Go to listing page

Cyware Daily Threat Intelligence, February 10, 2022

Cyware Daily Threat Intelligence, February 10, 2022

Share Blog Post

Attention! The operators of the FritzFrog botnet have returned in a new P2P campaign, registering a 10x growth in the infection rate within only a month. Researchers claim the rise in attacks is due to a new version of the botnet that has managed to hit servers in healthcare, education, and government systems. The attacks are likely to get worse as researchers indicate that the operators are in the process of adding capabilities to target WordPress servers. 

Not just botnet attacks have grown in volume, there’s also a concerning update about web skimming attacks. More than 500 online stores running the outdated Magento 1 platform have been compromised to deploy nearly 19 backdoors. Additionally, the attackers behind Qbot and Lokibot trojans have updated their evasion techniques.  

Top Breaches Reported in the Last 24 Hours

Large-scale skimming attacks
More than 500 online stores running the outdated Magento 1 platform have been compromised in a large-scale digital skimming attack. Researchers indicate that nearly 19 backdoors have been deployed on compromised systems. All of these websites were compromised by exploiting a known vulnerability in the Quickview plugin. 

Top Malware Reported in the Last 24 Hours

FritzFrog botnet updated
A new variant of FritzFrog botnet, which comes with new features such as the use of the Tor proxy chain, has managed to make 24,000 attack attempts within a month. The target list includes organizations in the healthcare, education, and government sectors. Researchers claim that the operators are in the process of adding capabilities to target WordPress servers.  

Decryptors for ransomware released
Decryptors for three popular ransomware families - Maze, Egregor, and Sekhmet - have been recently released by an operator named ‘Topleak.’ Meanwhile, there is also a free Emsisoft decryptor for the above-mentioned ransomware.  

Regsvr32 used to drop Qbot
Threat actors are using a Windows living-off-the-land binary (LOLBin) known as Regsvr32 to drop trojans like Lokibot and Qbot. The tactic allows attackers to bypass application whitelisting during the execution phase of the attack. 

Top Vulnerabilities Reported in the Last 24 Hours

Flawed Nooie Cam software
Four different flaws have been detected in the Nooie Baby Cam software that has nearly 100,000 installs. One of these can be abused to achieve remote code execution and is tracked as CVE-2020-15744. Another flaw can enable attackers to access the camera feeds.  

A faulty WordPress plugin
WordPress plugin PHP Everywhere is affected by three critical issues that can be exploited to execute arbitrary code on affected systems. All of these issues have a CVSS score of 9.9. They are tracked as CVE-2022-24663, CVE-2022-24664, and CVE-2022-24665. 

 Tags

qbot
nooie baby cam
lokibot
magento 1 platform
fritzfrog botnet
living off the land binary lolbin
quickview plugin

Posted on: February 10, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.