Cyware Daily Threat Intelligence, February 28, 2023

Security experts have spotted an emerging post-exploitation framework, dubbed Exfiltrator-22, built to target corporate networks. Its operators promise uninterrupted updates and support to subscribers of their service, and the framework's capabilities range from lateral movement to ransomware dropping and much more. In other headlines, Houzez, the well-known premium WordPress plugin for real-estate websites, is under attack: researchers point to two sensitive security holes that allow unauthenticated users to escalate privileges on vulnerable sites.

Meanwhile, researchers warn Amazon Prime customers about Slinks, which are simply shortened LinkedIn URLs. In the ongoing campaign, scammers use them to harvest subscribers' sensitive personal data.

Top Breaches Reported in the Last 24 Hours

Another breach hits LastPass
LastPass suffered a second cyberattack after the system of a DevOps engineer working with the firm was hacked and implanted with keylogging malware. An unnamed threat actor reportedly combined data from the August breach with information gathered from a third-party data breach, and a security flaw in a third-party media software package to launch a coordinated attack.

Millions stolen from Boston-based fund
Pipefitters Local 537, a Boston-based labor union, suffered a $6.4 million loss in its health fund as a result of a cyberattack. According to an official, law enforcement is "optimistic" about recovering a majority of the stolen amount. In this attack, members' private information was not accessed by adversaries.

Top Malware Reported in the Last 24 Hours

EX-22: New post-exploitation framework
Hackers in the underground marketplace have introduced a new post-exploitation framework, Exfiltrator-22 (EX-22). According to the CYFIRMA team, LockBit 3.0 affiliates or members are most probably behind its development. The developers reuse C2 infrastructure previously exposed in a LockBit 3.0 sample. In the latest instance, the criminals demonstrated lateral movement and ransomware-spreading capabilities.

New update for RIG Exploit Kit (RIG EK)
RIG EK, infamous for distributing various malware families, such as SmokeLoader, Dridex, and RaccoonStealer, continues to abuse IE vulnerabilities, revealed security analysts at Prodaft. Actors using the kit attempt roughly 2,000 intrusions every day, with a success rate of about 30%. The success rate is the highest in its history owing to CVE-2021-26411 in IE.

Top Vulnerabilities Reported in the Last 24 Hours

WordPress Houzez theme exploited
Cyber adversaries were found targeting two high-risk flaws in the WordPress Houzez theme and plugin, which are often used by real estate websites. The first security issue was addressed in version 2.6.4 in the August 2022 release, and the second one was fixed in version 2.7.2, in the November 2022 release. The flaws allow attackers to execute arbitrary commands, inject ads on the website, and even redirect user traffic to other phishing sites.

CISA adds ZK framework bug to KEV
CISA has added a security bug in the open-source ZK Java web framework to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2022-36537, the flaw lets an attacker extract sensitive data through specially crafted POST requests sent to the AuUploader component. It affects ZK Framework version 9.6.1, among other versions, and also affects ConnectWise R1Soft Server Backup Manager.

Flaws in online checkout platforms
Germany’s Federal Office for Information Security, popularly known as BSI, has singled out flaws in online shopping software used by the top 10 e-commerce platforms, including Magento, PrestaShop, and Zen Cart. Most of them did not mandate strong passwords, and some were running software past its end-of-life date. Some websites also had CSRF and XSS bugs.

Top Scams Reported in the Last 24 Hours

Slinks as bait to Prime users
Scammers have been sending phishing emails containing bogus shortened LinkedIn URLs, also called Slinks. The text lures mention the renewal of the recipient's Amazon Prime membership. The email carries an ‘Update Now’ button that hosts the Slink URL; clicking it redirects the user to a phishing site resembling the Amazon login page.

Posted on: February 28, 2023