
Cyware Daily Threat Intelligence, March 20, 2023

New and old ransomware strains continue to threaten organizations worldwide. Firms in manufacturing, finance, construction, marketing, technology, and agriculture have been hit by the new Trigona ransomware, which has claimed 15 victims in less than three months. Separately, the FBI, CISA, and MS-ISAC warned businesses and U.S. critical infrastructure operators about LockBit 3.0 attacks. Also, the Mispadu banking trojan has been reported to have harvested over 90,000 bank account credentials from thousands of unique websites.

Meanwhile, Emotet, one of the most widely distributed malware families of recent years, has begun abusing Microsoft OneNote attachments for distribution. Until now it relied on Microsoft Word and Excel attachments carrying malicious macros.

Top Breaches Reported in the Last 24 Hours


Cl0p adds another feather to its cap
Hitachi Energy is the latest victim of the fallout from the breach of Fortra's GoAnywhere MFT, which the Cl0p ransomware gang exploited heavily. Affected systems were isolated from the rest of the network. In February, Cl0p claimed to have exploited a zero-day vulnerability in the product to steal sensitive data from over 130 organizations. Fortra recommends that customers review all administrative accounts and monitor for unrecognized usernames, especially those created by "system."

Ransomware attack on Dutch shipping firm
Dutch maritime logistics company Royal Dirkzwager was hit by the Play ransomware group. The incident came to light after the threat actors listed the company on their Tor data leak site. The group claims to have stolen a variety of confidential data, including employee IDs, passports, and other documents, from the shipping firm.

Bitcoin ATM manufacturer compromised
Crypto ATM manufacturer General Bytes disclosed a security incident on March 17 and 18 caused by a vulnerability that gave a remote attacker access to the master service interface and allowed them to transfer funds from users' hot wallets. The attacker withdrew 56.28 bitcoins, valued at nearly $1.5 million, from 15 to 20 crypto ATM operators located across the U.S.

Top Malware Reported in the Last 24 Hours


New ransomware, 15 victims
Trigona ransomware, which surfaced in December 2022, has targeted at least 15 organizations across different sectors in the U.S., Australia, Italy, France, New Zealand, and Germany. Observed intrusions follow a consistent chain: initial access, reconnaissance, transfer of the malware via remote monitoring and management (RMM) software, creation of new user accounts, and finally deployment of the ransomware.

HinataBot: DDoS-focused botnet
Researchers at Akamai uncovered a new Go-based botnet dubbed HinataBot, apparently named after a character from the anime series Naruto. Its authors updated the malware several times during the first three months of the year. It was observed in HTTP and SSH honeypots exploiting several old vulnerabilities and abusing weak credentials, and is built to launch DDoS attacks.

Warning against LockBit 3.0 operation
A joint advisory from the FBI, CISA, and MS-ISAC highlights the LockBit 3.0 ransomware operation, which targets a wide range of businesses and critical infrastructure entities. It notes that the malware uses a hardcoded list of credentials for lateral movement inside a compromised network, and can also spread via Group Policy Objects and PsExec over the SMB protocol.
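The two lateral-movement behaviours named in the advisory leave distinct traces in Windows event logs. The following is an added example (not from the advisory or from Cyware) of detection logic run over constructed log lines: it flags a PsExec service installation (System event 7045 whose service name or image path is PSEXESVC) and the fan-out pattern a replayed credential list produces, one account making network logons (Security event 4624, logon type 3) to many hosts inside a short window. The JSON-per-line format and field names are assumptions about how the logs were exported; the events themselves are constructed.

```python
"""Detect LockBit-style lateral movement in exported Windows event logs.

Added example, not part of the FBI/CISA/MS-ISAC advisory or the briefing.
Assumes events exported as one JSON object per line with the fields used
below (Timestamp, EventID, LogonType, Computer, ...); SAMPLE_LOG is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_MARKERS = ("psexesvc", "psexec")


def is_psexec_service_install(ev: dict) -> bool:
    """System 7045 'A service was installed' whose name/image looks like PsExec."""
    if ev.get("EventID") != 7045:
        return False
    name = ev.get("ServiceName", "").lower()
    image = ev.get("ImagePath", "").lower()
    return any(m in name or m in image for m in PSEXEC_MARKERS)


def find_credential_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Return (account, hosts) for accounts with network logons (4624, type 3)
    to >= min_hosts distinct computers inside `window`."""
    logons = defaultdict(list)  # account -> [(timestamp, computer)]
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            ts = datetime.fromisoformat(ev["Timestamp"])
            acct = f'{ev.get("TargetDomainName", "")}\\{ev.get("TargetUserName", "")}'.lower()
            logons[acct].append((ts, ev["Computer"].lower()))
    hits = []
    for acct, entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((acct, sorted(hosts)))
                break  # one alert per account is enough
    return hits


def analyze(lines):
    """Parse JSON lines and run both rules; returns a dict of findings."""
    events = [json.loads(line) for line in lines if line.strip()]
    return {
        "psexec_installs": [e for e in events if is_psexec_service_install(e)],
        "credential_fanout": find_credential_fanout(events),
    }


# Constructed sample: one service account sprayed across four hosts, then a
# PsExec service dropped on the third; an ordinary user logon for contrast.
SAMPLE_LOG = r"""
{"Timestamp": "2023-03-19T02:14:05", "EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "Computer": "HOST1", "IpAddress": "10.0.0.5"}
{"Timestamp": "2023-03-19T02:14:09", "EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "Computer": "HOST2", "IpAddress": "10.0.0.5"}
{"Timestamp": "2023-03-19T02:14:12", "EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "Computer": "HOST3", "IpAddress": "10.0.0.5"}
{"Timestamp": "2023-03-19T02:14:20", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Computer": "HOST3"}
{"Timestamp": "2023-03-19T02:15:40", "EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "Computer": "HOST4", "IpAddress": "10.0.0.5"}
{"Timestamp": "2023-03-19T02:16:00", "EventID": 4624, "LogonType": 2, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "Computer": "WS22"}
{"Timestamp": "2023-03-19T02:18:00", "EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "Computer": "FS01", "IpAddress": "10.0.1.22"}
{"Timestamp": "2023-03-19T02:19:00", "EventID": 7045, "ServiceName": "Dell SupportAssist", "ImagePath": "C:\\Program Files\\Dell\\sa.exe", "Computer": "WS22"}
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.split("\n")).items():
        print(key, value)
```

The fan-out threshold (three hosts in five minutes) is a starting point; tune it against your own baseline, since backup and monitoring accounts legitimately touch many hosts. GPO-based spreading is not covered here and needs Directory Service change auditing (event 5136 on groupPolicyContainer objects), which many environments do not enable by default.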

Emotet tests OneNote infections
Security researcher abel detailed Emotet's new distribution technique, which delivers the malware through Microsoft OneNote email attachments. The operators have historically relied on malicious macros in Microsoft Word and Excel attachments. Because Microsoft now blocks macros by default in Office files downloaded from the internet, moving to OneNote attachments lets the criminals sidestep that control and infect more targets.
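OneNote abuse works by embedding a file (a script or executable) inside the notebook and luring the reader into double-clicking it, so the practical check is to carve every embedded file out of a .one attachment and look at what it is. The following is an added example, not code from the researcher or from any Emotet sample: a carver that walks the FileDataStoreObject structures defined in Microsoft's MS-ONESTORE format (a fixed header GUID, an 8-byte little-endian payload length, 12 bytes of unused/reserved fields, the payload, then a footer GUID) and flags payloads that are executables or scripts. The sample notebook bytes are constructed inline; the content heuristics are assumptions you should extend.

```python
"""Carve embedded files out of a OneNote (.one) section and flag risky ones.

Added example; not part of the original briefing nor of any Emotet sample.
Assumes the MS-ONESTORE FileDataStoreObject layout: header GUID (16 bytes),
cbLength (8 bytes, little-endian), 4 unused + 8 reserved bytes, FileData,
footer GUID (16 bytes). SAMPLE_NOTE below is constructed, not a real file.
"""
import re
import struct

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} / {71FBA722-0F79-4A0B-BB13-899256426B24}
# as they appear on disk (little-endian GUID encoding).
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")

# Content heuristics (assumed; extend for your environment).
_MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0": "ole",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
}
_SCRIPT_MARKERS = (b"wscript", b"powershell", b"cmd.exe", b"createobject(", b"<script")


def carve_embedded_files(blob: bytes) -> list:
    """Return every FileDataStoreObject payload found in the byte blob."""
    found = []
    for m in re.finditer(re.escape(FILE_DATA_HEADER), blob):
        start = m.end()
        if start + 20 > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, start)  # cbLength
        data_off = start + 20                              # skip unused + reserved
        data = blob[data_off:data_off + length]
        footer = blob[data_off + length:data_off + length + 16]
        found.append({
            "offset": m.start(),
            "length": length,
            "data": data,
            "footer_ok": footer == FILE_DATA_FOOTER,  # truncated/odd objects fail this
        })
    return found


def classify(data: bytes) -> str:
    """Rough content type from magic bytes, then script keywords."""
    for magic, kind in _MAGIC.items():
        if data.startswith(magic):
            return kind
    lowered = data.lower()
    if any(marker in lowered for marker in _SCRIPT_MARKERS):
        return "script"
    return "other"


def scan_onenote(blob: bytes) -> list:
    """Carve and classify; 'suspicious' is True for executables, scripts or malformed objects."""
    verdicts = []
    for obj in carve_embedded_files(blob):
        kind = classify(obj["data"])
        verdicts.append({**obj, "kind": kind,
                         "suspicious": kind in ("pe", "script") or not obj["footer_ok"]})
    return verdicts


def _file_data_object(payload: bytes) -> bytes:
    """Build one FileDataStoreObject (used only to construct the sample)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload))
            + b"\x00" * 4 + b"\x00" * 8 + payload + FILE_DATA_FOOTER)


# Constructed sample: a benign PNG stub followed by an embedded JScript-like lure.
SAMPLE_SCRIPT = b'var s = new ActiveXObject("WScript.Shell"); s.Run("cmd.exe /c whoami");'
SAMPLE_NOTE = (b"\x00" * 64
               + _file_data_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
               + b"\x00" * 32
               + _file_data_object(SAMPLE_SCRIPT)
               + b"\x00" * 16)

if __name__ == "__main__":
    for v in scan_onenote(SAMPLE_NOTE):
        print(f'offset={v["offset"]} len={v["length"]} kind={v["kind"]} suspicious={v["suspicious"]}')
```

Run it over real attachments by reading the .one file into `scan_onenote`; any carved payload classified as `pe` or `script` is worth a closer look, regardless of what icon the note shows the user.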

Mispadu banking trojan
Multiple spam campaigns, running since August 2022, have harvested over 90,000 bank account credentials stolen from more than 17,500 unique websites. The banking trojan used in the operation has been dubbed Mispadu. Cybersecurity firm Metabase Q, which uncovered the campaigns, reports that they targeted Bolivia, Mexico, Peru, Chile, and Portugal.

Top Vulnerabilities Reported in the Last 24 Hours


Security hole in Microsoft 365 suite
A vulnerability in Microsoft Outlook, tracked as CVE-2023-23397, jeopardizes the security of the Microsoft 365 suite. It lets an attacker obtain a user's credentials (the Net-NTLMv2 hash) by sending a specially crafted email. No user interaction is required, since the flaw triggers when the Outlook client processes the message, which is why it has been described as potentially wormable. The flaw affects Outlook for Windows in Microsoft Office 2019, 2016, 2013, and LTSC editions.
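The crafted message works by pointing the item's reminder sound at a path on an attacker-controlled host, so that Outlook authenticates to that host over SMB (or WebDAV) when the reminder fires. The following is an added example, not Microsoft's own CVE-2023-23397 audit script and not from the briefing: given reminder-path strings pulled from mailbox items, it reports the ones that would make Outlook reach out to a remote host. It assumes you already have the string value of the extended MAPI property PidLidReminderFileParameter for each item (the property name is a fact about the flaw, the export method is yours); the item IDs and paths are constructed.

```python
"""Flag Outlook reminder sound paths that point at a remote host.

Added example; not Microsoft's CVE-2023-23397 script and not from the briefing.
Assumes the input is the string value of PidLidReminderFileParameter for each
calendar/task item, obtained from a mailbox export; SAMPLE_ITEMS is constructed.
"""
import re
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _norm(host: str):
    """Strip a WebDAV '@SSL@443' suffix and drop local hosts."""
    host = host.split("@")[0].lower()
    if not host or host in LOCAL_HOSTS:
        return None
    return host


def remote_host_from_reminder_path(value: str):
    """Return the host a reminder path would make Outlook connect to, or None if local."""
    if not value:
        return None
    v = value.strip()
    # Long-path UNC forms: \\?\UNC\host\share and \\.\UNC\host\share
    m = re.match(r"^\\\\[?.]\\UNC\\([^\\]+)", v, re.IGNORECASE)
    if m:
        return _norm(m.group(1))
    # Plain UNC \\host\share, including WebDAV-style \\host@SSL@443\share
    m = re.match(r"^\\\\([^\\/]+)", v)
    if m:
        return _norm(m.group(1))
    # file://host/share/x.wav ; file:///C:/... has an empty host and is local
    if v.lower().startswith("file:"):
        return _norm(urlparse(v).hostname or "")
    return None


def flag_items(items):
    """items: iterable of (item_id, reminder_path). Returns [(item_id, host)] for remote paths."""
    flagged = []
    for item_id, path in items:
        host = remote_host_from_reminder_path(path)
        if host:
            flagged.append((item_id, host))
    return flagged


# Constructed sample items (documentation IP ranges, not real hosts).
SAMPLE_ITEMS = [
    ("appt-001", r"C:\Windows\Media\Alarm01.wav"),
    ("appt-002", r"\\203.0.113.7\sounds\alarm.wav"),
    ("task-003", r"\\files.example.test@SSL@443\dav\tune.wav"),
    ("appt-004", r"\\?\UNC\192.0.2.9\share\x.wav"),
    ("appt-005", "file://198.51.100.4/public/ring.wav"),
    ("appt-006", "file:///C:/Windows/Media/ring.wav"),
    ("appt-007", r"\\localhost\c$\x.wav"),
    ("appt-008", ""),
]

if __name__ == "__main__":
    for item_id, host in flag_items(SAMPLE_ITEMS):
        print(f"{item_id}: reminder points at remote host {host}")
```

Any hit is a candidate for removal and for checking whether the host was actually contacted. Patching Outlook is the fix; Microsoft's interim mitigations are blocking outbound TCP 445 at the perimeter and adding users to the Protected Users group so NTLM is not used for them.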

FortiOS flaw abused by Chinese hackers
The Chinese espionage group tracked as UNC3886 was spotted exploiting a now-patched medium-severity vulnerability in Fortinet's FortiOS, tracked as CVE-2022-41328. The group used the flaw, a path traversal issue, to read and write files on the device, which let it access data and corrupt the OS and underlying files.


Posted on: March 20, 2023
