Go to listing page

Cyware Daily Threat Intelligence, March 08, 2022

Cyware Daily Threat Intelligence, March 08, 2022

Share Blog Post

Ragnar Locker ransomware has come under the FBI’s scrutiny as it widely targets several organizations in the U.S. In an advisory, the agency revealed that the ransomware has breached at least 52 organizations in critical infrastructure sectors as of January 2022. Meanwhile, the notorious Lapsus$ ransomware gang is once again in the headlines for targeting an Argentina-based e-commerce giant.

Several newly discovered vulnerabilities impacting different devices were also reported in the last 24 hours. The most severe of these is tracked as Access:7, a set of seven vulnerabilities that affects the IoT remote access tool Axeda agent and can put medical devices at risk. The other is dubbed Dirty Pipe that affects specific versions of the Linux kernel. Patches to address these flaws have been released by the vendors.

Top Breaches Reported in the Last 24 Hours

Ragnar Locker targets 52 organizations
The FBI disclosed that the Ragnar Locker ransomware has targeted at least 52 organizations across 10 critical infrastructure sectors in the U.S. These attacks have been identified since January 2022. The impacted ones include entities in the critical manufacturing, energy, financial services, government, and IT sectors. The alert shared IOCs to detect and block Ragnar Locker ransomware attacks.

Mercado Libre attacked
Argentina-based e-commerce giant Mercado Libre has confirmed a cyberattack that resulted in unauthorized access to a part of its source code. The announcement comes after the Lapsus$ gang threatened to leak data allegedly stolen from the firm. The firm has also activated security protocols to contain further spread of the attack.

Rompetrol affected
Rompetrol, the largest oil refinery in Romania, has suffered a major attack by Hive ransomware. Following the attack, the petroleum provider was forced to shut down its websites and the Fill&Go services at gas stations. Meanwhile, the group has demanded $2 million in ransom for the decryption key.

Top Malware Reported in the Last 24 Hours

Emotet trojan campaign detected
More than 500 Microsoft Excel files were used in a fresh campaign to deliver Emotet trojan on the victims’ devices. As part of the campaign, the attackers used VBS and PowerShell scripts to stay under the radar while continuing with the infection process. Additionally, the trojan uses anti-analysis techniques to prevent its code from being analyzed.

Agent Tesla trojan returns
A phishing campaign that deceived users with a fake purchase order for a Ukrainian manufacturing organization was used to deliver Agent Tesla trojan. The email contained a PowerPoint attachment that caused the download of the trojan.

Top Vulnerabilities Reported in the Last 24 Hours

Newly discovered Access:7 flaws
A set of seven vulnerabilities collectively tracked as Access:7 have been found in PTC’s Axeda agent that is used by over 150 connected devices from more than 100 vendors. Three of these flaws have a high severity score and could be exploited for remote code execution on devices running a vulnerable version of the Axeda agent. Axeda has addressed all vulnerabilities with the release of latest versions for the Axeda agent.

Microsoft fixes AutoWrap flaw
Microsoft has fixed a vulnerability in the Azure Automation service that allowed an attacker to take complete control of other Azure customers’ data. Dubbed AutoWrap, the flaw enabled the attackers to steal Azure customers’ Managed Identities authentication tokens from an internal server that manages the sandboxes of other users.

Flaws in TNAS devices fixed
Several critical security vulnerabilities discovered in Terramaster NAS (TNAS) devices could have allowed attackers to attain remote code execution attacks with the highest privileges. The issue resided in TOS and has now been fixed in TOS version 4.2.30. One of the issues, tracked as CVE-2022-24990, is related to information leakage in a component called webNasIPS.

RCE flaw in Citrix exploited
CrowdStrike researchers investigated an incident that involved the exploitation of a remote code execution vulnerability (CVE-2021-22941) impacting Citrix ShareFile Storage Zones Controller. The flaw was exploited by the PROPHET SPIDER threat actor group to compromise a Microsoft Internet Information Services (IIS) web server and deploy a webshell that enabled the downloading of additional tools.

Dirty Pipe flaw fixed
A Linux flaw, dubbed Dirty Pipe and tracked as CVE-2022-0847, can allow threat actors to gain root privileges on all major distros. The flaw affects versions after 5.8 of the Linux kernel. It has been fixed in versions 5.16.11, 5.15.25, and 5.10.102.

 Tags

access7 vulnerabilities
mercado libre
emotet trojan campaign
agent tesla trojan
ragnar locker ransomware
rompetrol

Posted on: March 08, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.