Cyware Daily Threat Intelligence, December 09, 2022

Iranian threat actors deployed a custom malware that uses GitHub as a virtual dead drop to exfiltrate data and receive commands. Dubbed Drokbk, it was used against a U.S. local government network earlier this year. Meanwhile, a vulnerability in Cisco IP phones left the devices open to remote code execution and DoS attacks. For now, mitigation is possible only for a limited number of devices; a patch is expected by January 2023.

Moreover, hundreds of thousands of corporate email accounts are being sold on different cybercrime forums. Most of these account leaks were the aftermath of incidents involving credential stuffing and social engineering attacks.

Top Breaches Reported in the Last 24 Hours


Android app blurts out massive data
Web Explorer – Fast Internet, an Android-based browser app, inadvertently exposed a database containing sensitive data owing to its unprotected Firebase instance. The data at risk included user ID, user country, and redirect data such as destination address. The app has over five million downloads on the Google Play store and has an attractive user rating of 4.4/5.

Acuity Brands reveals data incidents
Lighting and building management company Acuity Brands disclosed two breaches that occurred in the past year, one of which may have been a ransomware event. The impacted data belonged to current and former employees and to members of the firm’s health plan. The company could not confirm whether any customer data was stolen.

Corporate email accounts on sale
Cyber intelligence firm KELA found more than 225,000 email accounts up for sale in darknet marketplaces. The major webmail shops Xleet and Lufix were reportedly selling illegal access to over 100,000 corporate email accounts. Most offers were priced between $2 and $30. The data was stolen through credential-stuffing attacks and phishing, or was likely shared by other cybercriminals.

Attack on New York-based opera house
A cyberattack on The Metropolitan Opera knocked its website, call center, and box office offline. The opera house makes about $200,000 a day in sales around Christmas, when tourist traffic is highest. All scheduled performances will go ahead as planned; the only disruption is to processing new ticket orders and issuing refunds.

Hive attacked French sports retailer
Sports retailer Intersport, based in France, confirmed it was hit by a Hive ransomware attack that affected customer data, including SSNs and passport details. The RaaS group has posted the stolen data on its leak site and has threatened to leak more if its ransom demand is not met.

Top Malware Reported in the Last 24 Hours


HPH sector faces threat from new ransomware
The HHS released an alert for U.S. healthcare organizations regarding the newly spotted Royal ransomware group. Sources say the group has already claimed several victims in the country’s Healthcare and Public Health (HPH) sector. The group appears to operate privately, without affiliates, and to include experienced threat actors from other cybercrime groups.

Iranian actor spins new malware
A previously undocumented malware, dubbed Drokbk, has been linked to an Iranian hacker group known as Nemesis Kitten (aka DEV-0270). The malware uses GitHub as a dead drop resolver to exfiltrate data from a compromised system and to receive commands. It is written in .NET and is deployed post-intrusion to achieve persistence. It consists of a dropper and a payload that executes commands from the remote server.

Top Vulnerabilities Reported in the Last 24 Hours


Security hole fixed in WAF
Researchers at Claroty found a way to bypass the WAF solutions of several industry-leading vendors. The technique was tested against five vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. An attacker could have carried out SQL injection attacks by encoding the payload in JSON format, which the WAFs did not inspect for SQL syntax.
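The practical lesson from the WAF bypass above is that a WAF is a signature filter in front of the application, not a fix for the query itself. The following is an added example, not code from Claroty or from the page, showing a JSON-bodied lookup written in the vulnerable string-concatenation shape beside its hardened form using bound parameters; the user table and the request bodies are constructed for the example, and no WAF is involved, which is the point: the bound-parameter version is safe regardless of what sits in front of it.

```python
import json
import sqlite3

# Constructed sample data for this example (not from the page).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db():
    """Create an in-memory SQLite database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, body):
    """Vulnerable shape: the JSON field is spliced into the SQL text.

    Whether or not a WAF inspects the JSON body, the query itself has no
    defence; the value is parsed as SQL by the database.
    """
    username = json.loads(body)["username"]
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, body):
    """Hardened form: the same value is passed as a bound parameter.

    The driver sends the value separately from the statement, so the
    database never interprets it as SQL, JSON-encoded or otherwise.
    """
    username = json.loads(body)["username"]
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against a benign and a hostile JSON body and return the rows each returns."""
    conn = build_db()
    benign = json.dumps({"username": "alice"})
    # Classic tautology string, constructed here to show the difference in handling.
    hostile = json.dumps({"username": "x' OR '1'='1"})
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),
        "bound_benign": lookup_bound(conn, benign),
        "bound_hostile": lookup_bound(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running `demo()` shows the concatenated query returning every row for the hostile body while the bound query returns none; the same input, a JSON document in both cases, is only dangerous when the application itself treats it as SQL text.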

Critical RCE bug in Cisco IP phones
A highly critical bug, CVE-2022-20968, in the latest generation of Cisco’s IP phones exposes them to RCE and DoS attacks. Cisco’s team stated that exploit code is available and that the flaw has been discussed publicly, but it could not confirm any attempts to abuse the bug.

Tags

the metropolitan opera orchestra
cisco ip phones
royal ransomware
wafs
intersport
drokbk
web explorer fast internet
acuity brands
corporate email accounts
cve 2022 20968

Posted on: December 09, 2022
