Go to listing page

Cyware Daily Threat Intelligence, July 25, 2022

Cyware Daily Threat Intelligence, July 25, 2022

Share Blog Post

Software cracks and keygen sites could be attractive but it’s extremely unsafe. A malware campaign by SmokeLoader operators was spotted dropping the Amadey Bot, a rarely used malware since 2020, via similar lures. On the other side, LockBit added two new victims to its leak site - the Italian Revenue Agency and a Canadian city. The attack on the revenue agency withholds nearly 78GB of data.

A couple of vulnerabilities in the FileWave MDM product pushed servers of more than 1,100 organizations to the verge of serious breaches. Attackers could have easily abused these flaws to access internal networks of the firms and to install malware across macOS, iOS, Windows, and Android devices.

Top Breaches Reported in the Last 24 Hours


Millions of Twitter accounts impacted
A hacker known by the moniker ‘devil’ claims to have exploited a bug to steal phone numbers and email addresses of about 5.4 million Twitter accounts. The stolen data—belonging to celebrities, companies, OGs, and other individuals—is listed for the price of $30,000. The threat actor reportedly abused the vulnerability in December 2021.

Insurance provider hit by cyberattack
An unidentified hacker group infiltrated the networks of PB Fintech, an online insurance broker and comparison platform. Officials claimed that no sensitive data of customers was exposed during the incident. They declared that the bugs in the company’s systems were identified. The investigation into the matter continues.

78GB data lost by Italian Revenue Agency
LockBit ransomware group announced that it pilfered 78GB of data from Agenzia delle Entrate (Italian Revenue Agency). It has revealed its plan to release file samples soon that is expected to include sensitive company documents, scans, financial reports, and contracts. The LockBit gang had recently released LockBit 3.0.

Hackers targeted Entrust
Security giant Entrust disclosed that cybercriminals harvested data from its internal servers. Entrust services are leveraged by several US government agencies. This attack, depending on data acquired by the hackers, could have a major impact on organizations leveraging the Entrust platform for ID management and authentication.

Canadian town network encrypted
The town of St. Mary’s in Ontario, Canada, appears to have suffered a ransomware attack that affected its internal systems. The LockBit ransomware group recently listed townofstmarys[.]com on its leak site. Authorities admitted to receiving a ransom demand but have not paid anything yet. The leak includes confidential information from multiple departments of the town.

Top Malware Reported in Last 24 Hours


Amadey Botnet re-emerges with new face
AhnLab uncovered a new version of the Amadey Bot. The version dubbed 3.21 can identify at least 14 antivirus products and fetch payloads that can evade the active ones. The malware is being propagated through the SmokeLoader malware posing as a software crack or keygen.

Konni RAT used against European entities
A new campaign by the North Korean threat group APT37 was found targeting credible organizations in the Czech Republic, Poland, and other European countries using Konni RAT. The attack tactic involves a phishing email containing a Word document (missile.docx) and a Windows Shortcut file (_weapons.doc.lnk.lnk). The malware can capture screenshots and extract credentials saved in browsers. 

QBot’s new infection technique
Security experts at ProxyLife have found QBot operators abusing the Windows 7 Calculator app for DLL side-loading attacks in its latest malspam campaigns. The exploitation is believed to have begun on at least July 11. The emails were observed carrying an HTML file attachment, which downloads a password-protected ZIP archive with an ISO file inside.

Top Vulnerabilities Reported in the Last 24 Hours


Flaws in Cisco Nexus Dashboard
Three bugs in Cisco Nexus Dashboard were found enabling hackers to execute arbitrary commands or launch cross-site request forgery attacks. Cisco is unaware of any exploitation of one critical and two high-severity bugs in the wild. The most critical of them is CVE-2022-20857, with a CVSS score of 9.8. The other two are tracked as CVE-2022-20861 and VE-2022-20858 with CVSS scores of 8.8 and 8.2, respectively.

FileWave’s MDM was insecure
Security holes in mobile device management (MDM) product from FileWave jeopardized servers at over 1,100 organizations. Researchers identified an authentication bypass issue, CVE-2022-34907, and a hardcoded cryptographic key, CVE-2022-34906, in the FileWave product. Cybercriminals could steal sensitive data and deliver payloads to targeted organizations.

Drupal flaws receive patch
Drupal developers and the CISA have informed users to install security updates to fix vulnerabilities in the popular CMS. The most severe of these is an arbitrary PHP code execution, identified as CVE-2022-25277. The other three moderately critical bugs lead to XSS attacks, information disclosure, or privilege escalation.

An SQLi bug found in SonicWall products
SonicWall’s Analytics On-Premise and Global Management System products have suffered a critical SQL injection flaw. Tracked as CVE-2022-22280, it has been assigned the CVSS score of 9.4 and is urging customers to patch it immediately. The firm clarified that it hasn’t discovered any instance of active exploitation of the flaw.

 Tags

drupal flaw
town of st marys
twitter accounts
qbot
konni rat
amadey botnet
pb fintech
entrust
apt37
cisco nexus dashboard
agenzia delle entrate
sqli bug
lockbit 30
filewave mdm
dll side loading attack

Posted on: July 25, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.