Go to listing page

Cyware Daily Threat Intelligence, July 06, 2022

Cyware Daily Threat Intelligence, July 06, 2022

Share Blog Post

Introducing a new ransomware strain right after the day another ransomware group (AstraLocker) announced shutting down its operations. RedAlert, aka N13V, targets both Windows and Linux VMWare ESXi servers located on corporate networks. The hacker group behind it expects ransom payments only in Monero. In another update, a high-severity threat in the form of a critical SpEL injection bug was patched in Spring Data MongoDB. The bug could pave the way for RCE attacks.

An American multinational company in the hospitality sector, which has suffered major data loss at least twice earlier, has once again fallen victim to a security breach. Hackers involved in this have allegedly been operating for the past five years.


Top Breaches Reported in the Last 24 Hours


Major data breach at Marriott International
Marriott International disclosed an extortion attempt by a cybercriminal group after it penetrated its networks and extracted nearly 20GB of personal data of guests and workers. Hackers reportedly used social engineering tricks to compromise one of the associate’s computers at one of its hotels. Hackers claimed they were an international cybercrime group working for about five years.

DeFi platform lost nearly $9 million
Crema Finance, a Solana-based liquidity protocol, lost over $8.7 million in a crypto hack. Hackers created a fake tick account, which is a dedicated account that stores price tick data in CLMM, and abused it by writing arbitrary commands and bypassing security measures. The DeFi platform had to suspend its smart contract after the flash loan attack.

Ransomware hit over 650 healthcare providers
Northern Colorado-based Professional Finance Company is notifying the patients of 657 healthcare providers in the U.S. about a ransomware attack that may have impacted their personal information. Exposed data includes names, birth dates, addresses, payment-related data, SSNs, and health insurance and medical treatment records.

Top Malware Reported in the Last 24 Hours


New double extortion ransomware spotted
Researchers discovered new ransomware named RedAlert, or N13V, aimed at Windows and Linux VMWare ESXi servers of corporate networks. Hackers publish stolen data on their data leak site that is downloadable by anyone. For payment from the victims, the group only accepts the Monero cryptocurrency, which is essentially a privacy coin.

Top Vulnerabilities Reported in the Last 24 Hours


Microsoft silently patched ShadowCoerce
As part of its June 2022 round of updates, Microsoft has addressed the ShadowCoerce vulnerability that could be abused to target Windows servers by pulling off NTLM relay attacks. This method can force unpatched Microsoft servers to authenticate against servers under the hackers’ control, hence, leading to a takeover of the Windows domain. The flaw, which saw no public announcement, is yet to receive a CVE ID.

Security Hole in VMWare’s Spring project
A critical Spring Expression Language (SpEL) injection flaw affecting Spring Data MongoDB was patched. Spring Data MongoDB provides object-document support and repositories for MongoDB, whereas SpEL supports the querying and manipulation of object graphs at runtime. The flaw, tracked as CVE-2022-22980, has been given a CVSS score of 9.8.

Top Scams Reported in the Last 24 Hours


Large-scale phishing campaign
CloudSEK researchers unraveled an extensive phishing operation impersonating the Ministry of Human Resources from the UAE. Hackers created dummy websites resembling legitimate domains as bait and exposed potential victims to 419 and BEC scams. In this campaign, attackers targeted various government and corporate entities, including finance, travel, legal, hospital, oil and gas, and consulting industries. 

 Tags

bec scams
personal data
marriott international
redalert
social engineering tricks
rce attacks
ntlm relay attacks
shadowcoerce vulnerability
ministry of human resources
vmware esxi servers
phishing campaigns
crema finance
professional finance company pfc usa
spel injection vulnerability
cve 2022 22980
defi platform
uae

Posted on: July 06, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.