Cyware Daily Threat Intelligence, January 13, 2023

An unknown yet sophisticated hacker group was seen exploiting a Fortinet FortiOS zero-day to target governments and other large organizations. A successful intrusion leads to the deployment of a generic Linux implant to download additional malware. Developers of Orcus RAT have also enhanced their malware and uploaded it to multiple file-sharing sites as a crack for Hangul Word Processor 2022. The infection, however, installs both Orcus RAT and XMRig CoinMiner on infected systems.

Are you upgrading your networking devices on time? No security fixes or workarounds are available for a critical bug in Cisco Small Business RV016, RV042, RV042G, and RV082 routers, because the products have reached their End of Life (EoL).

Top Breaches Reported in the Last 24 Hours

Hackers sell access to Telegram servers
A hacker claimed to have obtained access to Telegram's internal servers and is offering it for $20,000 on the dark web. To make it more convincing, the criminal alleged the access is a permanent one since insiders from the company are involved. Furthermore, the seller offered an archive containing the correspondence for a period of six months.

Multiple attacks by NoName057(16)
Pro-Russian cybercriminal group NoName057(16) has been launching a barrage of DDoS attacks on Ukrainian and NATO organizations. The campaign, in fact, began in the early days of the Ukraine-Russia conflict. Of late, the group targeted the 2023 Czech presidential election candidates’ websites and Denmark’s financial services.

NFT investment firm suffered losses
British firm NFT Investments announced it was drained of $250,000 in assets in the wake of a cyberattack. The firm disclosed the breach through the London Stock Exchange’s Regulatory News Service. It reportedly fell victim to a phishing attack from an unknown external source.

Top Malware Reported in the Last 24 Hours

Polyglot technique by malware duo
AI security platform Deep Instinct uncovered a campaign by the operators of the StrRAT and Ratty RAT. They are using polyglot MSI/JAR and CAB/JAR files to evade detection by security tools. The polyglots are spread via Sendgrid and URL-shortening services, such as Cutt.ly and Rebrand.ly. Meanwhile, both payloads were stored and served from Discord servers.
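Added example (not from the Cyware post or Deep Instinct's research): a Python heuristic that flags a file whose leading magic says MSI or CAB while its tail carries the ZIP End-of-Central-Directory record that the Java launcher reads, which is what an MSI/JAR or CAB/JAR polyglot looks like on disk. Magic values come from the public format specifications; the sample files are constructed inline.

```python
import struct
from typing import Optional

# Magic bytes from the public format specs (not taken from campaign samples)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI is an OLE2 compound file
CAB_MAGIC = b"MSCF"                               # Microsoft Cabinet
ZIP_EOCD = b"PK\x05\x06"                          # ZIP End of Central Directory signature
EOCD_MIN = 22                                     # fixed EOCD size; an optional comment follows


def header_type(data: bytes) -> Optional[str]:
    """Container type claimed by the leading magic bytes, if any."""
    if data.startswith(OLE_MAGIC):
        return "MSI"
    if data.startswith(CAB_MAGIC):
        return "CAB"
    return None


def has_zip_tail(data: bytes) -> bool:
    """True when a consistent EOCD record closes the file, which is what java -jar keys on."""
    window = data[-(EOCD_MIN + 0xFFFF):]          # EOCD plus the maximum comment length
    idx = window.rfind(ZIP_EOCD)
    if idx < 0 or len(window) - idx < EOCD_MIN:
        return False
    comment_len = struct.unpack_from("<H", window, idx + 20)[0]
    return idx + EOCD_MIN + comment_len == len(window)


def classify(data: bytes) -> str:
    """Label a file; an installer/archive header with a ZIP tail is the polyglot signal."""
    head, tail = header_type(data), has_zip_tail(data)
    if head and tail:
        return f"suspicious: {head}/JAR polyglot"
    if head:
        return head
    return "ZIP/JAR" if tail else "unknown"


# Constructed samples: a bare 22-byte EOCD record stands in for a JAR's tail.
_EOCD = ZIP_EOCD + b"\x00" * 18
SAMPLE_MSI = OLE_MAGIC + b"\x00" * 64
SAMPLE_MSI_JAR = SAMPLE_MSI + _EOCD
SAMPLE_CAB_JAR = CAB_MAGIC + b"\x00" * 64 + _EOCD
SAMPLE_JAR = _EOCD

if __name__ == "__main__":
    for name in ("SAMPLE_MSI", "SAMPLE_MSI_JAR", "SAMPLE_CAB_JAR", "SAMPLE_JAR"):
        print(name, "->", classify(globals()[name]))
```

A real MSI or CAB is parsed from its header and ignores trailing data, so the check is cheap to run on mail and download gateways; it does not inspect the ZIP entries themselves.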

File-sharing sites dropping Orcus RAT
A new Orcus RAT variant is being distributed via file-sharing sites camouflaged as a cracked version of Hangul Word Processor. The hackers involved have previously distributed BitRAT and XMRig CoinMiner. Orcus RAT is a trojan that has been sold since around 2016.

IcedID hastens infection process
A new IcedID malware attack went from initial access to compromise of an unnamed target’s Active Directory domain within 24 hours, making the campaign even more attractive to hackers. Instead of traditional phishing-based attacks delivering macro-based documents, the attackers used ISO and LNK files. They executed the same Cobalt Strike Beacon on all compromised workstations.

Preinstalled malware in Android TV Box
Security researcher Daniel Milisic uncovered preinstalled malware on the T95 Android TV Box he bought from Amazon. The malware, believed to be CopyCat, tries to connect to a number of IP addresses associated with it. The CopyCat malware has infected 14 million Android devices in its previous adware campaign.

Top Vulnerabilities Reported in the Last 24 Hours

Zero-day FortiOS bug under attack
Researchers released a critical advisory for CVE-2022-42475, a zero-day vulnerability in Fortinet’s FortiOS SSL-VPN that was fixed last month and is being abused by an unknown hacker. The attack is aimed at governments and other large organizations and appears to be the work of an advanced actor.

Sensitive CWP security hole
Hackers were observed attempting to gain remote access to unpatched Control Web Panel (CWP), a tool for managing servers, owing to a critical vulnerability. The bug, tracked as CVE-2022-44877, has a CVSS score of 9.8 and can allow remote code execution without requiring any user authentication.

Products reached EoL, patch it
Cisco highlighted a critical authentication bypass flaw, tracked as CVE-2023-20025, affecting its Small Business RV016, RV042, RV042G, and RV082 routers. The affected products, notably, have reached EoL, thereby making a patch release unlikely. The flaw is due to improper validation of user input within incoming HTTP packets.

Exploitation of old Windows bug
The Scattered Spider threat group was discovered exploiting an old flaw in an Intel Ethernet diagnostics driver for Windows systems. It abused CVE-2015-2291 to deploy a malicious kernel driver that allows arbitrary code execution with kernel privileges. The attack was directed at telecom and BPO firms.

Top Scams Reported in the Last 24 Hours

MetaMask wallet address scam
MetaMask, the cryptocurrency wallet provider, disclosed a new scam baiting its users into sending funds to scammers’ wallet addresses. The address poisoning technique used by scammers relies on similarity to the original recipients’ addresses. Experts revealed that creating an address that closely matches a target address takes less than a minute.
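Added example, not from the Cyware post or MetaMask: a Python check modelling why the scam works. Wallet interfaces show only the first and last few hex characters of an address, so a scammer's address that matches a trusted contact on those visible ends passes a glance; the check flags such look-alikes against an address book and picks them out of a transaction history. All addresses and the transaction list are constructed.

```python
SHOWN = 4  # hex characters a typical wallet UI displays at each end of an address


def _body(addr: str) -> str:
    """Lower-case hex body of an address without its 0x prefix."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a


def visible_ends(addr: str, n: int = SHOWN) -> tuple:
    """The prefix and suffix a user actually sees, e.g. 0x1a2b...9a0b."""
    body = _body(addr)
    return body[:n], body[-n:]


def check_recipient(candidate: str, address_book: dict, n: int = SHOWN) -> str:
    """'trusted' for a known address, 'lookalike of <label>' when only the
    visible ends match a contact, 'unknown' otherwise."""
    cand = _body(candidate)
    if any(_body(trusted) == cand for trusted in address_book.values()):
        return "trusted"
    for label, trusted in address_book.items():
        if visible_ends(trusted, n) == visible_ends(candidate, n):
            return f"lookalike of {label}"
    return "unknown"


def flag_poisoned_history(history: list, address_book: dict, n: int = SHOWN) -> list:
    """Counterparties in a history that imitate a contact: the small transfers a
    scammer sends so the look-alike shows up in the victim's recent-activity list."""
    flagged = []
    for tx in history:
        verdict = check_recipient(tx["from"], address_book, n)
        if verdict.startswith("lookalike"):
            flagged.append((tx["from"], verdict))
    return flagged


# Constructed addresses (not real wallets)
TRUSTED = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
LOOKALIKE = "0x1a2b" + "f" * 32 + "9a0b"            # same visible ends, different middle
OTHER = "0x" + "0123456789abcdef" * 2 + "00000000"  # unrelated address
ADDRESS_BOOK = {"exchange": TRUSTED}
HISTORY = [  # constructed: a genuine payment, then a zero-value transfer from the impostor
    {"from": TRUSTED, "value_wei": 10**18},
    {"from": LOOKALIKE, "value_wei": 0},
]

if __name__ == "__main__":
    for addr in (TRUSTED, LOOKALIKE, OTHER):
        print(addr, "->", check_recipient(addr, ADDRESS_BOOK))
    print("poisoned history entries:", flag_poisoned_history(HISTORY, ADDRESS_BOOK))
```

The defensive takeaway the check encodes: compare the full address against a saved contact rather than the truncated display, and never copy a recipient from the recent-transactions list.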

Posted on: January 13, 2023
