Cyware Daily Threat Intelligence, September 09, 2021

Operation Chimaera! That is how security experts are reporting the return of the notorious TeamTNT threat actor group. Windows users, alongside various Linux distributions—Alpine, AWS, Docker, and Kubernetes—are the target of this latest high-profile cryptomining attack campaign, which is believed to have been active since July. The attackers are managing to stay under the radar using open-source tools such as LaZagne.

With advanced threats constantly knocking at the door, securing vulnerable products in time has become an utmost priority. Google has released a series of security updates to address 40 vulnerabilities affecting its Android systems. Zoho and Microsoft have also issued security patches for actively exploited flaws found in ManageEngine ADSelfService Plus and Azure Container Instances (ACI), respectively.

Top Breaches Reported in the Last 24 Hours

Israelis’ data on sale
A cybercriminal who goes by the name ‘sangkanicil’ has put up the personal information of around seven million Israelis for sale on hacker forums. The data was stolen by hacking a website operated by municipalities.

Hospital’s data leaked
Personal details of over 40,000 patients at Bhumirajanagarindra Kidney Institute Hospital were stolen by a hacker from an unprotected database. The data also included patients’ treatment history.

Texas Right to Life website leaks data
The website of Texas Right to Life exposed the personal information of over 300 job applicants following a security issue on the site. The exposed resumes contained names, phone numbers, addresses, and details of each person’s employment history.

VPN credentials leaked
The Groove ransomware group leaked a list of 500,000 Fortinet VPN credentials that could allow threat actors to breach corporate networks. The credentials were amassed by the attackers over the last few months by exploiting the path traversal flaw (CVE-2018-13379) in Fortinet FortiOS running on FortiGate appliances.

Yandex targeted
Russian internet giant Yandex has been targeted in a massive DDoS attack. The attack started over the weekend, and the firm continues to struggle with the recovery process.

Top Malware Reported in the Last 24 Hours

New cryptomining campaign
The TeamTNT threat actor group has been spotted in a new cryptomining campaign dubbed Operation Chimaera. The group is heavily targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine, to deploy the XMRig miner.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable npm packages
The GitHub security team has identified several high-severity vulnerabilities in the npm packages tar and @npmcli/arborist. The vulnerabilities affect both Windows and Unix-based users. Developers must upgrade the affected packages to patched versions to mitigate the vulnerabilities.

Google issues security patches
Google has issued security patches for 40 vulnerabilities affecting its Android systems. Seven of these are rated critical. The most severe is a critical vulnerability in the Framework component that could enable a remote attacker to cause a permanent denial of service using a specially crafted file.

Mitigations for a flaw in Azure applied
Microsoft recently mitigated a vulnerability in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service.

Vulnerable Zoho actively exploited
CISA has warned that a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments is currently being actively exploited in the wild. The flaw is tracked as CVE-2021-40539 and is a REST API authentication bypass that can lead to arbitrary remote code execution. ADSelfService Plus builds up to 6113 are impacted by the flaw.

Vulnerable Confluence servers
Over 8,000 Atlassian Confluence servers are still vulnerable to the recently disclosed CVE-2021-26084 vulnerability. Described as an OGNL injection vulnerability, the flaw has a CVSS score of 9.8.

Vulnerable HAProxy server
A critical vulnerability disclosed in the HAProxy server could be abused by adversaries to smuggle HTTP requests. The flaw, tracked as CVE-2021-40346, is an integer overflow vulnerability that could allow unauthorized access to sensitive data and the execution of arbitrary commands. It affects HAProxy versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4.

Top Scams Reported in the Last 24 Hours

Ponzi Bitcoin free giveaway scam
Threat actors hacked an official Russian government website to promote a Ponzi-style free Bitcoin giveaway scam. The scam promised users 0.025 BTC in exchange for installing a particular application on their system. To further promote the scam, the actors also promised to reward five random users with $1,000 worth of Bitcoin.

An advance-fee fraud scheme
Researchers have identified an advance-fee fraud scheme that is being carried out via phishing emails containing login credentials for fake cryptocurrency exchange platforms. The ultimate purpose is to swindle unsuspecting victims out of Bitcoin.

Posted on: September 09, 2021