Go to listing page

Cyware Daily Threat Intelligence, May 26, 2022

Cyware Daily Threat Intelligence, May 26, 2022

Share Blog Post

Cybercriminals are well-versed with the extensive use of VMware ESXi in enterprise settings for server virtualization. Recently, a new malware strain named Cheerscrypt has joined the league of ransomware actors attacking ESXi servers. Browsers worldwide are being hemmed in by the ChromeLoader malware that masquerades as cracked software for games and software.

Moving on, the Pantsdown bug embarrasses QCT servers! This high-severity bug can even be abused by an unsophisticated attacker with remote access to the operating system to execute arbitrary code within the BMC.

Top Breaches Reported in the Last 24 Hours

Medicine School blurts out PHI
A breach at St. Louis-based Washington University School of Medicine has potentially exposed PHI, as well other personal data of patients. An unauthorized person seemingly accessed the email accounts of certain employees between March 4 and March 28. The institution did not disclose how many patients were impacted by this incident.

Toronto health network compromised
Scarborough Health Network (SHN) disclosed an intrusion that may have impacted individuals who received in-patient care at any of the SHN hospitals prior to February 1. The hospital network comprises three hospitals and eight satellite sites. Furthermore, it warned victims that potential identity theft and phishing attempts may lurk in the wild.

Top Malware Reported in the Last 24 Hours

Cheerscrypt dispirits ESXi servers
Trend Micro has reported multiple deployments for a new ransomware family, dubbed  Cheerscrypt. It was targeting one of its customer’s ESXi servers that manage VMware files. The malware family employs the double extortion scheme to extort victims. Previously, other ransomware actors, including LockBit, Hive, and RansomEXX, have targeted a similar environment.

ChromeLoader swells as a browser threat
Red Canary researchers noted a surge in ChromeLoader malware that uses a malicious ISO archive file to infect its victims. It comes packaged as cracked executables for games or commercial software. In fact, researchers have also witnessed instances wherein hackers promoted cracked Android games and offered QR codes on Twitter, which lead to the malware-hosting sites.

ERMAC 2.0 is here
The infamous ERMAC Android banking trojan expanded its territory by increasing the number of applications targeted from 378 to 467 with the launch of its version 2.0. It is capable of stealing account credentials and crypto wallets, which are sent to threat actors to hijack victims’ banking and cryptocurrency accounts for financial theft and fraud.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco Talos helps OAS patch bugs
Cisco Talos laid bare eight vulnerabilities in the Open Automation Software (OAS) Platform with two of them receiving severity scores of over 9.0. These flaws could be exploited to perform a myriad of malicious actions, from unauthenticated access to a targeted device to causing a denial of service. The driver under question is Open Automation Software OAS Platform, version 16.00.0112.

Pantsdown embarrasses QCT servers
Eclypsium found that Quanta Cloud Technology (QCT) servers are victims of the severe "Pantsdown" Baseboard Management Controller (BMC) flaw. An attacker may leverage this to laterally move its cyberattack to the server management network, thereby, crippling other servers by obtaining further permissions and access. The bug is tracked as CVE-2019-6260 and has a CVSS score of 9.8.

Clickjacking may hit Paypal
An independent security researcher, named h4x0r_dz, uncovered a new unpatched security vulnerability in PayPal’s money transfer program that could let attackers trick victims into initiating transactions with a single click, aka Clickjacking. The deception works by throwing an invisible overlay page or HTML element displayed on top of the actual page.


vmware esxi
scarborough health network shn
paypal phishing
cheerscrypt ransomware
clickjacking exploit
ermac 20
qct servers
washington university school of medicine

Posted on: May 26, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.