
Cyware Daily Threat Intelligence, November 25, 2021

The success of Iranian hacking groups in the cybercrime world is no surprise. Days after Microsoft warned of their evolving tactics and procedures, a new threat has come into the limelight: researchers have uncovered a new Iran-based threat actor that has been actively exploiting an MSHTML RCE flaw to spy on Farsi speakers. The most interesting piece of the whole campaign is the newly found PowerShortShell stealer, which is used to pilfer Google and Instagram credentials.

The holiday season is just as popular with cybercriminals as it is with shoppers, including gaming enthusiasts on the lookout for free versions of popular games. So, beware: scammers are running a wide-scale phishing campaign that uses dubious YouTube videos offering free versions of CSGO, PUBG, Cyberpunk, Call of Duty, GTAV, Fallout 4, and more. For online shoppers, the FBI has issued an advisory detailing brand impersonation attacks delivered via spam emails, text messages, and mobile apps.

Top Breaches Reported in the Last 24 Hours

True Health suffers a cyberattack
New Mexico-based True Health has issued a notification about a breach incident that affected the personal information of over 62,000 U.S. citizens. The incident occurred after attackers gained unauthorized access to the organization’s IT systems in October.

Cronin leaks 92 million records
The Cronin digital marketing agency suffered a major data leak due to an unprotected database. The database contained 92 million records that included Google Analytics data, session IDs, client IDs, and other identifying information about users. Usernames, email addresses, and hashed passwords of Cronin employees were also part of the exposed data.

Top Malware Reported in the Last 24 Hours

New Babadeda crypter
Malware authors are targeting cryptocurrency enthusiasts using a new crypter dubbed Babadeda. The crypter has been active since May 2021 in multiple campaigns targeting crypto, NFT, and DeFi-related communities on Discord. It is capable of bypassing signature-based antivirus solutions.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft MSHTML flaw exploited
A newly discovered Iranian threat actor has been found exploiting the Microsoft MSHTML remote code execution flaw (CVE-2021-40444) to distribute a PowerShell-based stealer dubbed PowerShortShell. The infostealer pilfers Google and Instagram credentials from Farsi-speaking targets. It is also used for Telegram surveillance and for collecting system information from compromised devices.

VMware ships updates
VMware’s vCenter Server and Cloud Foundation are affected by an arbitrary file read vulnerability and a server-side request forgery vulnerability. The flaws are tracked as CVE-2021-21980 and CVE-2021-22049 and can be abused by attackers to gain access to sensitive information. While patches have been released for the affected vCenter Server versions, Cloud Foundation remains vulnerable.

Top Scams Reported in the Last 24 Hours

Gamers targeted by scammers
Scammers are targeting gamers with malware detected as Trojan.Malpack under the pretext of delivering free versions of popular games. They have created many dubious videos to lure victims with free versions of Skyrim, CSGO, PUBG, Cyberpunk, Call of Duty, GTAV, Fallout 4, and DayZ. In every case, the videos are presented as offering ‘free Steam keys’ and include a link to the fake game. The ultimate purpose of the scam is to steal gamers’ data.

FBI warns about brand impersonation
The FBI has issued warnings about recently detected spear-phishing email campaigns targeting the customers of well-known brands. The campaigns leverage spam emails, text messages, and mobile apps that may spoof the identity of the targeted company’s official site.

Posted on: November 25, 2021