Go to listing page

Cyware Daily Threat Intelligence, December 23, 2022

Cyware Daily Threat Intelligence, December 23, 2022

Share Blog Post

A few days after the FBI issued a warning against hackers abusing search engine ads, conspirators of the IceID botnet have been seen resorting to a similar technique while also adding a new payload to it. Actors have targeted some popular keywords for top brands and applications. Speaking of malware variants, Vice Society has also adopted a new custom-coded variant called PolyVice. The variant is eerily similar to Chilly ransomware and SunnyDay ransomware, with a 100% match on functions.

Furthermore, researchers laid bare an automated attack system used by the financially motivated FIN7 group. Called Checkmarks, the hackers have used the system to abuse Microsoft Exchange remote code execution and privilege elevation vulnerabilities.

Top Breaches Reported in the Last 24 Hours


Belgium bank suffers insider breach
Degroof Petercam, a Belgian merchant bank, blurted out the data of hundreds of its clients that include some major Belgian organizations. Reports suggest an employee of the bank abused his privileged access to customer data. A bank official said only professional Stock Options Plan (SOP) accounts are affected by the leak.

LastPass incident more severe
Password management service LastPass suffered a security breach in August. It has now revealed that attackers stole a variety of customers’ personal information, including their vault data from the encrypted storage service. The service stores data in a proprietary binary format and contains both unencrypted data and fully-encrypted data.

Hackers bypass 2FA
A number of ?Comcast Xfinity customers reported their accounts being hacked despite two-factor authentication being enabled on their accounts. According to a researcher, hackers attempted credential-stuffing attacks on users’ accounts. Criminals also tried to break into victims’ DropBox, Evernote, and Coinbase and Gemini cryptocurrency exchange accounts.

Top Malware Reported in the Last 24 Hours


IcedID botnet’s malvertising campaign
Trend Micro noted a new distribution trend for the IcedID botnet via Google pay-per-click (PPC) ads, aka malvertising. The adversaries behind IcedID malware erected fake websites of legitimate organizations and well-known applications to lure online users. Attackers also drop a new loader via an MSI file, which is an unusual behavior by IcedID.

Vice Society’s new payload
The Vice Society ransomware group spun another custom ransomware variant, dubbed PolyVice. The strain deploys a robust encryption scheme that uses NTRUEncrypt and ChaCha20-Poly1305 algorithms. The authors of this new ransomware variant are also likely selling similar payloads to other hacking groups that also share similarities with Chily and SunnyDay ransomware strains.

Top Vulnerabilities Reported in the Last 24 Hours


FIN7 exploits Exchange and SQL injection bugs
The FIN7 hacking group adopted an automated attack system known as Checkmarks to abuse Microsoft Exchange and SQL injection flaws in targeted systems. The hacker group has been leveraging it to infiltrate corporate networks to steal data since June 2021. Criminals use multiple exploits during their operation that includes their own custom code and publicly available PoCs.

XSS bug in Zoom’s Whiteboard
Security researcher Eugene Lim uncovered a Zoom bug impacting both the desktop and web versions of its Whiteboard app. The cross-site scripting (XSS) vulnerability in Zoom Whiteboard could let a user bypass the sanitization check and send arbitrary JavaScript code to other users. However, it was not an easily exploitable bug, said the researcher.

 Tags

fin7 group
google pay per click
zoom whiteboard
polyvice ransomware
checkmarks
degroof petercam
lastpass
icedid botnet
comcast xfinity
vice society

Posted on: December 23, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.