Cyware Daily Threat Intelligence, March 07, 2023

Security researchers took the wraps off a complex attack campaign targeting business routers with a pair of payloads: HiatusRAT and a variant of tcpdump. The majority of compromised systems were located in Europe and Latin America. In other headlines, experts warned of the ongoing exploitation of a sensitive vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere. As per reports, adversaries are scanning for the bug from data center infrastructure, such as that of Linode and Digital Ocean.

What else? A honey-trap romance scam is targeting Android users in Southeast Asia. Potential targets are first contacted on a different platform and then lured into downloading “more secure” messaging apps containing the Android CapraRAT backdoor.

Top Breaches Reported in the Last 24 Hours

Brazilian conglomerate targeted
A cyber raid by unknown criminals allegedly compromised three TB of corporate and employee information belonging to the Brazilian multinational firm Andrade Gutierrez. A hacking group calling itself “Dark Angels” has claimed responsibility for the attack. The impacted data included personal details, as well as payment information, tax ID numbers, and health insurance information of thousands of employees.

HAW Hamburg suffered ransomware attack
Vice Society pilfered “significant amounts of data from various areas” of the Hamburg University of Applied Sciences (HAW Hamburg). The cybercriminals accessed usernames, email addresses, “cryptographically secured” passwords, and mobile phone numbers of individuals. The university was only recently added to the attackers’ leak site; however, the breach itself occurred last year.

Top U.S. tech firm under the scanner
Acer Inc. purportedly suffered the theft of 160GB of data, spanning 655 directories and 2,869 files, in a breach incident dating to mid-February 2023. An actor going by the moniker ‘Kernelware’ was seen offering the stolen data trove to interested buyers, claiming it contains a myriad of valuable files and documents. The actor further leaked sample data to back the claim.

BlackCat blackmails victim
The BlackCat ransomware group has started to leak the data it harvested from the Lehigh Valley Health Network (LVHN) in a cyberattack. The Pennsylvania-based healthcare group was threatened with the posting of a data sample that contained photos of breast cancer patients from the waist up. LVHN has reportedly refused to pay the ransom, which is why the leak followed.

Top Malware Reported in the Last 24 Hours

Remcos RAT in phishing emails
SentinelOne uncovered a phishing campaign infecting organizations in Eastern European countries with Remcos RAT. The cybercriminals are reportedly exploiting an old Windows User Account Control (UAC) bypass issue disclosed over two years ago. They send emails from top-level domains with lures typically camouflaged as tender documentation, invoices, and other financial documents.

Romance scams drop CapraRAT
The APT actor Transparent Tribe has been spotted launching romance scams against Indian and Pakistani Android users. The adversaries urge users to download secure messaging and calling apps custom-branded as MeetUp and MeetsApp, which leads to the installation of the CapraRAT backdoor.

New threat to business-grade routers
Experts at Lumen Black Lotus Labs stumbled across a campaign, dubbed Hiatus, that drops a pair of payloads to infect business routers. The payloads are HiatusRAT and a variant of tcpdump (which enables packet capture on the target device). With HiatusRAT, criminals can turn a compromised router into a covert proxy. Researchers identified at least 100 infected systems, with most of the infections in Europe and Latin America.

New stealer targets Facebook business accounts
A new information stealer, dubbed SYS01stealer, has surfaced to target individuals working at manufacturing companies, critical government infrastructure, and other sectors. The attackers go after Facebook business accounts using lures, such as games, adult content, and cracked software, to trick victims into downloading a malicious file.

Top Vulnerabilities Reported in the Last 24 Hours

VMware flaw under active exploitation
A critical bug, tracked as CVE-2021-39144, in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V) is being targeted by bad actors. By abusing the bug, an attacker can achieve remote code execution (RCE) in the context of ‘root’ on the appliance. The vulnerability impacts XStream version 1.4.17 and older. Note that the affected product reached its end-of-life (EOL) status in January 2022.

Android patches over 50 security holes
Google released security fixes for over 50 vulnerabilities in its Android platform in the latest round of updates. A total of 18 bugs were addressed in the System component, with 16 of them rated ‘high’ on the severity scale. Experts say two remote code execution (RCE) flaws in the System component were the most severe of the lot.

Top Scams Reported in the Last 24 Hours

ChatGPT apps with ever-convincing baits
Online fraudsters have abused the popularity of ChatGPT once again to collect users’ personal data while targeting their wallets. Security experts discovered an imitation version of ChatGPT baiting users with financial lures that promise to pay up to $10,000 per month. The hackers are using a variety of subject lines in these scams. The scam is prevalent in Denmark, Ireland, Germany, Australia, and the Netherlands.

Posted on: March 07, 2023