Go to listing page

Cyware Daily Threat Intelligence, January 28, 2022

Cyware Daily Threat Intelligence, January 28, 2022

Share Blog Post

Another day, another Android security alert. Users are advised to delete a malicious app named 2FA Authenticator that propagates a new trojan dubbed Vultur. Embedded with screen recording and keylogging capabilities, the malware is being used to target online banking users in Italy, Australia, and Spain. 

Moving on to other threats, the infamous North Korean Lazarus APT group is back with yet another fake job-themed phishing campaign that targets job-seeking engineers. First detected on January 18, the campaign makes use of the Windows Update client and GitHub to execute malicious payloads. The notorious Conti ransomware group is also in the headlines for targeting a Taiwanese firm.

Top Breaches Reported in the Last 24 Hours

French Ministry of Justice targeted
Cybercriminals leveraged LockBit 2.0 to steal files after breaching systems belonging to France’s Ministry of Justice. While the Ministry has taken remedial measures to contain the attack, the attackers have begun leaking the stolen data on their Tor-based website. The attack was launched by exploiting a remote code execution vulnerability (CVE-2021-22986) in an F5 Networks product.

Lazarus returns with job-theme lures
The notorious Lazarus threat actor group has been associated with a series of spear-phishing attacks, detected on January 18. The campaign used job-themed lures impersonating Lockheed Martin aerospace company to target users. The attackers made use of the Windows Update service and GitHub to execute malicious payloads.

Delta Electronics hit by Conti
Delta Electronics fell victim to a cyberattack by Conti ransomware. While the firm is working to restore systems taken down during the attack, it has disclosed that the attack had no significant impact on its operations. However, the gang claims to have infected 1,500 servers and 12,000 computers of the firm.

Facebook accounts being hijacked
Finland’s National Cyber Security Centre (NCSC-FI) has issued a warning about an ongoing phishing campaign that attempts to hijack Facebook accounts. The campaign starts with threat actors impersonating victims’ friends and initiating a conversation on Messenger.

Top Malware Reported in the Last 24 Hours

Vultur banking trojan spotted
A trojanized 2FA Authenticator app has been removed from Google Play Store after it was found distributing a new malware dubbed Vultur. The malicious app had garnered over 10,000 downloads before it was taken down. The trojan is capable of collecting personal information, disabling keylock and password security, downloading external apps, and creating overlay windows over the mobile application windows. It was used against European banking institutions, as well as a range of cryptocurrency wallet platforms.

Top Vulnerabilities Reported in the Last 24 Hours

QNAP force updates NAS devices
QNAP has force-updated customers’ NAS devices following the rise in the attacks by newly discovered DeadBolt ransomware. The ransomware has already encrypted over 3,600 devices. The threat actors claim to be using a zero-day vulnerability to hack QNAP devices.

A critical flaw in the Swiss Railway system
A hacker has raised alarms about a vulnerability impacting Switzerland’s national railway system. The flaw allowed the hacker to gain access to the personal data of around 500,000 individuals, who purchased tickets to ride on Swiss Federal Railways.


qnap device
conti ransomware group
github account
lockbit 20
2fa authenticator app
lazarus apt group

Posted on: January 28, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.