execution (RCE). Users running older versions of Sophos Firewall need to upgrade to a supported version to receive the patch.
Microsoft releases security update
Microsoft has released an out-of-band security update to address a vulnerability in its Endpoint Configuration Manager solution. The flaw, identified as CVE-2022-37972, is a medium-severity spoofing issue. It is related to the use of NTLM authentication, which attackers could abuse to bypass the connection fallback setting and carry out the attack. There is no evidence of exploitation so far, but the security hole has been disclosed publicly.
Millions swindled in credit card scam
ReasonLabs exposed several fake dating and customer support websites that have cheated thousands of victims since 2019. The website owners, likely operating from Russia, ran an extensive network that reportedly stole millions of dollars from victims’ credit cards. According to the researchers, the scam affected over a dozen companies, including payment providers (Visa, Mastercard, and others) and web hosting platforms (AWS, GoDaddy, and others).
Cybercriminals impersonate Netflix
Inky Technology reported that cybercriminals are using a new phishing technique that spoofs Netflix web pages to steal credentials. Users are tricked into "resolving" an account issue described in the email. The threat actors send the phishing emails—from an abused email server administered by a Peruvian university—with ZIP attachments. The attackers are able to harvest PII, such as credit card information, billing address, and date of birth.
Metador: A new threat group
Researchers have uncovered a never-before-seen threat actor, Metador, that has been targeting telcos, ISPs, and universities for nearly two years, conducting cyberespionage in the Middle East and Africa. The group leverages two Windows-based malware frameworks—metaMain and Mafalda—in its attack campaigns, and there are traces of Linux malware as well. Researchers are so far unsure of the initial infection vector used by the group.