Go to listing page

Cyware Daily Threat Intelligence, February 14, 2023

Cyware Daily Threat Intelligence, February 14, 2023

Share Blog Post

The software development world relies on numerous open-source packages and hackers are keeping a track of them. In two different research reports, security experts laid bare nearly 1000 rogue PyPI and npm packages containing crypto-miners, RATs, and more. Speaking of malware threats, cybercriminals have once again emphasized the importance of the Shadowpad modular backdoor in their campaigns. The recent campaign targets diplomatic entities in South America. The group has a history of targeting government agencies and think tanks in Asia and Europe.

In its first zero-day patch revelation for the year, Apple also disclosed that hackers are already exploiting the flaw. The flaw, a WebKit confusion issue, enables a threat actor to trigger OS crashes and execute arbitrary code on compromised devices. 

Top Breaches Reported in the Last 24 Hours

University data exposed by ransomware group
The BlackCat ransomware group leaked over 6 GB of data pertaining to Ireland's Munster Technological University. The data dump includes student bank account information, staff medical diagnoses, and other sensitive data. The university disclosed the cyber incident last week after hackers interrupted its IT systems, postponing classes at its Cork campuses.

Obtain orchestra ticket offline
Cyber adversaries knocked the websites of Philadelphia Orchestra and its home venue offline in a cyberattack. The orchestra and the Kimmel Center revealed that the attack has impacted their ticket sales. Meanwhile, the organizations stated that physical tickets are still available, and a temporary gateway was set up to make ticket purchases easier.

‘Al-Toufan’ impairs critical entities in Bahrain
A cybercriminal group calling itself Al-Toufan targeted the websites of Bahrain International Airport and the state-run Bahrain News Agency. Hours earlier, the group attacked and changed articles on the website of Akhbar Al Khaleej, a pro-government newspaper in Bahrain, suggest experts. Hackers claimed that the attack was to mark the anniversary of the Arab Spring.

Top Malware Reported in the Last 24 Hours

Delivering Clipper malware to steal crypto
Researchers at Phylum uncovered over 451 unique Python packages typosquatting popular packages such as beautifulsoup, bitcoinlib, pandas, pytorch, cryptofeed, matplotlib, scikit-learn, scrapy, and others. Threat actors deploy a clipper malware that is designed to function as a clipboard-based crypto wallet address replacing malware. Additionally, hackers have adopted a new obfuscation technique to conceal the JavaScript code.

DEV-0147 drops ShadowPad and QuasarLoader
China-based espionage actor, tracked as DEV-0147 by Microsoft’s Security Intelligence team, has been observed targeting diplomatic entities in South America with ShadowPad aka PoisonPlug. The malware is considered a successor to the PlugX malware. Another malicious tool the hackers are using is QuasarLoader that allows deployment of additional payloads onto the compromised hosts.

Malicious npm and PyPI packages
Security vendor Sonatype reported 691 malicious npm packages and 49 malicious PyPI components that could prove fatal for a developer environment. Several packages were discovered containing the same package.go file – a Trojan that helps mine cryptocurrency from Linux systems. Researchers also spotted a new Python malware that combined the capabilities of a RAT and an information stealer.

MortalKombat and Laplas clipper in one
There’s a new financially motivated campaign utilizing MortalKombat ransomware and the Laplas clipper. While the former is a variant of the Xortist commodity ransomware, the latter is a cryptocurrency hijacker that monitors the Windows clipboard for crypto addresses. The campaign’s focus remained on the U.S., with a handful of victims spread across the U.K, Turkey, and the Philippines.

Top Vulnerabilities Reported in the Last 24 Hours

Apple addressed critical zero-day
Apple has issued a security fix for a zero-day affecting iOS, iPadOS, and macOS. The bug, CVE-2023-23529, is a type confusion issue in the WebKit browser engine of Safari and is being actively exploited in the wild. Hackers can abuse it through maliciously crafted web content, resulting in arbitrary code execution. However, researchers were unsure how the flaw is being exploited in real-world attacks.


al toufan
shadowpad backdoor
pypi repository
philadelphia orchestra
laplas clipper
munster technological university mtu
bahrain news agency
bahrain international airport
apple zero day vulnerability

Posted on: February 14, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite