Go to listing page

Cyware Daily Threat Intelligence, December 07, 2021

Cyware Daily Threat Intelligence, December 07, 2021

Share Blog Post

With an increasing reliance on e-commerce sites due to the pandemic, a rise in web skimming attacks has also been witnessed. Recently, threat actors were found exploiting the Google Tag Manager (GTM) service to launch web skimming attacks. Not only e-commerce shops but offline convenience stores of SPAR were also hit by cyberattacks that crippled its IT systems across the U.K. In another incident, the Russian APT group, Nobelium, was seen targeting French institutions with spear-phishing campaigns.

Attention! Bots continue to create havoc. Numerous payloads were found abusing a vulnerability and one of them is also capable of executing Moobot, a Mirai-based DDoS botnet. Another bot in the news is Cryptbot, which is capable of stealing user information from various cryptocurrency wallets. In addition, flaws in modern web browsers, NodeBB forum, and Kafdrop interface were spotted.

Top Breaches Reported in the Last 24 Hours

Hidden wave of web skimming attacks
Threat actors are abusing a legitimate feature of the Google Tag Manager (GTM) service to launch web skimming attacks by hiding malicious JavaScript code on 316 e-commerce sites since March this year. The attackers created their own GTM container to deploy their scripts. They remained under the radar for months and affected around 88,000 users.

SPAR stores under attack
The convenience store chain SPAR was forced to close some of its stores in the U.K after a cyberattack on its IT systems. Out of its nearly 2,600 stores located across the U.K, 330 SPAR shops in northern England were crippled. The affected stores were unable to process payments made using credit or debit cards.

Nobelium APT targets French firms
The French national cybersecurity agency ANSSI alerted that the Russia-linked Nobelium APT group has been targeting French organizations since February. The state-sponsored hacker group compromised email accounts belonging to French organizations and used them to launch spear-phishing campaigns aimed at foreign institutions.

Top Malware Reported in the Last 24 Hours

New Moobot attack
Fortinet researchers observed numerous payloads exploiting a vulnerability in Hikvision products to probe the status of devices or extract sensitive data from victims. One of these payloads also drops a downloader, which executes Moobot, a Mirai-based DDoS botnet.

Cryptbot spread via malicious software
Security firm Red Canary warned of a malicious installer for KMSPico, a software used to activate pirated copies of Microsoft Windows and Office, spread on the internet. This installer is laden with a malware, dubbed Cryptbot, that has the ability to steal user information from various cryptocurrency wallets and web browsers.

Top Vulnerabilities Reported in the Last 24 Hours

XS-Leaks attacks
A group of academics from Ruhr-Universität Bochum (RUB) and Niederrhein University discovered a set of cross-site data leakage flaws in all popular modern web browsers. The 14 attacks discovered are collectively known as XS-Leaks. The browser flaws can enable a malicious website to harvest users’ personal data in the background without their knowledge.

NodeBB forum flaw
Researchers from SonarSource warned of critical vulnerabilities in the open-source forum platform NodeBB, which could allow attackers to steal private information and access admin accounts. The vulnerabilities include a path traversal bug (CVE-2021-43788), a cross-site scripting vulnerability (CVE-2021-43787), and an authentication bypass bug (CVE-2021-43786) that could result in remote code execution on the underlying server.

Security misconfiguration in Kafdrop
Researchers at Spectral discovered a security flaw in Kafdrop, an open-source UI and management interface for Apache Kafka clusters. The researchers warned that by adding an insecure management UI on top of mission-critical Kafka clusters, many operators have exposed their secure clusters online. Spectral provided an authentication code for companies to address the Kafdrop flaw.

Top Scams Reported in the Last 24 Hours

Twitter verified account scam
In a new phishing campaign, Twitter verified accounts are being targeted while taking advantage of Twitter’s recent removal of the verified badge from numerous verified profiles. The phishing emails sent to the targeted users request them to verify their identity in order to maintain their verified status. The links in the emails take users to compromised pages that are modified to steal their credentials.


nobelium apt
moobot family
xs leaks

Posted on: December 07, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.