Go to listing page

Cyware Daily Threat Intelligence, September 20, 2022

Cyware Daily Threat Intelligence, September 20, 2022

Share Blog Post

The cyber-physical war between Russia and Ukraine refuses to cease. In fact, it continues to escalate on and off the field. In the latest, the Russian state-sponsored hacker group Sandworm has been exploiting Ukrainian entities with malware by masquerading as telecommunication providers. In other news, IT giants VMware and Microsoft warned about a ChromeLoader malware campaign that drops a couple of malware families and has undergone a lot of changes and is unlikely to stop in the coming days.

Furthermore, a number of new high-severity versions of the Insecure Direct Object Reference (IDOR) vulnerability have been discovered in Harbor. IDOR is a high-severity vulnerability and is considered to be the most serious web application risk on the OWASP list.

Top Breaches Reported in Last 24 Hours

American Airlines systems intruded
Hackers breached American Airlines' systems and compromised employees' email accounts, giving them access to employees' and customers' personal information. The exposed data purportedly include names, email addresses, birth dates, license numbers, medical info, and passport numbers. The company is yet to disclose the number of affected customers. The company witnessed a breach last year in March as well.

Winterminute suffers breach worth $160 million
Hackers managed to breach and steal $160 million from cryptocurrency firm Winterminute. The bad actors managed to hit the company’s DeFi operations but were not able to affect its CeFi or OTC services. The hackers stole 90 assets, of which only two had a notional value of over $1 million. No additional details were given on the two tokens, but neither of them had a value of more than $2.5 million.

Bosnia and Herzegovina’s Parliament targeted
Hackers allegedly carried out a large-scale cyberattack on Bosnia and Herzegovina's parliament, affecting its operations. The official website was inoperative for close to two weeks. Several lawmakers were instructed to not turn on their computers and prohibited them from accessing their official documents and email accounts for now. Although there was no confirmation of the type of attack, sources claim it involved ransomware.

U.K fintech suffers data breach 
Revolut, a U.K-headquartered fintech company, has suffered a data breach, leaking the personal information of 50,150 users. The likely accessed information includes email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data. Revolut added that card details, PINs, or passwords were not accessed and emphasized that the hackers could not gain access to customers’ funds.

Top Malware Reported in Last 24 Hours

Sandworm hackers target Ukranian entities
Russian Sandworm hackers, who are linked to the Cyclops Blink botnet, have been seen posing as telecommunications service providers to deploy malware like Warzone RAT and the Colibri Loader onto critical Ukrainian systems. The attackers target victims by luring them to visit the phishing domains, spoofing the portals for Datagroup, Kyivstar, and EuroTransTelecom. The language used on websites is Ukrainian, with military operations, reports, and administrative notices as the main topics.

VMware, Microsoft warn of malware attacks
VMware and Microsoft issued a warning about an ongoing Chromeloader malware operation that can deliver malicious browser extensions, node-WebKit malware, and ransomware. Microsoft uncovered the click fraud campaign and linked it to DEV-0796. Using stealthy installers, the attackers attempt to monetize clicks generated by node-webkit and malicious browser extensions.

Top Vulnerabilities Reported in Last 24 Hours

Security holes in Harbor
Oxeye security researchers discovered critical IDOR vulnerabilities in the CNCF-graduated project Harbor. The bugs are identified as CVE-2022-31666, CVE-2022-31671, CVE-2022-31669, CVE-2022-31670, and CVE-2022-31667. When exploited, the IDOR vulnerability gives an attacker unauthorized webhook policies, while another variant exposes job execution logs. Role-based access control, according to VMware researchers, is a solid security protection against IDOR vulnerabilities, although it is not foolproof.

Top Scams Reported in Last 24 Hours

E-mail scammers spoof U.S agencies
Hackers are attempting a phishing attack that spoofs multiple U.S. government entities while focusing on the energy and professional services sectors, specifically construction firms. Cofense reports that attackers are now spoofing the transportation and commerce departments. The emails pretend to solicit bids for government projects, however, direct recipients to credential phishing pages. Threat actors have included a captcha challenge to fool victims when entering Microsoft Office 365 account credentials.


us government agencies
node webkit
warzone rat
idor vulnerabilities
project harbor
ransomware attacks
american airlines inc
colibri loader
microsoft office 365 credentials

Posted on: September 20, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.