Go to listing page

Cyware Daily Threat Intelligence, September 14, 2022

Cyware Daily Threat Intelligence, September 14, 2022

Share Blog Post

Malware actors continue to work in silence and develop replacements for their old and outdated hacking tools. For instance, Palo Alto Networks Unit 42 has deeply researched how OriginLogger malware works, which is the likely successor to Agent Tesla malware. The latter was in action until March 2019 and had to stop operations following legal battles, and OriginLogger was first discovered a year earlier. In other news, the Wordfence Threat Intelligence team issued a caution as hackers abused a zero-day in a WordPress premium plugin to actively target over 280,000 sites using it.

Moreover, two more flaws were discovered in Contec wireless LAN equipment. The Japan-based company, which specializes in embedded computing, industrial automation, and IoT connectivity technology, acknowledged in its advisory that hackers could exploit these weaknesses.

Top Breaches Reported in Last 24 Hours

Buenos Aires suffers cyberattack
Buenos Aires City Legislature has confirmed suffering a ransomware attack. The attackers managed to compromise the assembly’s operating systems and took down the Wifi connectivity, among other systems. The government is looking to restore normalcy at the earliest, though the legislature website continues to be down. No ransomware group has taken responsibility for the incident.

E-commerce software maker breached
FishPig, a provider of Magento-WordPress integrations, disclosed that threat actors exploited a security flaw on its distribution server to deploy the Rekoobe backdoor. The e-commerce platform is looking into how the attacker gained access to their systems and whether it was through a server or an application exploit. The platform is used by 200,000 websites and the company has urged all its users to update or reinstall their extensions.

Top Malware Reported in Last 24 Hours

The heir of Agent Tesla
Palo Alto Networks researchers have deemed the OriginLogger malware, first reported in May, to be the replacement for Agent Tesla RAT. It is delivered via infected Word documents. When opened, it contains Excel worksheets embedded within it. The worksheets invoke an HTML page to fetch two encoded binaries from Bitbucket. The malware can record keystrokes, take screenshots, steal credentials, upload data, and download additional payloads in numerous ways and try to avoid detection.

New Linux variant by Chinese actors
Cybersecurity firm ESET identified a malware strain deployed on the networks of a Hong Kong university by a Chinese nation-state actor known as SparklingGoblin. It is reportedly a Linux variant of the SideWalk backdoor. The custom Windows malware was also used against an unnamed U.S.-based retail company. Researchers linked its latest findings with another Linux malware variant called Specter RAT, which came to light in 2020.

Top Vulnerabilities Reported in the Last 24 Hours

Zero-day vulnerability exploited in WP sites
Hackers were observed exploiting a zero-day vulnerability in WPGateway, a WordPress premium plugin, that allows fake users to seize control of the affected sites. The flaw, tracked as CVE-2022-3180, lets an attacker add a fake admin account to the sites utilizing the plugin. The vulnerability affects over 280,000 sites using the plugin. 

Microsoft’s Patch Tuesday fixes zero-day
Microsoft addressed a sensitive zero-day flaw in its Windows CLFS Driver. The flaw, identified as CVE-2022-37969, was abused by hackers, who could execute code, gain SYSTEM privileges, and fully compromise the targeted machine. Also, the exploit code for this zero-day is publicly available. Microsoft, all in all, addressed 64 novel security flaws in its products, five of which were classified as critical, 57 as important, one as moderate, and one as low in severity.

Vulnerabilities in Airplane Wi-Fi devices
Researchers have unearthed two serious vulnerabilities in the Flexlan FX3000 and FX2000 series wireless LAN devices manufactured by Contec. The first flaw, identified as CVE-2022-36158, is used to execute Linux commands on the device with root privileges. The second vulnerability, CVE-2022-36159, is connected to a backdoor account carrying a weak password, and the attacker may use this account to gain control of the device.

New Threat in the Spotlight 

Multi-Persona Impersonation, a phishing technique 
TA453, an Iranian hacker organization, was found luring its victims with a so-called Multi-Persona Impersonation technique. In this technique, a phishing email is sent to the targets, while adding another email address in CC, again controlled by them. Hackers meticulously manipulate and engage victims in an elaborate realistic conversation through fake personas, or sock puppets. Consequently, the targets are made to download password-protected malicious files containing macros that exfiltrate stolen data through Telegram API.


rekoobe backdoor
airplane wi fi
buenos aires
zero day bug
wpgateway plugin
sidewalk backdoor
specter rat
sock puppet
cve 2022 36158
cve 2022 36159
ransomware attack
agent tesla
cve 2022 37969

Posted on: September 14, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.