Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 27, 2022
We use cookies to improve your experience. Do you accept?
Daily Threat Briefing • Sep 27, 2022
Tibetan government and organizations need to be on a high alert in the wake of the LOWZERO backdoor that is being used by Chinese espionage hackers. The threat actor has been incorporating novel techniques and methods to target Tibetan entities for at least two years now. In other news, the Erbium info-stealer was found being advertised on Russian-speaking hacker forums. The malware is swiftly becoming a preferred choice for hackers and is being disseminated as game cheats on gaming forums to steal credentials and crypto wallets.
Lastly, the WhatsApp security team has addressed two significant RCE vulnerabilities as per its latest advisory. The two flaws, classified as critical and high-severity, concerns Android as well as iOS users.
Optus hacker lays down his demands
The threat actor responsible for the Optus breach leaked a sample of 10,200 customer details and sought $1 million in extortion. The dataset has subsequently been removed, and the attacker claimed to have erased the only copy of the stolen information. Last week, the telecom firm disclosed the cyberattack, however, it did not reveal how many of its clients may have been impacted by the breach.
Hackers leak Paris hospital patients' info online.
After a Paris hospital refused to pay a multi-million dollar ransom to cyberattackers, the latter leaked medical scans and lab tests, as well as patients' national security numbers, on the dark web. Instead of selling the data, the hacker made a portion of it available for download on the dark web. The hackers carried out the attack last month.
China-backed TA413 targets Tibetan entities
The Chinese cyberespionage group TA413 is exploiting newly disclosed security flaws in Sophos Firewall (CVE-2022-1040) and Microsoft Office (CVE-2022-30190) to attack Tibetan entities with a previously unreported backdoor called LOWZERO. A spear-phishing attack in May, which exploited flaws in Microsoft Equation Editor, was seen dropping the custom LOWZERO implant by employing a Royal Road RTF weaponizer tool.
**Info-stealer Erbium is gaining popularity **
Cyfirma disclosed that cybercriminals are using the Erbium malware to steal gamers’ cryptocurrency wallets and credentials through cracks and cheats of popular video games. It operates as a Malware-as-as-Service (MaaS) and is reportedly gaining popularity among cybercriminals for its broad functionality, competitive pricing, and customer support. It targets a wide range of cold desktop wallets, such as Exodus, Armory, Bitecoin-Core, Bytecoin, and more. It can intercept 2FA codes as well.
Microsoft Powerpoint abused to deliver malware
A****Cluster25 report stated that Russian GRU-linked APT28 is delivering Graphite malware to target entities in the defense and government sectors of the European Union and Eastern Europe. Graphite malware, which is in portable executable form, is designed to allow the threat actor to load other malware into system memory. Trellix researchers have attributed Graphite to APT28 with low to moderate confidence based on code similarities with malware samples from 2018.
Two RCE flaws in WhatsApp
The WhatsApp security team has addressed two critical vulnerabilities that could be exploited for remote code execution. The first flaw, CVE-2022-36934, is an integer overflow vulnerability that can be exploited by the attacker during a video call. CVE-2022-7492 is another high-severity bug that can be exploited via specially crafted video files. The bugs impact Android as well as iOS users.
Lazarus hackers target macOS users
Hackers from the Lazarus group were observed deploying malware on the systems of macOS users interested in a career in the crypto industry. SentinelOne spotted a fake document advertising positions in Crypto[.]com. The campaign seems to be part of the ongoing job frauds under the moniker Operation In(ter)ception. It is believed that the malware is distributed through direct messages on LinkedIn.