Go to listing page

Cyware Daily Threat Intelligence, January 21, 2022

Cyware Daily Threat Intelligence, January 21, 2022

Share Blog Post

An anomalous spyware attack campaign has taken researchers by surprise as attackers managed to pilfer over 7000 corporate credentials on ICS networks in roughly 25 days. The highlight point of the campaign was the use of a variety of commodity malware, such as AgentTesla, HawkEye, Azorult, Formbook, and Lokibot, that were distributed via spear-phishing emails in short-lived attacks against a small number of targets.

Cybercriminals have found a new trick to dupe cryptocurrency enthusiasts and this involves creating a buzz around a never-heard-before Amazon crypto token. So, beware of such traps as this can lead to parting away with your funds. In another concerning news, the Google search engine has become a go-to attack vector for threat actors as Singapore Police Officer (SPF) revealed a nasty scam that caused a loss of over $300,000.

Top Breaches Reported in the Last 24 Hours

Anomalous spyware campaign
An anomalous spyware attack campaign, coined by Kaspersky, targeted industrial enterprises in a bid to steal email account credentials, and conduct financial fraud or resell them to other actors. The campaign was active for roughly 25 days, during which attackers distributed a variety of commodity malware, such as AgentTesla, HawkEye, Azorult, Formbook, and Lokibot via spear-phishing emails. At least 2000 compromised corporate email accounts were identified belonging to industrial companies and another 7,000 email accounts were put for sale on the web.

Breaching WordPress sites
AccessPress Themes plugin was abused to inject suspicious code into WordPress sites. The compromise took place in September last year. Attackers could breach the sites by exploiting vulnerabilities in the plugin.

Update on Molerats APT attack
A new research on the Molerats APT attack campaign, which was identified in December 2021, reveals that the campaign has been active since July 2021. The attackers only switched the distribution in December 2021 with minor changes in the .NET backdoor. The targets included the banking sector in Palestine, and human rights activists and journalists in Turkey.

Bank Indonesia hit by ransomware
Bank Indonesia (BI), confirmed a ransomware attack that hit its network last month. Following the attack, the attackers stole non-critical data belonging to the bank, CNN Indonesia reported. The incident was mitigated before impacting the bank’s public services.

Top Malware Reported in the Last 24 Hours

FBI updates on Diavol ransomware
The FBI formally announced that they have linked the Diavol ransomware operations to the TrickBot gang. They have shared an advisory that includes indicators of compromise seen in previous attacks. While ransom demands range from $10,000 to $50,000, the FBI has not yet observed Diavol leaking victim data. 

Top Vulnerabilities Reported in the Last 24 Hours

Flawed WP HTML Mail plugin
The WordPress WP HTML Mail plugin is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails. The issue lies in the plugin’s registration of two REST-API routes used to retrieve and update email template settings. The developers have fixed the flaw in version 3.1of the WP HTML Mail plugin.

McAfee issues patches
McAfee has issued patches for security vulnerabilities discovered in the company’s enterprise product component. The flaw could enable attackers to escalate privileges and execute arbitrary code with SYSTEM privileges. Tracked as CVE-2022-0166, the flaw has been patched with the release of McAfee Agent 5.7.5. Another flaw, tracked as CVE-2022-31854, can be exploited by a local user to inject arbitrary shell code into a file.

Top Scams Reported in the Last 24 Hours

Cryptocurrency-related scam
Cybercriminals are leveraging Amazon’s brand name to promote a new cryptocurrency-related scam. They are creating a sense of panic and anxiety among users by promising a lucrative investment opportunity. This involves publishing fake social media posts in groups that are interested in the cryptocurrency space. If users click on a post, they are redirected to a fake CNBC Decoded news website that includes an article on the soon-to-be-released Amazon crypto token.

Scammers abuse Google ads
Singapore Police Force (SPF) is warning users about a new scam tactic that leverages Google’s search platform. The scam targets users who are looking for a bank’s contact number on Google. The poisoned ads would show up on the first few search results and contain fake contact details for that bank. According to SPF, the scam has caused a loss of about $367,775 since December 2021.


hawkeye keylogger malware
agenttesla keylogger
amazon crypto token

Posted on: January 21, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.