
Cyware Daily Threat Intelligence, January 11, 2023

Another supply chain attack against PyPI users has been observed by researchers. Threat actors used malicious packages in a fresh round of attacks to drop an information-stealing malware, dubbed PoweRAT, on victims’ systems. The Gootkit loader was also spotted making a comeback in a new campaign that targeted the Australian healthcare industry. 

Meanwhile, CISA has raised the alarm about OWASSRF attacks on Microsoft Exchange servers as it adds the flaw to its Known Exploited Vulnerabilities Catalog. In a different vein, Microsoft has issued January 2023 Patch Tuesday updates with fixes for 98 security vulnerabilities across Windows, Exchange Server, SharePoint Server, and more.


Top Breaches Reported in the Last 24 Hours


DEFRA website hacked
The Department for Environment, Food & Rural Affairs (DEFRA) website in the U.K. was hacked to redirect victims to a fake OnlyFans dating page. Threat actors exploited an open redirect that appeared to be a valid UK government URL to route users to another site.

Bank sites targeted
Access to the websites of the Danish Central Bank and seven private banks was briefly disrupted following a DDoS attack. Attackers redirected unwanted traffic to the targeted servers in a bid to knock them offline. Among the banks affected were Jyske Bank and Sydbank.


Top Malware Reported in the Last 24 Hours


PoweRAT used against PyPI users
A new round of supply chain attacks deploying PoweRAT malware on victims’ systems was observed. The attack leveraged several PyPI packages—EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles—to drop the malware that is capable of stealing browser cookies, passwords, Discord tokens, and Telegram data. The harvested information is exfiltrated in a ZIP archive. 

Gootkit loader spotted
The Gootkit loader, aka Gootloader, resurfaced in a new spate of attacks that targeted the Australian healthcare industry. The malware operators leveraged SEO poisoning attacks for initial access. To push the infection to the next phase, the loader abused legitimate applications like VLC Media Player.

Vidar malware returns
A massive campaign that redirects users to a Dropbox folder has been found dropping the Vidar malware onto victims’ systems. The ongoing campaign leverages 1,300 domains that impersonate official sites of AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, and OBS. Many popular cryptocurrency trading apps are also being mimicked as part of the campaign. 


Top Vulnerabilities Reported in the Last 24 Hours


Microsoft releases patches 
To mark the January 2023 Patch Tuesday, Microsoft released patches for 98 security vulnerabilities, including one exploited in the wild (CVE-2023-21674) and one that’s been publicly disclosed (CVE-2023-21549). Some of the affected products include Microsoft Exchange Server, SharePoint Server, Windows SMB, and Windows Print Spooler. In another incident, CISA added the OWASSRF vulnerability to its Known Exploited Vulnerabilities Catalog following the observation of its exploitation in the wild.

New Class Pollution flaw
Researchers have discovered a new variant of a prototype pollution flaw that can allow attackers to perform pollution-like attacks on Python programs. Called class pollution, the flaw has been observed in the wild and can be triggered by manipulating the attribute values in Python classes. The abuse of the flaw can lead to remote code execution and overwriting of secret keys. 

Zoom patches high-risk flaw
Video messaging giant Zoom has released patches for security vulnerabilities that exposed both Windows and macOS clients to privilege escalation attacks. The flaws are tracked as CVE-2022-36930, CVE-2022-36929, and CVE-2022-36927, and affect Zoom Rooms for Windows Installers, Zoom Rooms for Windows clients, and Zoom Rooms for macOS clients.  

Patches issued by Siemens and Schneider
The year’s first batch of patches was also released by Siemens and Schneider Electric as part of January 2023 security updates. The firms addressed a total of 27 vulnerabilities that affect a wide range of ICS products. While Siemens has published advisories for 20 vulnerabilities, the remaining seven vulnerabilities were fixed in products by Schneider Electric.

Posted on: January 11, 2023

