Go to listing page

Cyware Daily Threat Intelligence, February 03, 2023

Cyware Daily Threat Intelligence, February 03, 2023

Share Blog Post

Android users in Southeast Asia are facing heightened threats in the form of TgToxic malware that camouflages itself as banking and financial apps. It leverages an automation framework to meddle with the device UI and allow hackers to monitor user input and perform clicks and gestures. Meanwhile, the administrators of GoAnywhere MFT need to watch out for the presence of any dubious admin account. If so, hackers have managed to successfully abuse a recently uncovered zero-day for performing RCE attacks.

Hackers can’t keep calm! Researchers have observed instances of exploitation of a critical bug in Oracle E-Business Suite after the release of a POC exploit. Customers are urged to apply the available patches as soon as possible.

Top Breaches Reported in the Last 24 Hours

Cyberattack on Black & White Cabs
The services of Black & White Cabs in Australia were disrupted in wake of a cyber incident that knocked the company's phone and online booking system offline. The firm confirmed that it fell victim to the CryptoLocker ransomware. It’s not clear when the services will be up and running. The suspicious activity was first detected on Wednesday.

Vice Media exposed confidential data
A breach involving Vice Media as the victim laid bare the personal and financial data of more than 1,700 people. The media firm has made two separate filings. In the first one, it said the incident includes Social Security numbers of individuals, however, the latter one also mentions financial records on victims, such as account numbers, credit and debit card numbers, access codes, passwords, and PINs. 

Firebrick Ostrich - A potential BEC group
According to Abnormal Intelligence, Firebrick Ostrich, a BEC group that specializes in third-party reconnaissance attacks, has carried out over 350 BEC campaigns by impersonating 151 organizations and using 212 malicious domains in the process. Its key victims are based in the U.S., spanning retail, education, healthcare, transportation, and other sectors.

Top Malware Reported in the Last 24 Hours

Android trojan hunts in Southeast Asia
Trend Micro experts took the wraps off of an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. It involves embedding a trojan they named TgToxic for harvesting user data from multiple fake finance and banking apps, including cryptocurrency wallets. The samples of the malware have been identified in Taiwan, with its phishing lures detected in Thailand and Indonesia as well.

MalVirt loaders drop Formbook stealer
Cybercriminals were found distributing virtualized .NET malware loaders, dubbed MalVirt, in a Google Ads-based malvertising campaign to install the Formbook information stealer. The hackers used KoiVM virtualization technology to obfuscate their implementation and execution in their campaigns. The malware has keylogging, credential stealing, and additional malware loading capabilities.

Konami Code backdoor on the rise
Sucuri experts disclosed details related to Konami Code backdoor that was first detected in 2019 and whose usage has lately been growing in the hacker community. The backdoor purports to be a fake WordPress plugin. Over the past three months, these fake plugins were detected 15,000 times. Experts presume it’s likely being offered within a popular attack kit.

Top Vulnerabilities Reported in the Last 24 Hours

Bugs in EV charging system
Israel-based SaiFlow unearthed security holes in electric vehicle charging management systems. The problem is related to the use of WebSocket communications by the Open Charge Port Protocol (OCPP) and how it mishandles multiple connections. Hackers can abuse the flaw to launch DDoS attacks. Further exploitation may lead to energy theft or exposure of driver information and server credentials through the charging system management service (CSMS).

Multifaceted HPE bug
Hewlett Packard Enterprise (HPE) warned about a critical a use-after-free vulnerability that enables cyber adversaries to execute arbitrary code, access data, or even trigger a DoS condition on targeted systems. The flaw, CVE-2022-40674, lies in its OneView infrastructure management platform and is associated with the use of a third-party component called Expat XML parser.

Zero-day flaw in GoAnywhere MFT
The users of GoAnywhere MFT (by Fortra) were warned of a zero-day RCE exploit that malicious actors can target directly from the internet. However, the advisory doesn’t clarify whether the flaw has been exploited in the wild. The presence of suspicious administrator accounts is the key indicator of compromise in this case. Notably, the web client interface is not affected by the exploit.

Oracle bug exploited after PoC release
Nonprofit security organization Shadowserver detected hackers’ attempts to abuse a sensitive vulnerability in Oracle E-Business Suite soon after a proof-of-concept (PoC) exploit code was published online. The flaw, CVE-2022-21587, resides in the Web Applications Desktop Integrator of Oracle’s enterprise product. The bug was also added to the CISA’s KEV catalog.

Critical Atlassian flaw resolved
Atlassian addressed a critical security flaw, tracked as CVE-2023-22501, in Jira Service Management Server and Data Center. An attacker could take advantage of it to gain unauthorized access to susceptible instances. The flaw, as a case of broken authentication with low attack complexity, was introduced in version 5.3.0 and impacts versions 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0.

Risky F5 BIG-IP appliance
A high-severity flaw in F5 BIG-IP appliances, assigned CVE-2023-22374, could lead to DoS or arbitrary code execution. The format string vulnerability exists in iControl SOAP interface and affects versions 13.1.5, - 14.1.5, - 15.1.8, - 16.1.3, and 17.0.0. An unauthorized user can achieve root access by inserting arbitrary format string characters into a query parameter.


tgtoxic malware
ev charging infrastructure
atlassian jira
goanywhere mft
f5 big ip products
firebrick ostrich
black white cabs
konami code backdoor
formbook information stealer
oracle e business suite
open charge port protocol ocpp
icontrol soap
vice media
zero day
poc release

Posted on: February 03, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite