Go to listing page

Cyware Daily Threat Intelligence, September 28, 2021

Cyware Daily Threat Intelligence, September 28, 2021

Share Blog Post

The Nobelium hacker group that targeted SolarWinds continues to cause more grief. In a new discovery, the APT group has added a new custom backdoor called FoggyWeb to its arsenal to deploy malicious payloads on Windows systems. The malware is distributed via DLL side-loading technique. 

The ever-evolving Mirai has also got a new sibling named Mirai_ptea_Rimasuta that exploits a zero-day vulnerability in RUIJIE NBR700 series routers. It uses the TEA algorithm to establish communication with C2 channels.  

A piece of caution! Look out for a fishy email from Zix that is being actively used in a spearphishing campaign that has affected almost 75,000 emails across the globe.  

Top Breaches Reported in the Last 24 Hours

FarFaria exposes data
A misconfigured MongoDB database belonging to FarFaria has exposed 38 GB of data with contact information and login credentials of 2.9 million users. The compromised data includes IP addresses, email addresses, encrypted passwords, and social media tokens of users. 

DDoS attacks
Around 15 Russian financial organizations were targeted in DDoS attacks between August and September this year. While the attacks were serious, the attackers failed to disrupt the performance of credit institutions.  

Giant Group targeted
Giant Group was forced to shut down its whole network including its phone and email systems following a sophisticated cyberattack. The scope of the attack is yet to be ascertained.  

Top Malware Reported in the Last 24 Hours

BloodyStealaer malware
Gamers in Europe, Latin America, and the Asia-Pacific region are being targeted by BloodyStealer malware that steals their passwords, bank cards, and login details. The malware is available on underground forums for a price of $40. It includes several evasion techniques.

FoggyWeb malware
A new custom malware dubbed FoggyWeb was used by the Nobelium threat actor group to deploy additional payloads and steal sensitive information from Active Directory Federation Services servers. The attackers used DLL side-loading technique to load the backdoor.
 
Mirai_ptea_Rimasuta botnet
A new variant of Mirai dubbed Mirai_ptea_Rimasuta has been found exploiting a zero-day vulnerability in RUIJIE NBR700 series routers. It uses the TEA algorithm to establish communication with C2 servers.  

Top Vulnerabilities Reported in the Last 24 Hours

Cisco fixes flaws
Cisco has fixed multiple vulnerabilities affecting its IOS XE software and SD-WAN vEdge. An attacker can exploit these vulnerabilities and potentially take over affected devices. 

QNAP fixes flaws
QNAP has addressed three command injection vulnerabilities in its QVR software. The flaws are tracked as CVE-2021-34351, CVE-2021-34358, and CVE-2021-34349. While two of these flaws have a severity score of 9.8 out of 10, the third one has a CVSS score of 7.2.  

RCE flaw in Visual Studio
An RCE flaw in Visual Studio Code Remote Development Extension can lead to the execution of arbitrary commands on targeted systems. Tracked as CVE-2021-17148, the flaw can be abused by sending a specially crafted link to the user.  

Top Scams Reported in the Last 24 Hours

Spearphishing attack
An ongoing spearphishing attack designed to spoof an encrypted Zix email is stealing the credentials of employees. The attack has targeted close to 75,000 inboxes, slipping past security controls across Office 365, Google Workspace, Exchange, Cisco ESA, and others. Companies in the government, education, financial, healthcare, and energy sectors have fallen victim to the attack.  

Social media scams
Social engineering scammers are using Twitter bots to trick unsuspecting users into making payments to PayPal and Venmo accounts that are under their control. The scammers are impersonating the social handle of other users to hide their identities.  

 Tags

qnap device
nobelium apt group
foggyweb malware
mirai ptea rimasuta botnet

Posted on: September 28, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.