Go to listing page

Cyware Daily Threat Intelligence, January 24, 2023

Cyware Daily Threat Intelligence, January 24, 2023

Share Blog Post

Sliver gets mainstream! The exploitation of the cross-platform post-exploitation framework has soared owing to the features it offers to hackers. Hacker groups that have used this tool in the recent past include the APT29 group (aka Cozy Bear), TA551, and Exotic Lily. While it has added woes for the cybersecurity community, there is another malware threat from the Chinese 8220 Gang who are targeting public cloud environments with custom crypto miner PwnRig and Tsunami IRC bot.

Security researchers also laid bare two critical pre-authentication bugs in OpenText’s Enterprise Content Management (ECM) product. The security holes specifically impact the product’s Content Server component. A hacker could abuse it to pull off RCE attacks on vulnerable servers.

Top Breaches Reported in the Last 24 Hours


U.K’s car dealership firm attacked
The PLAY ransomware group added Arnold Clark, one of the U.K’s largest car dealerships, as a victim on its leak site. The firm did not confirm the nature of the attack in its tweet from January 3rd but claimed to have protected customer data after observing suspicious activities. Several types of sensitive documents, including National Insurance numbers (like SSNs in the U.S.), bank statements, passport data, and car finance documents were leaked.

Unsecured data on educational app
A security misconfiguration in Diksha, a public education app, exposed the PII of 1.6 million students. The app, which is operated by India’s Education Ministry, had an unattended database that was left exposed via an Azure server for over a year. It was launched in 2017. Diksha became a primary tool for students during the pandemic.

Top Malware Reported in the Last 24 Hours


Sliver grabs attention as a post-exploitation tool
Sliver, which began as an alternative to Cobalt Strike, is being used by several threat actors as a second-stage dropper. It's used to perform the next steps of the attack chain after hackers have infiltrated via the initial intrusion vectors such as spear-phishing or by abusing unpatched flaws. Its features, such as dynamic code generation, in-memory payload execution, and process injection, make it an attractive tool for criminals.

Deploy PwnRig and IRC bot for cryptomining
Chinese 8220 Gang was seen targeting public cloud infrastructures and poorly secured applications with PwnRig miner and Tsunami IRC bot for cryptomining purposes. Its activities came to light after it attempted to infect one of Radware's Redis honeypots earlier this month. Experts warned that the group’s attack significantly affects a system's performance while exposing systems to other security risks.

Vice Society enters manufacturing
According to Trend Micro’s telemetry data, the Vice Society ransomware group — infamous for launching attacks against the education and healthcare sectors — has ventured into the manufacturing sector. It is most likely buying access in the form of compromised credentials from underground hacker forums. Its samples were detected in Brazil, Argentina, Switzerland, and Israel.

SparkRAT tool abused by Chinese hackers
A series of attacks was discovered infecting organizations in East Asia with SparkRAT, originally an open source tool. TTPs of the attacks point toward the involvement of a Chinese-speaking threat actor dubbed DragonSpark. The Microsoft Security Threat Intelligence team reported about threat actors using SparkRAT for the first time in late December 2022.

Top Vulnerabilities Reported in the Last 24 Hours


Pre-authentication bugs in OpenText
Researchers at Sec Consult reported a couple of critical pre-authentication flaws in OpenText Extended ECM. The first bug, identified as CVE-2022-45923, is in the cs.exe component of the Extended ECM server. The other, CVE-2022-45927, resides in the Java frontend of the Extended ECM server that could allow an attacker to bypass authentication for remote code execution.

AWS addressed bypass bug
A vulnerability that attackers could exploit to circumvent CloudTrail API monitoring has been fixed by AWS. cybercriminals could perform reconnaissance activities while laying low in the IAM service. The Datadog Security Research Team, who discover the bug, said sound hackers could also use the same technique to bypass Amazon’s GuardDuty.

Top Scams Reported in the Last 24 Hours


QR code scam against Chinese speakers
FortiGuard Labs unearthed a phishing campaign aiming at Chinese language users through malicious QR codes. The email spoofs the Chinese Ministry of Finance and contains a Microsoft Word attachment that has a QR code enclosed. Unsuspecting users scanning it may lose their credentials to the websites owned by the threat actor.

 Tags

pwnrig
cloudtrail logs
manufacturing sector
sparkrat
amazon guardduty
tsunami irc bot
diksha education app
play ransomware
dragonspark
opentext extended ecm
arnold clark
vice society ransomware
8220 gang
chinese ministry of finance
qr code scams
sliver

Posted on: January 24, 2023


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.