Go to listing page

Cyware Daily Threat Intelligence, November 19, 2021

Cyware Daily Threat Intelligence, November 19, 2021

Share Blog Post

Looks like the Aggah threat actors are aiming to become crypto-rich using the infamous clipboard hijacking technique. Researchers have uncovered a new attack campaign leveraging the technique to replace cryptocurrency addresses for seven different cryptocurrencies. Meanwhile, a new terror has unfolded in the ransomware threat landscape with the discovery of a new malware strain named Memento. The interesting aspect of this ransomware is that it copies files in  WinRAR before encrypting them.  

Attention online shoppers! Digital card skimming attacks just got more sophisticated as cybercriminals are turning to a new Golang malware to evade detection. The malware, dubbed linux_avp backdoor, is being deployed along with the card skimmer on compromised websites. 

Top Breaches Reported in the Last 24 Hours

Pizza Kitchen data breached
California Pizza Kitchen (CPK) revealed a data breach that exposed the SSNs of over 100,000 current and former employees. The organization learned about the attack on September 15, in which attackers had infiltrated its systems and gained access to certain files.  

North Korea hackers intensify attacks
North Korean attackers have intensified their espionage campaigns in 2021. According to researchers, three different actors, named TA406, TA408, and TA427, have been actively targeting organizations in the education, media, and research sectors to harvest credentials. A majority of these attacks have been launched by TA406, with targets involving firms across the U.S., Russia, and South Korea.

Frontier Software suffers an attack
Frontier Software is experiencing a cyber incident that limited access to some of the computer systems. The incident is currently under investigation.

New Aggah campaign discovered
A new campaign linked to the Aggah threat actor group hijacks clipboards to replace cryptocurrency addresses. The new campaign uses clipboard hijacking code that is installed into the victim’s host registry. So far, malicious code has been used to replace cryptocurrency addresses for seven different cryptocurrencies.   
Top Malware Reported in the Last 24 Hours

11 malicious libraries removed
The operators of the Python Package Index (PyPI) removed 11 Python libraries designed to collect user data, passwords, and Discord access tokens from infected systems. These libraries were downloaded more than 30,000 times. One of these libraries abused the dependency confusion technique. 

New Memento ransomware
A new ransomware, dubbed Memento, takes advantage of the vCenter vulnerability CVE-2021-21971 to spread across systems. After the reconnaissance stage, the attackers use WinRAR to create an archive of the stolen files and exfiltrate it. In the final stage, it encrypts the passwords and deletes the original files.

New linux_avp backdoor spotted
In a new card skimming attack, threat actors are found deploying a Linux backdoor named linux_avp backdoor after injecting a credit card skimmer into the compromised website. Written in Golang, the malware helps attackers to evade detection. 

Top Vulnerabilities Reported in the Last 24 Hours

A new variant of DNS poisoning attack
A new variant of SAD DNS cache poisoning attack can allow attackers to poison DNS servers and reroute traffic to malicious sites. The flaw affects Linux kernels, and DNS software such as BIND, Unbound, and dnsmasq running on Linux. Therefore, administrators and end-users should ensure that their Linux kernel and BIND/Unbound are updated. 


dns system
card skimmer
california pizza kitchen cpk
memento ransomware
linux avp backdoor

Posted on: November 19, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.