Cyware Daily Threat Intelligence, February 17, 2023

Cybercriminals are back at manipulating Google search results to push malicious installers. Chinese speakers in Southeast and East Asia are being specifically targeted in a campaign that leads to the delivery of FatalRAT. Researchers clarified that none of the malware or network infrastructure could be linked to the known activity of any familiar group. The highly anticipated Harry Potter video game Hogwarts Legacy has been released, and hackers have started to exploit the opportunity in a scam campaign that distributes cracked versions of the game.

Moving on, Mozilla has rolled out some critical updates for Firefox. The browser firm introduced Firefox 110 and Firefox ESR 102.8, which arrived with patches addressing several high-, medium-, and low-severity flaws.

Top Breaches Reported in the Last 24 Hours

Atlassian suffers third-party breach
Atlassian confirmed a breach incident that occurred via a third-party application after hackers leaked stolen data on Telegram. Threat actors reportedly hacked into Envoy, an app that helps companies organize office spaces, to steal Atlassian data. The information pilfered by the criminals includes employee records, building floor plans, and more. Envoy’s other high-profile clients include Slack, the Golden State Warriors, Pinterest, and others.

Cutout left user data unsecured
Cutout, a web-based AI image editing tool, was spotted exposing 22 million log entries containing 9 GB worth of customer data via an open ElasticSearch instance. The exposed data includes user images, usernames, and email addresses. The research team also stumbled across data from two other image editing apps in the open database: Vivid and AYAYA.

Cyberattack on snowboard manufacturing firm
The processing of online orders came to a halt at snowboard manufacturing company Burton Snowboards in the wake of a cyberattack. The victim firm said it is PCI compliant, so it does not store credit card details or bank account numbers during the order process or post-order processing. The nature of the attack remains unknown.

Top Malware Reported in the Last 24 Hours

FatalRAT targets Chinese-speaking individuals
Security analysts at ESET unearthed a malware campaign targeting Chinese-speaking people in Southeast and East Asia. The unknown hacker group has created copycat websites of popular apps, such as Firefox, WhatsApp, and Telegram. Alongside the legitimate software, the attackers also deliver FatalRAT to take over the victim’s system.

Frebniis - New malware threat to Microsoft’s IIS
There’s a new malware threat to Microsoft Internet Information Services (IIS) servers, dubbed Frebniis. Discovered by Symantec's Threat Hunter Team, the malware abuses the 'Failed Request Event Buffering' (FREB) feature of IIS, which is responsible for collecting request metadata such as IP addresses, HTTP headers, and cookies. By abusing the FREB component, it becomes relatively easier for hackers to evade detection.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable top npm package
Supply chain security company Illustria reported a flawed npm package that would allow a threat actor to gain access to the GitHub account associated with the package. The package, which sees over 3.5 million weekly downloads, can be taken over by registering an expired domain name belonging to one of its maintainers and then resetting the password. The research team hasn’t disclosed the name of the module.
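The takeover path described above is a lapsed-domain risk that a consumer of a package can audit for on their own side. The script below is an added example, not Illustria's tooling or the unnamed package's metadata: it reads a registry document in the shape of the npm registry's package JSON (only the `maintainers` array is used) and flags maintainers whose e-mail domain appears in a set of domains known to have lapsed. The registry document, the package name `example-widget`, and the `LAPSED_DOMAINS` set are all constructed; in practice that set would come from a WHOIS or DNS check that this offline script does not perform.

```python
"""Audit npm package maintainers for e-mail domains that are no longer registered.

Constructed example: the registry document below is a hand-made stand-in for the
JSON served by the npm registry for a package, and LAPSED_DOMAINS stands in for
the result of a real WHOIS/DNS availability check (assumption: such a check has
already been run and its output collected into that set).
"""
import json
from typing import Iterable, List, Tuple

# Constructed registry document in the shape of the npm registry's package JSON
# (the real document carries many more fields; only `maintainers` matters here).
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "example-widget",  # hypothetical package name
    "dist-tags": {"latest": "4.2.0"},
    "maintainers": [
        {"name": "alice", "email": "alice@example-active.test"},
        {"name": "bob", "email": "bob@lapsed-vendor.test"},
        {"name": "carol", "email": "carol@EXAMPLE-ACTIVE.test"},
    ],
})

# Constructed stand-in for a WHOIS/DNS check: domains currently open for
# anyone to register. A maintainer mailbox on such a domain is the weak point.
LAPSED_DOMAINS = {"lapsed-vendor.test"}


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if malformed)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def flag_lapsed_maintainers(registry_doc: str,
                            lapsed_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (maintainer name, e-mail) pairs whose e-mail domain has lapsed.

    A hit means whoever registers that domain can receive account-recovery mail
    for the maintainer and therefore publish under the package's name.
    """
    lapsed = {d.lower() for d in lapsed_domains}
    doc = json.loads(registry_doc)
    hits: List[Tuple[str, str]] = []
    for maintainer in doc.get("maintainers", []):
        addr = maintainer.get("email", "")
        if email_domain(addr) in lapsed:
            hits.append((maintainer.get("name", "?"), addr))
    return hits


if __name__ == "__main__":
    for name, addr in flag_lapsed_maintainers(SAMPLE_REGISTRY_DOC, LAPSED_DOMAINS):
        print(f"REVIEW: maintainer {name!r} uses a lapsed domain via {addr}")
```

Run over a real dependency tree, the same function would be fed one registry document per package and a lapsed-domain set produced by a registrar availability query; the comparison is case-insensitive because mail domains are.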

Firefox receives major updates
Mozilla addressed 10 high-severity flaws with the release of Firefox 110 and Firefox ESR 102.8. The latest versions of Firefox also fix a security hole related to screen hijacking via the browser’s fullscreen mode. Another bug, identified as CVE-2023-25728, could allow an attacker to leak a child iframe’s unredacted URI. Additionally, the firm issued patches for memory safety bugs affecting Firefox 109 and Firefox ESR 102.7.

Routers reached EOL, vulnerable
Outdated Arris routers have left users vulnerable to authenticated RCE exploits. Security researcher Yerodin Richards revealed that three Arris router models, the TG2482A, TG2492, and SBG10, are running firmware that has reached end-of-life. He published a Proof-of-Concept (PoC) to demonstrate exploitation of the bug. He further added that there is no HTTPS setting to secure credentials in transit.

Top Scams Reported in the Last 24 Hours

Extortion through PayPal
Check Point-owned Avanan found a campaign sending malicious invoices through PayPal to users, threatening them over supposed fraudulent activity on their accounts. The scammers pretend to impose a fine of $699.99 on users. Security experts noted that this campaign is different from other scams spoofing PayPal, as the invoices are sent through PayPal itself.

Smishing campaign targeting Romanians
An unknown hacker group is attempting to harvest Romanian telecom customers’ PII in a fake customs invoice smishing campaign. The scam begins with the user receiving an SMS regarding the status of a fictional package, presumably ordered from a different country. It contains a malicious URL that redirects users to a page that resembles the Romanian National Post’s official website.

Cracked version of Hogwarts Legacy
Scammers have set up websites peddling cracked versions of the game Hogwarts Legacy for free. These fake sites take visitors to different landing pages and request their personal data behind a survey form. In a different scenario, researchers observed that the downloaded file was a Trojan dropper, which dropped adware on the victim’s system.


Posted on: February 17, 2023
