Iranian threat actors have become extremely busy recently. For instance, the MuddyWater group is conducting a cyberespionage campaign against Turkish entities using malicious PDF files and Office documents. On the other hand, another Iranian threat actor came up with a new PowerShell-based backdoor named PowerLess.
Speaking of targeted attacks, two subsidiaries of the Marquard & Bahls Group fell victim to a devastating cyberattack, impacting its crucial systems. Meanwhile, the CISA has added eight more vulnerabilities to its catalog, among which two have a remediation date of February 11. In other news, the Moses APT was witnessed using a new malware—StrifeWater RAT—with advanced functionalities.
Top Breaches Reported in the Last 24 Hours
Cyberattack hits Oiltanking group
German petrol distributor Oiltanking group fell victim to a cyberattack that heavily disrupted its operations. The attack has also affected Mabanaft GmbH. Both firms are subsidiaries of the Marquard & Bahls group, which might have been the epicenter of the breach. While the attack has not impacted the fuel supply, it has paralyzed all computerized systems, including tank loading and unloading processes.
MuddyWater attacks Turkish entities
The Iranian MuddyWater APT group is targeting Turkish organizations and governmental institutions in a new cyberespionage campaign. The campaign is using malicious Office documents and PDFs pretending to be from the Turkish Health and Interior Ministries. The documents deliver a malicious PowerShell-based downloader that gains a foothold into the network.
Whisper leaks user records
Secret sharing app Whisper once again exposed two databases containing messages and user information. The data was exposed to the internet and did not require any authentication to access them. Researchers surmise that the data mostly belonged to Whisper’s native infrastructure and was not the work of a malicious actor. The exposed data includes username and nickname, user ID numbers, secret keys and tokens, geolocation, message content and timestamps, and URLs of attached images, among others.
Top Malware Reported in the Last 24 Hours
New PowerLess backdoor discovered
The Iran-based Phosphorous threat actor group has added a new PowerShell backdoor named PowerLess to its arsenal. The malware includes keylogging and info stealing capabilities. One of the IP addresses serves a domain that is being used as a C2 server for the recently discovered Memento ransomware.
New StrifeWater RAT spotted
Researchers observed a new StrifeWater RAT being used by the Moses APT group. The RAT comes with multiple evasion and screen capturing capabilities. The malware can also create persistence, download additional extensions, and execute system commands.
Top Vulnerabilities Reported in the Last 24 Hours
CISA adds eight more vulnerabilities
The CISA has updated the Known Exploited Vulnerabilities list with eight vulnerabilities. This includes an Apple IOMobileFrameBuffer memory corruption vulnerability, a SonicWall SMA 100 Appliances stack-based buffer overflow vulnerability, a Microsoft Internet Explorer use-after-free vulnerability, and two GNU Bash arbitrary code execution vulnerabilities, among others.
Samba addresses a vulnerability
Samba has addressed a critical vulnerability that can let attackers remotely execute code on servers running vulnerable software. The flaw is tracked as CVE-2021-44142 and affects Samba installations with versions prior to 4.13.17.
Vulnerable WordPress plugin
The WordPress plugin
named Essential Addons for Elementor in versions 5.0.4 and older is impacted by a critical remote code execution vulnerability. The flaw could allow attackers to perform a local file inclusion attack, such as a PHP file, on the site. The vulnerable plugin affects 600,000 sites.
UPnP routers vulnerable to Eternal Silence attacks
Around 277,000 routers are exposed to Eternal Silence attacks that can be launched via Universal Plug and Play (UPnP). Threat actors are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) vulnerabilities on unpatched Windows and Linux systems, respectively, to execute cryptocurrency mining malware and conduct worm-like attacks on the entire network. The injection attempt exposed TCP ports 139 and 445 on devices connected to targeted routers.