Go to listing page

Cyware Daily Threat Intelligence, April 26, 2022

Cyware Daily Threat Intelligence, April 26, 2022

Share Blog Post

Emotet is showing a strong resurgence as it gets a new life. The trojan has joined hands with Conti ransomware to launch a plethora of malicious schemes. Researchers found that over a dozen attacks launched by Conti, in the last three months, were the recipients of Emotet malspam campaigns. In parallel, Emotet is testing its new delivery techniques against disabled VBA macros across Microsoft products.

Meanwhile, seven widely exploited vulnerabilities have come under the scanner of the CISA as it urged federal agencies to apply the required patches at the earliest. This includes a remote code execution vulnerability in the VMware Workspace ONE Access and Identity Manager, which is being actively exploited by the Rocket Kitten threat actor group.

Top Breaches Reported in the Last 24 Hours

GHT Coeur Grand Est targeted
GHT Coeur Grand Est was hit by a cyberattack that affected its hospital centers in Vitry-le-François and Saint-Dizier. The incident was discovered on April 19. The firm has asserted that the attackers managed to copy essential administrative data, which might be used for phishing in the future. 

Top Malware Reported in the Last 24 Hours

Conti-Emotet join hands
Emotet trojan has joined hands with Conti ransomware to launch a plethora of malicious schemes. Over a dozen entities targeted, between December 2021 and March 2022, by Conti ransomware were driven via Emotet malspam campaigns. It is likely that Emotet is highly relied upon by Conti operators to find victims.

Emotet evolves its techniques
Emotet is testing new attack methods on a small scale as Microsoft disabled VBA macros by default across its products. The new email campaign analyzed by researchers involves the use of salary-themed lures and OneDrive URLs hosting ZIP archives that contain Microsoft Excel Add-in files.

Top Vulnerabilities Reported in the Last 24 Hours

Unpatched VMware flaw exploited
Iranian-linked threat actor group, Rocket Kitten, has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as CVE-2022-22954, the remote code execution vulnerability affects VMware Workspace ONE Access and Identity Manager.

Wide exploitation of WSO2 vulnerability
Organizations are warned of attacks stemming from the exploitation of WSO2 vulnerability. The flaw tracked as CVE-2022-29464, impacts WSO2’s API Manager, Identity Server, Enterprise Integrator, and Open Banking products. Additionally, the CISA has added the flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to install the available patches by May 16.

CISA adds seven vulnerabilities
The CISA has added seven new vulnerabilities to its list of actively exploited security issues, including those from Microsoft, Linux, and Jenkins. The vulnerabilities can allow threat actors to perform a variety of attacks, including stealing credentials, gaining access to networks, remotely executing commands, or stealing information from devices.


conti ransomware
vmware workspace one access and identity manager
rocket kitten threat actor group
emotet malspam campaigns

Posted on: April 26, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.