Go to listing page

Cyware Daily Threat Intelligence, March 02, 2022

Cyware Daily Threat Intelligence, March 02, 2022

Share Blog Post

Phishing attacks against European countries have ramped up amidst the Ukrainian crisis. In a new finding, the infamous Ghostwriter hacking group has been associated with a series of email phishing attacks targeting NATO entities. The ultimate goal of the attack is to deploy Lua-based SunSeed malware downloader that unleashes other malicious payloads. There’s also an update about a new and third data-wiper malware dubbed IssacWiper which was used against Ukrainian organizations. Notably, the new malware includes a component to deliver the recently discovered HermeticWiper malware.

In other concerning threats, researchers deciphered a new form of TCP amplification attack that leverages vulnerable middleboxes and firewalls to intensify the volume of DoS attacks. Middlebox devices from the likes of Cisco, Fortinet, SonicWall, and Palo Alto Networks are vulnerable to this new attack method.

Top Breaches Reported in the Last 24 Hours

Aon attacked
Global insurance broker, Aon, is investigating a cyber incident that impacted some of its systems. The incident was detected on February 25. The U.S. Security Exchange Commission (SEC) has released complete details about the attack.

Top Malware Reported in the Last 24 Hours

TeaBot trojan upgraded
A new version of TeaBot is now targeting over 400 applications which include banks, crypto exchanges, and digital insurances. The attacks, driven via spam text messages, are being targeted against users in Russia, Hong Kong, and the U.S.

SunSeed malware
A phishing campaign has been found using compromised email accounts of Ukrainian armed services to spread Lua-based SunSeed malware. The campaign appears to target European government personnel who are involved in managing the logistics of refugees from Ukraine. Lately, the campaign has been upgraded to target NATO entities and is tentatively linked with the Ghostwriter hacking group.

Newly found HermeticRansom 
Researchers have demystified a newly found Golang ransomware dubbed HermeticRansom. Also called PartyTicket, the ransomware encrypts specific files and appends them with .encryptedJB extension. It uses AES and RSA-OAEP algorithms to encrypt files and later drops an HTML ransom note on the victim’s desktop.

New IssacWiper malware
ESET researchers uncovered a third new data wiper malware, dubbed IssacWiper, that was used against hundreds of machines located in Ukraine. According to the researchers, the malware has been active since February 24 and includes both a wiper and a worm component to spread HermeticWiper in local networks.

Top Vulnerabilities Reported in the Last 24 Hours

Flawed Skype extension plugin fixed
Microsoft fixed a privacy bug in its Skype extension for Chrome that left millions of users’ information at risk. The flaw resided in the extension’s identity-tracking functionality. The flaw allowed anyone to retrieve usernames and profile images on Skype.

Flawed PJSIP library fixed
As many as five security vulnerabilities were disclosed in the PJSIP open-source multimedia communication library. They could be exploited by attackers to trigger arbitrary code execution and denial of service in applications. The flaws were fixed by the developers with the release of new patches.

Chrome 99 fixed
Google has published a stable version of Chrome 99 with a total of 28 security patches. One of these is tracked as a heap-buffer overflow vulnerability (CVE-2022-0789). Other flaws are described as a use-after-free vulnerability, an out-of-bounds read issue, a data leak vulnerability, and an out-of-bounds memory access vulnerability.

Top Scams Reported in the Last 24 Hours

eBike-related phishing scams
A large-scale phishing campaign leveraging over 200 phishing sites has tricked users into making fake investments for buying e-bikes or registering for dealerships. The fraudulent operation relies on the abuse of Google Ads and SEO to draw victims. The campaign has caused financial damages of up to $1000,000 and a majority of the affected are Indians.

New Threat in Spotlight

New form of TCP Amplification attack 
Researchers detected a series of new TCP reflection/amplification attacks that leverage a new technique to knock websites offline. The amplification attack abuses vulnerable middleboxes such as firewalls via TCP to magnify denial of service attacks. Middlebox devices from the likes of Cisco, Fortinet, SonicWall, and Palo Alto Networks are vulnerable to this new attack method.

 Tags

cisco vpns
phishing scams
issacwiper malware
hermeticwiper malware
hermeticransom
tcp amplification attack
sunseed malware

Posted on: March 02, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.