
Cyware Daily Threat Intelligence, February 08, 2023



Is Medusa evil or good? In this case, definitely evil. The Medusa botnet has made a comeback with a broader skill set, from ransomware capabilities to being sold as a DDoS malware-as-a-service. Attackers are increasingly using Microsoft OneNote to deliver a variety of malware, and the QBot banking trojan has now joined that league of threats. Cybercriminals can embed almost any file type in a malicious OneNote document, such as LNK or VBS attachments.

Ukraine faces a new cyber threat in the form of info-stealing malware dubbed Graphiron. Nodaria, an APT linked to the WhisperGate wiper attacks, is believed to be behind the operation. The group was largely unknown before the Russian invasion of Ukraine.

Top Breaches Reported in the Last 24 Hours

MTU campuses hit by cyberattack
A significant cyberattack crippled the IT infrastructure of Ireland-based Munster Technological University's campuses in Cork. The attack follows a string of similar incidents at German-speaking universities. Officials have urged staff and students to watch their email for further information; it is unclear when MTU expects to restore its systems.

e-Commerce site exposed years of data
Cybernews researchers spotted Elevel-owned online shop e.way exposing customer PII through an open dataset containing 1.1TB of data. Two years' worth of private information, including customer first and last names, phone numbers, email addresses, and delivery addresses, was exposed. The Russia-based shop also exposed login credentials, with passwords stored in URL-encoded form.

Top Malware Reported in the Last 24 Hours

CISA helps undo ESXiArgs impact
The ESXiArgs ransomware campaign against vulnerable VMware ESXi servers began last week. CISA has now released a script that organizations can use to restore ESXi servers encrypted in the widespread ESXiArgs attacks. According to a list of bitcoin addresses compiled by CISA technical advisor Jack Cable, the attacks have so far encrypted some 2,800 servers.

Medusa undergoes a major overhaul
Researchers at Cyble uncovered a new version of the Medusa DDoS botnet built on the leaked Mirai source code, from which it inherits Mirai's DDoS attack options and Linux-targeting capabilities. It also carries a ransomware module and a Telnet brute-forcer, and a dedicated portal now advertises Medusa as malware-as-a-service for DDoS or mining.

QBot adopts OneNote to propagate
A large-scale QakNote campaign is underway that drops the QBot banking trojan on systems via malicious Microsoft OneNote attachments. The phishing emails carry OneNote files with an embedded HTML application (HTA file) that retrieves the QBot payload. The adoption signals “a much more automated, streamlined fashion” compared with the previous small-scale malware attacks.

Ukraine faces Graphiron attack
Researchers at Broadcom's Symantec detailed an information-stealing malware known as Graphiron, which the Russia-affiliated APT group Nodaria is using in operations against Ukraine. Written in Go, the malware lets operators gather a variety of data from infected systems, including screenshots, files, system information, and login credentials.

Top Vulnerabilities Reported in the Last 24 Hours

Toyota blurts out sensitive data
US-based researcher Eaton Zveare discovered a bug in Toyota's GSPIMS web portal that gave him access to private data. The issue reportedly stemmed from how the portal handled JWT (JSON Web Token) authentication: it exposed a function that generated a valid JWT for any supplied email address, so anyone who knew a user's email address could obtain a token for, and access to, that account.
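The flaw class described above is worth seeing in code. The following is an added example written for this briefing, not Toyota's code and not Zveare's proof of concept: a minimal HS256 JWT issuer and verifier built on the standard library, with the weak pattern (a correctly signed token for whatever email the caller supplies) beside the corrected one (a token only after the caller proves control of the account). The signing key, salt, user table and `example.com` addresses are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a signing key and one registered user.
# Real services keep the key in a secrets store, the users in a database,
# and a random per-user salt; a fixed salt is used here so the demo is deterministic.
SIGNING_KEY = b"example-hs256-signing-key"
_SALT = b"example-salt"
USERS = {
    "alice@example.com": hashlib.pbkdf2_hmac("sha256", b"correct-horse-battery", _SALT, 100_000),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    The algorithm is pinned to HS256, so a forged header such as alg=none is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    current = now if now is not None else int(time.time())
    if int(claims.get("exp", 0)) <= current:
        return None
    return claims


def issue_token_vulnerable(email: str) -> str:
    """The flawed pattern: a valid, correctly signed token for whatever e-mail the
    caller supplies. The cryptography is fine; nothing proves the caller owns the address."""
    return sign_jwt({"sub": email, "exp": int(time.time()) + 3600}, SIGNING_KEY)


def issue_token_hardened(email: str, password: str) -> Optional[str]:
    """Issue a token only after the caller proves control of the account."""
    stored = USERS.get(email)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):
        return None
    return sign_jwt({"sub": email, "exp": int(time.time()) + 3600}, SIGNING_KEY)


def authenticated_subject(token: str) -> Optional[str]:
    """What a protected endpoint would trust: the 'sub' claim of a valid token."""
    claims = verify_jwt(token, SIGNING_KEY)
    return claims["sub"] if claims else None


if __name__ == "__main__":
    # Knowing only the victim's e-mail is enough against the vulnerable endpoint...
    forged = issue_token_vulnerable("alice@example.com")
    print("vulnerable endpoint logs the attacker in as:", authenticated_subject(forged))
    # ...while the hardened endpoint refuses without the password.
    print("hardened endpoint, wrong password:", issue_token_hardened("alice@example.com", "guess"))
```

The point the example makes is that the token itself is not the weak link: `verify_jwt` accepts the forged token because it was minted with the real key. The bug is an issuance endpoint that binds a `sub` claim to an identity nobody has authenticated, which is why the fix belongs in `issue_token_hardened`, not in the verifier.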

Flawed Gartner Peer Insights widget
A DOM-based cross-site scripting (XSS) flaw was discovered in the Gartner Peer Insights widget and is believed to have existed since the widget was first released. While the widget was available, several websites that embedded it were vulnerable to DOM XSS, a client-side attack that executes within the victim's browser rather than on the server. Proof-of-Concept (PoC) code, exploit test pages, and a YouTube video demonstrating the bug have been made public.

ICS bugs in Siemens ALM
Industrial cybersecurity firm Otorio disclosed two critical flaws in the Siemens Automation License Manager (ALM) that can be chained to compromise industrial control systems. The first, CVE-2022-43513, may allow a remote, unauthenticated attacker to rename and relocate license files with the privileges of the System user. The second, CVE-2022-43514, lets an attacker reach and manipulate files outside the designated root folder.
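The second flaw belongs to a familiar class: a file operation that joins caller-supplied names onto a root directory without checking that the result stays inside it. The following is an added example for this briefing, not Siemens code and not Otorio's exploit: a generic rename routine in the unchecked form beside one confined to its root, exercised against a throwaway directory layout. The `licenses` directory, the `.alm` file name and the `outside` directory are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Canonicalise `requested` against `root` and return it only if it stays inside.
    `..` segments, absolute paths and symlinks pointing elsewhere are all caught,
    because resolve() follows them before the containment check runs."""
    root_path = Path(root).resolve()
    candidate = (root_path / requested).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return candidate


def rename_license_unchecked(root: str, src: str, dst: str) -> Path:
    """The flawed pattern: trust the caller's names and join them onto the root.
    A '../' in either name walks out of the licence directory."""
    target = Path(root) / dst
    os.replace(Path(root) / src, target)
    return target


def rename_license_checked(root: str, src: str, dst: str) -> Optional[Path]:
    """Same operation with both names confined to the root before anything is touched."""
    src_path = resolve_under_root(root, src)
    dst_path = resolve_under_root(root, dst)
    if src_path is None or dst_path is None or not src_path.is_file():
        return None
    os.replace(src_path, dst_path)
    return dst_path


def demo() -> dict:
    """Build <tmp>/licenses/key.alm plus a sibling <tmp>/outside directory (constructed),
    then try to move the licence out of its root with both implementations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "licenses")
        outside = os.path.join(tmp, "outside")
        os.mkdir(root)
        os.mkdir(outside)
        Path(root, "key.alm").write_text("constructed licence blob")
        results = {}
        # The containment check on its own.
        results["plain"] = resolve_under_root(root, "key.alm") is not None
        results["dotdot"] = resolve_under_root(root, "../outside/key.alm") is None
        results["absolute"] = resolve_under_root(root, outside) is None
        try:
            os.symlink(outside, os.path.join(root, "link"))
            results["symlink"] = resolve_under_root(root, "link/key.alm") is None
        except OSError:  # symlinks unavailable on this host; case not exercised
            results["symlink"] = None
        # The checked rename refuses to leave the root but works inside it...
        results["checked_refused"] = rename_license_checked(root, "key.alm", "../outside/stolen.alm") is None
        results["checked_ok"] = rename_license_checked(root, "key.alm", "renamed.alm") is not None
        # ...while the unchecked one relocates the file outside the root.
        moved = rename_license_unchecked(root, "renamed.alm", "../outside/stolen.alm")
        results["unchecked_escaped"] = moved.exists() and moved.resolve().parent == Path(outside).resolve()
        return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two details matter in practice. The check must run on the canonical path (`resolve()`), not on the string, or a symlink inside the root defeats a plain `..` filter; and it must be applied to every name the caller controls, the source as well as the destination, since the relocation half of the first flaw is just as useful to an attacker as the read half.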


ukraine conflict
qakbot trojan
medusa botnet
munster technological university mtu
toyota gspims
nodaria apt
siemens automation license manager
gartner peer insights
dom xss flaw

Posted on: February 08, 2023
