Go to listing page

Cyware Daily Threat Intelligence, January 18, 2022

Cyware Daily Threat Intelligence, January 18, 2022

Share Blog Post

Security researchers have unmasked two sophisticated attack campaigns that went undetected for a long time. One of these attacks is attributed to the Earth Lusca APT group that targeted high-profile organizations worldwide, supposedly for monetary gains. Another attack campaign, which is likely linked to the Fancy Bear and Konni threat actor groups, targeted organizations focusing on renewable energy. The campaign was designed to pilfer the credentials of employees.

In a major security update, Oracle has issued patches for over 400 security vulnerabilities affecting its products. Many of these flaws can be exploited remotely without authentication.

Top Breaches Reported in the Last 24 Hours

Earth Lusca APT goes global
A threat actor group called Earth Lusca has been observed targeting organizations worldwide in an attempt to reap monetary benefits. The list of victims includes governmental and educational institutions in Hong Kong, COVID-19 research organizations, and the media, among others. The group is believed to be a part of the larger China-based Winnti cluster. Earth Lusca’s intrusion routes are facilitated by spear-phishing emails and watering hole attacks.

Large-scale espionage campaign observed
A large-scale cyberespionage campaign primarily targeting renewable energy and industrial technology organizations has been found to be active since 2019. Threat actors behind the campaign used legitimate websites, DNS scans, and public sandbox submissions to steal login credentials of workers. The targeted organizations include Schneider Electric, Honeywell, Huawei, Telekom Romania, University of Wisconsin, Utah State University, and Taiwan Forestry Research Institute, among others.

Crypto exchange suffers outage
Major cryptocurrency exchange Crypto[.]com was forced to halt its operations following the discovery of suspicious activity on some users’ accounts. However, the firm reported that all funds were safe.

Top Malware Reported in the Last 24 Hours

Newly discovered White Rabbit ransomware
Researchers have tracked a new ransomware family, named White Rabbit, that targeted a local U.S. bank in December 2021. The new malware borrows some of its features from Egregor ransomware. The ransomware uses the double extortion strategy to threaten its victims. It appends the encrypted files with ‘.scrypt.txt’ extension. 

Top Vulnerabilities Reported in the Last 24 Hours

Oracle releases patches for 483 flaws
Oracle has issued security patches for 483 new security vulnerabilities as part of Critical Patch Update for January 2022. The patches address vulnerabilities affecting its Essbase, Graph Server and Client, Secure Backup, Communication Applications, Construction and Engineering, Enterprise Manager, Financial Services Applications, Fusion Middleware, and Insurance Applications. Many of these flaws can be exploited remotely without authentication.

Vulnerability in IDEMIA biometric devices
A critical vulnerability impacting multiple IDEMIA biometric identification devices can be exploited to unlock doors and turnstiles. The flaw, which has not yet received a CVE identification number, can also be exploited to cause a DoS condition. Affected products include MorphoWave Compact MD/MDPI/MDPI-M, VisionPass MD/MDPI/MDPI-M, all variants of SIGMA Lite/Lite+/Wide, SIGMA Extreme, and MA VP MD. The company plans to introduce the use of TLS in future firmware releases to eliminate the risk.

SAP fixes an improper patch
An improper security patch issued to address a critical vulnerability in SAP NetWeaver AS ABAP and ABAP Platform can be abused to launch supply chain attacks. The original flaw, tracked as CVE-2021-38178, was fixed in the October 2021 SAP Patch Day. Patches for the newly found vulnerability are now available from SAP.

VMWare issues patches
A Server-Side Request Forgery (SSRF) vulnerability in versions of VMWare’s authentication software could allow attackers to obtain administrative JSON Web Token (JWT). The vulnerability, tracked as CVE-2021-22056, has a CVSS score of 5.5. Another authentication bypass vulnerability (CVE-2021-22057) was found affecting VMWare Workspace ONE Access. VMWare has patched the issues in its latest versions of the software.


white rabbit ransomware
idemia biometric devices
sap netweaver as abap platform
earth lusca apt
utah state university

Posted on: January 18, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.