Go to listing page

Cyware Daily Threat Intelligence, April 05, 2022

Cyware Daily Threat Intelligence, April 05, 2022

Share Blog Post

The notorious FIN7 group has ramped up its offensive capabilities by adding new malicious code to its malware arsenal. These include a new POWERPLANT backdoor and two new versions of BIRDWATCH downloader—tracked as CROWVIEW and FOWLGAZE. Researchers claim that these malware are being used by threat actors to gain initial access and deliver more payloads.

Meanwhile, a new sophisticated malware campaign delivering a blizzard of RATs is going global as threat actors unleash a variety of RATs along with new tactics. The attackers are leveraging a new version of 3LOSH crypter to deliver AsyncRAT and LimeRAT, among others. There’s also an update about the LockBit ransomware campaign that involves the use of SocGholish in the initial stage and BLISTER as a second-stage loader.


Top Breaches Reported in the Last 24 Hours


The Works’ affected
UK high street retailer, The Works, has shut down its stores following a cybersecurity incident. It occurred after attackers gained unauthorized access to its systems. The firm disclosed that the attack has disrupted a limited number of trading and business operations.

Inverse Finance targeted
More than $15 million were stolen after hackers exploited the DeFi platform Inverse Finance. According to the company, the hackers manipulated its money market, Anchor, and increased the price of INV via Sushiswap. This enabled the attackers to borrow $15.6 million in the DOLA, ETH, WBTC, and YFI cryptocurrencies.

Nordex affected by a cyberattack
Wind turbine giant Nordex was forced to shut down its IT systems after discovering a cyberattack. The incident affected multiple systems in the firm. As a part of the precautionary measure, the company took immediate actions to prevent further propagation of the attack.

Top Malware Reported in the Last 24 Hours


AsyncRAT malware campaign
An ongoing malware attack campaign is using ISO disk images to deliver AsyncRAT, LimeRAT, and other commodity malware to victims. The threat actors behind the campaign have been using a new version of 3LOSH crypter to generate obfuscated code to hide the RAT payloads and facilitate the infection process.

Malware loader campaign discovered
A new campaign that delivers SocGholish in the initial stage, with BLISTER as a second-stage loader, has been uncovered by researchers. It is believed that both the loaders are being used to evade detection to execute final payloads, specifically LockBit in this case.

Top Vulnerabilities Reported in the Last 24 Hours


Cisco issues a patch
A security researcher managed to exploit vulnerabilities in an obsolete Java library to launch remote code execution attacks on Cisco Nexus Dashboard Fabric Controller. Following this discovery, Cisco issued patches last month. One of these flaws was related to a Java deserialization flaw in an old library.

Yokogawa patches multiple flaws
Japanese automation giant Yokogawa has recently patched a series of vulnerabilities affecting its control system products. The flaws can be exploited to execute arbitrary commands, suppress alarms, delete files, escalate privileges, and disrupt physical processes. They are related to hardcore credentials, path traversal, command injection, DLL hijacking, inappropriate access privileges, and uncontrolled resource consumption. 

VMware patches Spring4Shell flaw
VMware has issued security updates for the critical Spring4Shell flaw which impacts several of its cloud computing and virtualization products. Tracked as CVE-2022-22965, the flaw has a CVSS score of 9.8. Meanwhile, CISA has added the Spring4Shell flaw to its ‘Known Exploited Vulnerabilities’ Catalog as reports of active exploitation of the flaw comes to light. 

Top Scams Reported in the Last 24 Hours


New WhatsApp phishing campaign
A new WhatsApp phishing campaign impersonating WhatsApp’s voice message feature is being used to spread information-stealing malware. So far, the campaign has affected around 28,000 email addresses. As a part of the campaign, the recipients are led to a series of steps that ultimately cause the installation of the malware that is capable of pilfering credentials.  

New Threat in Spotlight


FIN7 updates its arsenal
The FIN7 APT group has evolved its malware and attack tactics. These include a new POWERPLANT backdoor and two new versions of BIRDWATCH downloader—tracked as CROWVIEW and FOWLGAZE. Researchers claim that these malware are being used by threat actors to gain initial access and deliver more payloads.

 Tags

nordex
fowlgaze
limerat trojan
3losh crypter
powerplant backdoor
socgholish malware

Posted on: April 05, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.