Threat actors are getting better at masking their attack payloads from detection, and one such trick has come to the fore in the last 24 hours. Researchers have found that attackers are leveraging lesser-known .ppam add-in files for PowerPoint to wrap their malicious executables. Although the technique is relatively new, the delivery method is not: the files arrive via phishing emails, which remain a popular attack vector for cybercriminals.
Another cyber-espionage campaign that leveraged the spear-phishing method was also found targeting various government and media organizations in Europe. Dubbed Operation EmailThief, the campaign was attributed to a threat actor named TEMP_Heretic. In other updates, a new threat actor group named Antlion managed to stay under the radar for months to distribute a custom backdoor called xPack.
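The .ppam item above describes a wrapper, not a detection. As an added illustration, not code from the article or from the researchers it cites, the following mail-gateway check treats PowerPoint add-in attachments as a policy signal and inspects the package contents. It assumes (as a stated assumption) that a .ppam file is a zip-based OOXML container, that its VBA code is stored in a member named vbaProject.bin, and that a Windows executable hidden inside the package begins with the "MZ" magic bytes; the sample attachments are constructed in memory so the script runs offline.

```python
import io
import zipfile
from typing import Dict, List

# Assumed policy (not from the article): PowerPoint add-in extensions that
# rarely appear as legitimate mail attachments in most organizations.
ADDIN_EXTENSIONS = (".ppam", ".ppa")


def build_ooxml(members: Dict[str, bytes]) -> bytes:
    """Build a constructed zip-based package in memory for testing the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # minimal OOXML scaffolding
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Return findings for a single attachment.

    reasons collects human-readable triage hints; flag is True when the
    attachment deserves quarantine or analyst review under the assumed policy.
    """
    findings: Dict[str, object] = {
        "name": name,
        "addin_extension": name.lower().endswith(ADDIN_EXTENSIONS),
        "has_vba": False,
        "embedded_pe": [],
        "not_zip": False,
        "reasons": [],
    }
    reasons: List[str] = findings["reasons"]  # type: ignore[assignment]
    embedded: List[str] = findings["embedded_pe"]  # type: ignore[assignment]

    if findings["addin_extension"]:
        reasons.append("PowerPoint add-in attachment (policy signal)")

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = info.filename
                # Assumption: macro code lives in a vbaProject.bin part.
                if member.lower().endswith("vbaproject.bin"):
                    findings["has_vba"] = True
                    reasons.append("contains VBA project: " + member)
                # A PE executable carried inside the package starts with "MZ".
                if zf.read(member)[:2] == b"MZ":
                    embedded.append(member)
                    reasons.append("embedded PE executable: " + member)
    except zipfile.BadZipFile:
        # Claims an OOXML extension but is not a zip container at all.
        findings["not_zip"] = True
        reasons.append("not a valid OOXML/zip container")

    findings["flag"] = bool(findings["addin_extension"] or embedded or findings["not_zip"])
    return findings


def triage_mail(attachments: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments that should be held for review."""
    return [n for n, d in attachments.items() if inspect_attachment(n, d)["flag"]]


if __name__ == "__main__":
    # Constructed samples: one add-in wrapping a fake executable, one plain deck.
    samples = {
        "invoice.ppam": build_ooxml({
            "ppt/vbaProject.bin": b"\x00constructed-vba-bytes",
            "ppt/media/payload.bin": b"MZ\x90\x00constructed-pe-stub",
        }),
        "slides.pptx": build_ooxml({"ppt/presentation.xml": b"<presentation/>"}),
    }
    for name, data in samples.items():
        print(inspect_attachment(name, data))
    print("held:", triage_mail(samples))
```

The extension match alone is enough to hold the message under the assumed policy; the VBA and PE checks are there so an analyst sees at a glance whether the add-in actually carries code, which is the behaviour the article describes.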
Top Breaches Reported in the Last 24 Hours
Morley Companies Inc. discloses a data breach
Business services provider Morley Companies Inc. has disclosed a data breach resulting from a ransomware attack that occurred in August 2021. The incident affected the data of more than 500,000 individuals, including Morley's employees, contractors, and clients. The compromised data included full names, Social Security numbers, dates of birth, medical diagnoses, and treatment information.
Operation EmailThief espionage campaign
A targeted spear-phishing campaign called Operation EmailThief exploited an XSS zero-day vulnerability in Zimbra to target several government and media organizations in Europe. Launched by a threat actor named TEMP_Heretic, the campaign was executed in December 2021 in two phases. The initial phase was aimed at reconnaissance and used specially crafted phishing emails to track users, whereas the second phase consisted of waves of emails tempting users to click on malicious links.
Top Malware Reported in the Last 24 Hours
New xPack backdoor malware
A Chinese threat actor group tracked as Antlion has been using a new custom backdoor called xPack to target organizations in the financial and manufacturing sectors. The backdoor allows attackers to run WMI commands remotely. The ultimate goal of the campaign, which has been active for 18 months, is to exfiltrate data from infected networks.
New Sugar ransomware
The relatively new Sugar ransomware is being made available to cybercriminals as a Ransomware-as-a-Service (RaaS). Written in Delphi, the ransomware borrows its code from several other ransomware families. It employs a modified version of the RC4 encryption algorithm along with a crypter that is offered to affiliates as part of the service.
Top Vulnerabilities Reported in the Last 24 Hours
ESET patches a flaw
ESET has published patches for a local privilege escalation vulnerability affecting its Windows client products. The flaw is tracked as CVE-2021-37852 and can enable threat actors to escalate privileges and execute arbitrary code.
CISA warns about flaws in Mimosa equipment
CISA has issued a warning about multiple vulnerabilities affecting Airspan Networks Mimosa equipment. Successful exploitation of these vulnerabilities can allow attackers to access user data, compromise Mimosa's AWS cloud EC2 instances and S3 buckets, and achieve remote code execution on all cloud-connected Mimosa devices. Some of these flaws have been assigned CVSS scores of 10.