Go to listing page

Cyware Daily Threat Intelligence, June 14, 2022

Cyware Daily Threat Intelligence, June 14, 2022

Share Blog Post

The world of web3 is at the heart of yet another increasingly bizarre internet scam. There’s a SeaFlower operation that aims to infect web3 users through imposter websites and SEO poisoning and black SEO techniques promoting fake crypto wallets.

New cyber threats hover over Drupal users. Researchers have reported vulnerabilities in a third-party library that the platform leverages to handle HTTP requests and responses to external services. In another thread, a sensitive data leak event has hit the principal stock exchange in Uganda.



Top Breaches Reported in the Last 24 Hours


Healthcare institution’s networks compromised
Kaiser Permanente disclosed a data exposure incident that concerns PII and medical data of about 70,000 individuals. The information exposed in the attack includes the full names of patients, medical record numbers, dates of service, and laboratory test results. No sensitive information, such as SSNs and credit card numbers, were leaked. Hackers penetrated the systems by compromising an employee’s email account.

Uganda Securities Exchange laid bare sensitive data
A misconfigured database on the servers of Uganda Securities Exchange blurted out more than 32GB worth of data online. The leaked data included plain-text login credentials of customers and businesses using the Easy Portal of the exchange. Easy Portal is a self-service portal for users and trading partners to view stock performance, statements, and monitor account balance.

Top Malware Reported in the Last 24 Hours


Palo Alto Networks uncovers PingPull
Researchers at Unit 42 spotted the China-linked Gallium APT dropping PingPull, a previously undetected RAT, in a recent cyberespionage campaign directed at South Asia, Europe, and Africa. Written in Visual C++, the malware lets hackers access a reverse shell and run arbitrary commands on compromised systems. Researchers also noted PingPull’s variants using HTTPS and TCP for C2 communications instead of ICMP.

BlackCat operators eye Microsoft Exchange servers
According to Microsoft, vulnerable Microsoft Exchange servers are being targeted by BlackCat ransomware affiliates. In an incident, hackers exploited a victim’s Microsoft server to hold stolen credentials and data for extortion. Additionally, two of the most prolific affiliate groups—associated with the likes of Hive, Conti, and Ryuk ransomware—have switched to deploying BlackCat, says the report.

Highly-evasive malware for Linux systems 
A new Linux rootkit, dubbed Syslogk, was seen in attacks aiming to hide malicious processes while deploying a backdoor called Rekoobe on the device. Reports find that the malware is currently being developed by its authors, whose project is based on Adore-Ng, an old open-source rootkit. Syslogk rootkit has the ability to force-load its modules into the Linux kernel.

Fake cryptocurrency wallets out hunting
Trojanized mobile cryptocurrency wallet applications for MetaMask, Coinbase, TokenPocket, and imToken have surfaced lately. The campaign, dubbed SeaFlower by researchers at Confiant, has been labeled as one of the most technically sophisticated threats conspired against Web3 enthusiasts. The language used in the campaign hints at the involvement of Chinese actors.

Top Vulnerabilities Reported in the Last 24 Hours


Critical flaws impact Drupal users
Security experts at Drupal raised an alert around a pair of high-risk vulnerabilities that hackers can exploit to remotely hijack Drupal-powered websites. Tracked as CVE-2022-31042 and CVE-2022-31043, the flaws were fixed by Guzzle, the third-party library that Drupal engages with. Drupal has released an advisory stating that the flaws may affect some contributed projects or custom code on sites.

SynLapse is patched
Orca Security discovered SynLapse, a critical Synapse Analytics vulnerability in Microsoft Azure that also affects Azure Data Factory. An attacker can bypass tenant separation to obtain credentials to other Azure Synapse customer accounts, execute code on targeted machines, and even access customer credentials. Researchers suggest moving to a sandboxed environment and restricting API access.

DoS flaw on Envoy Proxy servers
JFrog stumbled across a DoS vulnerability in Envoy Proxy, an open-source edge and service proxy server designed for cloud-based applications and high-traffic websites. The flaw, identified as CVE-2022-29225, allows attackers to crash a proxy server and impact its performance. Users are requested to upgrade to Envoy versions 1.19.5, 1.20.4, 1.21.3, and 1.22.1.

 Tags

azure data factory
drupal site
gallium group
syslogk
uganda securities exchange use
cryptocurrency scams
metamask
seaflower
pingpull malware
envoy proxy
easy portal
kaiser permanente

Posted on: June 14, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.