Cyware Daily Threat Intelligence, March 24, 2023

BlackGuard stealer is becoming more sophisticated than ever. The new malware variant adds persistence mechanisms, USB propagation, additional payload delivery, and the ability to target more crypto wallets. Researchers note that the malware is seeing a decent adoption rate owing to its extensive app-targeting capabilities as well as the closing of the original Raccoon Stealer MaaS operation. Meanwhile, a backup service bug (CVE-2023-27532) in Veeam's Backup & Replication (VBR) needs your utmost attention. Though the company released security updates for VBR V11 and V12 two weeks ago, unpatched users are now at greater risk of exploitation because exploit code is publicly available.

In another headline, security experts have warned against a high-severity vulnerability within the WooCommerce Payments plugin. Automattic, the company behind WordPress and WooCommerce, has urged users to update to plugin version 5.6.2.

Top Breaches Reported in the Last 24 Hours


Three more victims of GoAnywhere MFT breach
The City of Toronto, Virgin Red (U.K.), and the Pension Protection Fund (U.K.) also fell victim to the attack by the Clop ransomware group, which allegedly abused the Fortra GoAnywhere MFT zero-day. The vulnerability, now tracked as CVE-2023-0669, allows remote code execution on unpatched GoAnywhere MFT systems whose administrative consoles are exposed to the internet. Other victims include Investissement Québec, Pluralsight, and Rio Tinto.

Health data compromised in two instances
Kroger’s Postal Prescription Services (PPS) exposed the names and email addresses of more than 82,000 patients owing to an internal error. Patients who created an online PPS account between July 2014 and January 13, 2023, were impacted. Meanwhile, video software firm SundaySky disclosed to HHS a data breach affecting more than 37,000 individuals.

South Korean beauty content platform attacked
PowderRoom, allegedly the biggest online beauty community in South Korea, was found exposing the full names, phone numbers, emails, Instagram IDs, and home addresses of about a million users via an unsecured database. Security analysts also found a million authentication tokens in the database and warned that they could be used to hijack user accounts on the website.

Top Malware Reported in the Last 24 Hours


New variant of BlackGuard stealer
BlackGuard, which was first spotted in March 2022, has received an upgrade with several new capabilities. It added a crypto wallet hijacker module that carries hardcoded addresses and supports multiple cryptocurrencies. The stealer can now propagate via USB and other removable devices to infect new hosts. It can also steal data and drain crypto assets from 12 more cryptocurrency browser extensions and wallets.

AresLoader: The new MaaS
Russian cybercriminals have been seen leveraging the new malware-as-a-service (MaaS) AresLoader to target victims. They are distributing the malware packaged as installers for popular software. The AresLoader panel offers an optional binder service that combines a legitimate file with the malicious loader. The loader gives attackers remote access to infected systems and the ability to deliver other payloads.

Top Vulnerabilities Reported in the Last 24 Hours


Bug in WooCommerce Payments
Security expert Michael Mazzolini uncovered a critical bug in the WooCommerce Payments plugin, which has more than half a million active installations. The flaw enables an unauthenticated user to take control of affected websites. Experts have urged users to scan their WordPress websites for suspicious activity. The bug was disclosed through HackerOne.

Exploit code for VBR
Two weeks after Veeam released patches for a sensitive backup service bug in its Backup & Replication software, exploit code for it has been published. The bug, tracked as CVE-2023-27532, impacts all VBR versions. Successful exploitation lets cybercriminals damage the backup infrastructure by stealing plaintext credentials and achieving remote code execution.

ICS vulnerabilities in WellinTech’s software
Cisco’s Talos shared details of two critical vulnerabilities reported in WellinTech’s KingHistorian industrial data historian software. The first bug, tracked as CVE-2022-45124, allows an attacker to obtain the username and password of a legitimate user. The second issue, CVE-2022-43663, can be abused for arbitrary code execution or to trigger a DoS condition.

Posted on: March 24, 2023