
Cyware Daily Threat Intelligence, May 02, 2022

As Black Basta ransomware springs into action with destructive attacks against organizations, some researchers believe there may be a connection to the notorious Conti group. The assumption is based on similarities between the two groups' leak sites and payment sites. In another update, a new variant of AvosLocker ransomware with additional evasion capabilities has emerged in the threat landscape. The variant is also capable of scanning multiple endpoints for the Log4j vulnerability using an Nmap NSE script.

Threat actors were also observed over the weekend targeting AWS projects with malicious packages. The attackers leveraged two malicious versions of AWS packages to exfiltrate system information.

Top Breaches Reported in the Last 24 Hours

Over $80 million stolen from DeFi platforms
Rari Capital and Fei Protocol suffered a major loss after threat actors stole more than $80 million from the two platforms. The attackers exploited a reentrancy vulnerability in Rari’s Fuse lending protocol to carry out the theft. Rari Capital acknowledged the hack, adding that borrowing has been paused globally and that no further funds were at risk.

Onleihe struggling to recover
Onleihe, a popular German library service, notified its users about a potential cyberattack that affected its website and app. The incident occurred after the LockBit ransomware group targeted its service provider EKZ last month. The firm has yet to determine whether any personal data was stolen in the attack.

Top Malware Reported in the Last 24 Hours

New AvosLocker variant
Researchers observed a new variant of AvosLocker ransomware that uses a legitimate driver file to disable anti-virus solutions. The ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability using an Nmap NSE script. In one instance, the variant leveraged a flaw in Zoho ManageEngine ADSelfService Plus to gain initial entry.

Malicious packages removed
Researchers recently identified and blocked two malicious versions of Amazon Web Services (AWS) packages. One of them, tracked as hl7.fhir.r3.core, was uploaded as a test by the malicious actor. The other, named @aws-cdk-example-dynamic-web-config/shared, contained malicious code that exfiltrates user information such as environment variables, operating system, and hostname.

Update on new Black Basta ransomware
Researchers believe that the new Black Basta ransomware is possibly linked to the notorious Conti group. The assumption is based on similarities between the two groups' leak sites and payment sites, and on the way their support staff talk and behave.

Top Scams Reported in the Last 24 Hours

Fraudster convicted
The U.S. Department of Justice (DoJ) has convicted a fraudster for launching phishing attacks against the Department of Defense (DoD). The fraudster stole $23.5 million by diverting DoD funds meant for a jet fuel supplier to his personal bank account.

Tags

rari capital
avoslocker ransomware
notorious conti group
apache log4j vulnerability
black basta ransomware
malicious aws packages

Posted on: May 02, 2022
