
Cyware Daily Threat Intelligence, October 26, 2022


Cryptojacking incidents are taking the crypto world by storm. Of late, researchers took the wraps off a sophisticated cryptomining campaign built on freejacking, the abuse of free-tier compute offered by cloud and CI/CD providers. The operators ran more than 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to borrow free computing power. In a similar vein, the "Kiss-A-Dog" campaign has emerged as a cryptojacking scheme taking over vulnerable Kubernetes and Docker instances; here the attackers also demonstrated the ability to detect and uninstall third-party cloud monitoring agents.

Meanwhile, Microsoft has addressed an issue with its vulnerable driver blocklist: the list was not being synced to systems running older Windows releases, which were left with a version of the blocklist dating from December 2019. Until it was fixed, the gap left those systems open to known-vulnerable drivers being loaded and abused for kernel-level privilege escalation.

Top Breaches Reported in the Last 24 Hours


All customer data exposed by Medibank
Australian health insurer Medibank announced that the recent breach compromised personal and health data for all of its 3.9 million customers. The insurer said it has not yet determined the full scope of data stolen for each customer, but the information includes full names, phone numbers, Medicare and policy numbers, health claims, and other diagnostic data.

Skimmer on See Tickets
Ticketing service provider See Tickets notified its customers that cybercriminals had compromised its website with card-skimming code to harvest payment card details. The skimmer is believed to have remained in place for over 2.5 years. Compromised data include full names, physical addresses, ZIP codes, payment card numbers, card expiration dates, and CVV numbers.

Top Malware Reported in the Last 24 Hours


Vice Society vs U.S. education sector
Microsoft exposed targeted attacks on the U.S. education sector by Vice Society between July and October. The group has notably switched between ransomware payloads in its attacks on the sector in the U.S. and worldwide. In some intrusions it carried out double extortion, and in others it extorted victims with exfiltrated data without encrypting the compromised systems at all.

Sophisticated cryptomining operations
Sysdig's threat research team unearthed an active cryptomining operation, run by the Purpleurchin threat actor, that sustains itself through freejacking. The campaign abuses some of the largest cloud and continuous integration and deployment (CI/CD) providers, including GitHub, Buddy[.]works, and Heroku, to build, execute, and scale the operation. Researchers found over 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts.

"Kiss-A-Dog" cryptojacking scheme
CrowdStrike stumbled across a new campaign targeting cloud infrastructure around the world, including vulnerable Docker and Kubernetes instances. Dubbed Kiss-A-Dog, the campaign uses multiple C&C servers and escapes containerized environments to gain root privileges on the host. From there the actors deploy kernel- and user-mode rootkits for obfuscation, create backdoors, move laterally, and establish persistence.

LV ransomware infiltrates Jordan company
Trend Micro researchers spotted an LV ransomware intrusion on the network of a Jordan-based company. The operators used double extortion, threatening to release the stolen data after encrypting the victim's files. Attacks by LV ransomware have been increasing since the second quarter of 2022, experts noted.

Top Vulnerabilities Reported in the Last 24 Hours


Bug dating back to 2000
Security researcher Andreas Kellas disclosed details of a 22-year-old high-severity bug in the SQLite database library. Assigned CVE-2022-35737, the flaw is an integer overflow that affects SQLite versions 1.0.12 through 3.39.1 and is triggered by very large string arguments (billions of bytes) passed to the library's C API. An attacker who can reach the bug can crash the process or, when the library is compiled without stack canaries, execute arbitrary code on the affected system.
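As an added check (not part of the original digest, and not code from the SQLite project), the following Python snippet compares a SQLite version string against the affected range quoted above and reports on the library linked into the local Python interpreter. It assumes the range 1.0.12 through 3.39.1 is inclusive at both ends and that the fix shipped in SQLite 3.39.2.

```python
import sqlite3

# Affected range quoted in the advisory summary (assumed inclusive at both ends).
AFFECTED_MIN = (1, 0, 12)
AFFECTED_MAX = (3, 39, 1)
# First release carrying the fix (assumption: SQLite 3.39.2).
FIXED_IN = (3, 39, 2)


def parse_version(version: str) -> tuple:
    """Turn '3.39.1' into (3, 39, 1); missing trailing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if this SQLite version falls in the CVE-2022-35737 affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def check_local_sqlite() -> dict:
    """Report on the SQLite library linked into the running Python interpreter."""
    version = sqlite3.sqlite_version
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": ".".join(str(c) for c in FIXED_IN),
    }


if __name__ == "__main__":
    report = check_local_sqlite()
    status = "AFFECTED" if report["affected"] else "not affected"
    print(f"SQLite {report['version']}: {status} by CVE-2022-35737 "
          f"(fixed in {report['fixed_in']})")
```

The check only tells you whether a given build is in the vulnerable range; it cannot tell you whether that build was compiled with stack canaries, which is what separates a crash from code execution. Treat any in-range library as an upgrade candidate regardless, and run the same comparison against every embedded copy of SQLite (browsers, language runtimes, mobile apps) rather than only the system package.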

VMware patches critical flaw
A critical RCE flaw has been reported in VMware Cloud Foundation, caused by an unauthenticated endpoint that uses XStream to deserialize input. The bug is tracked as CVE-2021-39144 and rated 9.8 out of 10 on the CVSS scale. Given its severity, the vendor has also made a patch available for end-of-life products. VMware also addressed CVE-2022-31678, an XML External Entity (XXE) vulnerability that can trigger DoS conditions.
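The XXE class is worth a concrete guard. The following Python snippet is an added example, not VMware's code and not a fix for CVE-2022-31678: it parses untrusted XML with the standard-library expat parser and aborts as soon as a DOCTYPE declaration appears, which is where both external entities (XXE) and entity-expansion DoS payloads are declared. The sample documents are constructed for illustration and were not captured from any real system.

```python
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so may declare entities)."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted source and return the element names seen, in order.

    Any DOCTYPE declaration aborts parsing before entities can be declared or
    expanded, which blocks both external-entity (XXE) references and
    entity-expansion DoS payloads such as "billion laughs".
    """
    parser = expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


# Constructed sample inputs (not captured from any real system).
BENIGN = b"<request><id>42</id></request>"

# A classic XXE payload: an external entity pointing at a local file.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<request><id>&xxe;</id></request>')

# A small entity-expansion (DoS) payload: each level expands the previous tenfold.
BOMB = (b'<?xml version="1.0"?>'
        b'<!DOCTYPE lolz [<!ENTITY a "aaaaaaaaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
        b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
        b'<lolz>&c;</lolz>')


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for a document, for use in logs or tests."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except DoctypeRejected:
        return "rejected"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("bomb", BOMB)):
        print(f"{label}: {classify(doc)}")
```

Rejecting the DOCTYPE outright is the simplest policy because it does not depend on the parser's entity-resolution defaults, which vary between libraries and versions; if a legitimate feed needs a DTD, validate it against a fixed local copy instead of accepting one from the request.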

Vulnerable driver blocklist sync issue
A researcher disclosed that Microsoft had been shipping an outdated vulnerable driver blocklist, dating from December 2019, even to Windows 10 and Windows Server systems: the blocklist was not being synced to systems running older Windows releases. This left those systems open to known-vulnerable drivers being loaded and exploited for privilege escalation and malicious code execution in the Windows kernel. Microsoft has since addressed the issue.

Tags

vulnerable driver blocklist
sqlite library
xml external entity attack
kiss a dog
medibank
lv ransomware
purpleurchin
education sector
vmware cloud foundation
see tickets
cve 2022 35737
vice society

Posted on: October 26, 2022
