SocGholish, one of the most elusive malware families, continues to thrive in the ever-evolving threat landscape. In the last 24 hours, researchers have uncovered multiple attack campaigns attributed to the malware. In one campaign, shady URLs and fake WordPress themes and plugins were used to deliver the malware. In another, malvertising and SEO poisoning tactics were leveraged for propagation.
A surge in Black Basta ransomware campaigns aimed at organizations in the U.S. has also made the headlines in the last 24 hours. The ransomware is using QakBot for the initial entry point and to move laterally within an organization’s network. Furthermore, a new variant of WannaRen ransomware was observed targeting entities in India.
Top Breaches Reported in the Last 24 Hours
Misconfigured database leaks data
An unprotected database containing over 16,000 records was exposed online. These records contained highly sensitive PII such as names, dates of birth, patient IDs, physical addresses, medical diagnoses, and special needs of thousands of children. Investigators revealed that the database belonged to Tridas Group LLC, based in Tampa.
Black Basta targets U.S. organizations
Affiliates of the Black Basta ransomware group used QakBot for initial access to target organizations in the U.S. Researchers found that the attackers disabled DNS services to lock victims out of their networks. In the last two weeks, the experts observed such attack attempts against more than 10 organizations.
Top Malware Reported in the Last 24 Hours
Gamers targeted with info-stealers
Windows gamers and power users were infected with the XMRig miner and the RedLine information stealer in a recent campaign that lasted for three months. The attackers created over 50 sites impersonating the MSI Afterburner download portal to trick users and push the malicious payloads onto their systems.
WannaRen ransomware re-emerges
A new variant of WannaRen ransomware has emerged to target organizations in India. The ransomware variant is distributed as malicious PowerShell code bundled with activation tools. Unlike its previous version, the new variant uses batch files to download and execute WINWORD.exe, which is abused to perform DLL side-loading attacks.
SocGholish observed in multiple attacks
A new wave of attacks that resulted in the injection of the SocGholish malware framework into web pages was observed recently. In one attack campaign, researchers from Sucuri observed that payloads, including the SocGholish script, were embedded within WordPress theme files and fake plugin files. In another campaign, the malware was identified on nearly 300 websites in multiple countries, including Poland, Italy, France, Iran, the U.K., and the U.S. These websites were infected with the malware via SEO poisoning or malvertising.
Top Vulnerabilities Reported in the Last 24 Hours
Misconfigured ConnectWise Control
A misconfiguration issue in ConnectWise Control can allow threat actors to compromise systems easily. The issue exists in the fully featured 14-day trial option. After signing up for a free trial with an anonymous email account and fake personal details, attackers can use the platform to build a convincing support portal impersonating a specific brand. Once the fake portal is created, threat actors can send victims a fake invoice for some service and wait for them to visit the fake portal and enter the invoice code, which actually triggers the installation of a RAT.
Millions of Android devices exposed to attacks
Millions of Android devices are potentially exposed to attacks due to a set of five vulnerabilities affecting Arm’s Mali GPU driver. Devices from Google, Samsung, Xiaomi, and Oppo are still waiting for patches for the flaws, which were reported between June and July. The flaws are collectively tracked as CVE-2022-33917 and can allow non-privileged users to perform improper GPU processing operations and gain access to already freed memory.
Top Scams Reported in the Last 24 Hours
Phishing campaign steals credentials
A phishing campaign aimed at harvesting employees’ Microsoft credentials was reported by Cofense researchers. The attackers leveraged a malicious HTML attachment containing spliced code to pilfer the credentials. To make it look convincing, the attachment used the name Proofpoint Secure Share, a cloud-based solution that enables organizations to exchange large files securely.