Go to listing page

Cyware Daily Threat Intelligence, April 14, 2021

Cyware Daily Threat Intelligence, April 14, 2021

Share Blog Post

Malicious cryptomining remains prevalent and continues to grow in scope. In the past 24 hours, security experts have detected two different incidents where threat actors are making use of the recently discovered ProxyLogon vulnerabilities and cracked software to deploy Monero miners. 

Besides this, malicious actors have switched QBot with IceID trojan to deliver more malicious payloads. This indicates attackers’ intention to keep the campaign active for a long time. 

Meanwhile, security patches released by Microsoft and Adobe as part of April 2021 Patch Tuesday are sure to bring a sigh of relief for their customers using vulnerable products.         

Top Breaches Reported in the Last 24 Hours

Casinos affected
Two Tasmanian casinos have been forced to shut down following a ransomware attack. The attack occurred on April 3 and affected hotel booking systems. The slot machines, known as pokies in Tasmania, are also out of service since the attack. 
 
Top Malware Reported in the Last 24 Hours

Malicious web pages
More than 100,000 web pages hosted by Google sites are being used to trick netizens into opening booby-trapped business documents containing RAT.  The site pages include common business terms like ‘template’, ‘invoice’, ‘receipt’, ‘questionnaire’, and ‘resume’ to lure online users into clicking on them.

QakBot returns
Researchers have spotted campaigns where attackers switched IceID with QakBot trojan to deliver malicious payloads. The campaign relied on updated XLM macros to distribute the trojan. 

New malicious package
A new malicious package, dubbed web-browserify, that targets NodeJS developers has been spotted on the npm registry. The package once executed, uses another legitimate npm component, systeminformation, to collect information from the infected systems.  

Another cryptomining incident
Cracked copies of Microsoft Office and Adobe Photoshop are being used to steal browser session cookies and Monero cryptocurrency wallets from users who install the pirated software. The cracked software are distributed via BitTorrent. 
    
Top Vulnerabilities Reported in the Last 24 Hours

Microsoft patches 114 CVEs
Microsoft has issued fixes for 114 vulnerabilities as part of April 2021 Patch Tuesday. The flaws affect Microsoft Windows, Edge browser, Microsoft Office, Azure and Azure DevOps Server, Exchange Server, SharePoint Server, Hyper-V, Visual Studio, and Team Foundation Server. Nineteen of these flaws are critical, four of which are related to Microsoft Exchange Server bugs. 

New attacks against ProxyLogon 
An unknown threat actor is attempting to use the recently discovered ProxyLogon vulnerabilities to deliver Monero cryptominers onto other vulnerable Microsoft Exchange servers. The attack begins with a PowerShell command to retrieve a file named win_r.zip from compromised servers’ Outlook Web Access logon path.

Google patches zero-day vulnerabilities
Google has issued updates for two zero-day vulnerabilities affecting Windows, macOS, and Linux users. The flaws, tracked as CVE-2021-21206 and CVE-2021-21220, are being exploited in the wild. 

Adobe fixes critical flaws
Adobe has announced patches for two critical buffer overflow vulnerabilities found in four of its products. These flaws could lead to the execution of arbitrary codes onto the victims’ systems. Adobe says none of these vulnerabilities has been exploited in malicious attacks. 

PoC for QNAP NAS vulnerabilities released
A PoC for a remote code execution vulnerability (CVE-2020-2501) affecting QNAP NAS devices is now publicly available. The flaw, related to the memory corruption issue, affects QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2. 

Zero-day exploited
A zero-day vulnerability in Desktop Window Manager is being exploited in the wild by several threat actors. It is an escalation of privilege exploit and assigned with CVE number CVE-2021-28310.     

 Tags

qakbot trojan
web browserify
qnap nas devices
proxylogon vulnerabilities

Posted on: April 14, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.