Go to listing page

Cyware Daily Threat Intelligence, February 01, 2023

Cyware Daily Threat Intelligence, February 01, 2023

Share Blog Post

After nearly two months, the security of the servers of MegaRAC BMC is once again under scrutiny. Two vulnerabilities have been reported in AMI’s software, one of which can be exploited to initiate a password reset through social engineering attempts. Three security flaws were brought to light in the same product two months back. Moving on, the threat actors behind Nevada Ransomware look supercharged with full-fledged network intrusion readiness to cause maximum damage to their targets. They supposedly have a dedicated team for performing post-exploitation operations.

Meet LockBit Green! After LockBit Red and LockBit Black, there’s another version of LockBit, reportedly meant to target cloud-based services. Moreover, security analysts observed a similarity of 89% with the leaked Conti ransomware variant.

Top Breaches Reported in the Last 24 Hours

Ukrainian IT Army intrudes Russian energy firm
The IT Army of Ukraine claimed to have penetrated the systems of Russian energy giant Gazprom and extracted data in a 1.5 GB archive. The archive allegedly contains over 6,000 files of the companies associated with the Gazprom group. The information accessed by the hackers may include financial and economic activities, reports on testing and drilling, along with implementation and adjustment of automated systems at the Koviktinsky well.

Hacker targets Massachusetts school
Nantucket Public Schools in Massachusetts suffered a ransomware attack that disrupted the entire island’s public school internet system. Students and staff were dismissed earlier than normal timings. Officials have announced that nobody should use school-issued devices at home until further notice. 

Planet Ice breached
Hackers infiltrated the systems of Planet Ice and managed to harvest the personal details of more than 240,000 individuals. The cyberattack forced it to shut down its booking website. The exposed personal data includes dates of birth, names, email addresses, passwords, phone numbers, physical addresses, purchase data, and more.

Google Fi’s customer data leak
Customers of the Google Fi telecommunications service were informed regarding a security breach after an unauthorized user gained access to a third-party customer support system. Experts surmised that the incident could be related to the recently disclosed T-Mobile cyberattack. The list of impacted data contains phone numbers, account activation dates, SIM card serial numbers, mobile service plans, and account status.

Top Malware Reported in the Last 24 Hours

TZW ransomware arrives as Boot info
The ASEC analysis team stumbled across a variant of TZW ransomware that was being propagated with the version info marked as ‘System Boot Info’. The malware camouflaged itself as a general program file related to boot information. Hackers reportedly encrypt all folders aside from the Windows folder, and post-encryption, volume shadow copies are deleted to disable the recovery process.

Fake OAuth Apps stealing and prying
Security experts at Proofpoint disclosed that cyber adversaries are using malicious OAuth applications to abuse Microsoft's "verified publisher" status. The activity is intended to gain access to the cloud environments of targeted organizations, pilfer data, and also scan through users' mailboxes, calendars, files, and more. The early signs of the campaign, involving consent phishing, were spotted in December 2022.

Nevada Ransomware is all buzz in dark web
A new version of Nevada Ransomware has emerged on underground forums. The actors behind this variant, as experts with Resecurity confirmed, have an affiliate platform first introduced in the RAMP underground community. The group recently distributed an updated locker—written in Rust— supporting encryption of Windows and Linux/ ESXi systems.

Another LockBit version out
Operators of the LockBit ransomware rolled out a new version of their malware, dubbed LockBit Green. It is the modified version of the ESXI ransomware variant and is created to launch attacks against cloud-based services. Moreover, researchers highlighted that the new LockBit variant has a significant overlap with the Conti(v3) ransomware, whose source code was leaked last year.

Top Vulnerabilities Reported in the Last 24 Hours

Full takeover of pesign script
Researcher Marco Benatto uncovered a local privilege escalation vulnerability, CVE-2022-3560, in pesign, a command line tool for manipulating signatures and cryptographic digests of UEFI applications. There’s a pesign-authorize script that runs with root privileges and grants an unauthenticated user full access to pesign via POSIX access control lists.

Servers of MergaRAC BMC at risk
Firmware security firm Eclypsium shared details about two supply chain security flaws in AMI MegaRAC Baseboard Management Controller (BMC) software. The bugs, tracked as CVE-2022-26872 and CVE-2022-40258, allow an actor to obtain remote access and run arbitrary commands with superuser permissions. The former is a password reset interception issue, while the latter is a weak password hashing issue.


tzw ransomware
lockbit green
oauth applications
nantucket public schools
ami megarac
nevada ransomware
ramp marketplace
planet ice
google fi

Posted on: February 01, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite