Cyware Daily Threat Intelligence, January 26, 2023

Government agencies make for lucrative targets, and attackers keep finding new ways to compromise their networks. In the latest such instance, the CISA, the NSA, and MS-ISAC warned that multiple federal civilian executive branch (FCEB) agencies had fallen victim to an attack campaign that leveraged legitimate remote desktop tools for malicious purposes. Another large-scale campaign, active for more than five years, was also uncovered: the attackers compromised 4,500 WordPress sites with web injects that redirect users to black hat ad networks.

Meanwhile, new malware threats continue to make headlines. A new Python-based RAT called PY#RATION was found utilizing WebSockets for both C2 communication and data exfiltration. In another developing story, the Kronos malware has resurfaced in a new campaign targeting financial institutions in Mexico, through a malicious Chrome extension.

Top Breaches Reported in the Last 24 Hours

Investment platform breached
Zacks Investment Research disclosed a data breach that may have affected the personal information of 820,000 customers. The unauthorized access to customer records occurred between November 2021 and August 2022. The exposed customer data may include names, addresses, phone numbers, email addresses, and passwords used for Zacks.com.

FCEB agencies targeted using RMM tools
The CISA, the NSA, and MS-ISAC released a joint advisory warning of attacks on U.S. federal agencies using legitimate remote monitoring and management (RMM) software. The CISA discovered malicious activity within the networks of multiple FCEB agencies using the EINSTEIN intrusion detection system in mid-October 2022. The attackers have been sending help desk-themed phishing emails to federal employees' government and personal email addresses since at least mid-June 2022.

WordPress sites hacked for ad fraud
A large-scale attack campaign believed to be active since 2017 has infected over 4,500 WordPress websites. The infections involve the injection of obfuscated JavaScript code hosted on a malicious domain named "track[.]violetlovelines[.]com". When users land on these infected sites, a redirect chain is triggered by means of a traffic direction system to take the victims to pages serving malicious or unwanted ads.
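As a defender's aid for the WordPress item above, here is an added example (not code from Cyware or from the researchers who reported the campaign) that scans page or theme output for script injects. It flags external scripts loaded from the indicator domain named in the report and inline scripts that show common obfuscation markers. The sample page, the script path under that domain, and the marker list are constructed for the example and are assumptions, not observed artefacts.

```python
import re

# Indicator from the report, defanged in the write-up; un-defanged here for matching.
IOC_DOMAINS = {"track[.]violetlovelines[.]com".replace("[.]", ".")}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Calls that legitimate theme/plugin code rarely needs but packed injects lean on (assumed heuristic).
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "String.fromCharCode", "document.write(")
ESCAPED_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")

# Constructed sample page: one legitimate local script, one loader from the indicator
# domain (path invented), one packed inline script, and one benign inline script.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script type="text/javascript" src="https://track.violetlovelines.com/dir/loader.js"></script>
</head><body>
<script>eval(String.fromCharCode(118,97,114,32,97,61,49));</script>
<script>document.getElementById('x').textContent = 'hello';</script>
</body></html>"""


def host_of(url):
    """Return the lower-cased host of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else None


def analyse_script(attrs, body):
    """Return a list of human-readable findings for one <script> element."""
    findings = []
    src = SRC_ATTR.search(attrs)
    if src:
        host = host_of(src.group(1))
        if host in IOC_DOMAINS:
            findings.append(f"external script from known indicator {host}")
    inline = body.strip()
    if inline:
        markers = [m for m in OBFUSCATION_MARKERS if m in inline]
        if markers:
            findings.append("obfuscation markers: " + ", ".join(markers))
        if ESCAPED_RUN.search(inline):
            findings.append("long run of escaped characters in inline script")
    return findings


def find_script_injects(html):
    """Scan raw HTML and return suspicious <script> elements with their byte offset."""
    results = []
    for m in SCRIPT_TAG.finditer(html):
        findings = analyse_script(m.group(1), m.group(2))
        if findings:
            results.append({"offset": m.start(), "findings": findings})
    return results


if __name__ == "__main__":
    for hit in find_script_injects(SAMPLE_PAGE):
        print(hit["offset"], "; ".join(hit["findings"]))
```

Run it over the rendered HTML of each page (or over theme and plugin files after decoding) rather than only the database, since injects in this class of campaign are commonly written into theme files as well as post content.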

Clinic hit by tracking pixel breach
The Wisconsin-based BayCare Clinic notified the U.S. Department of Health and Human Services of a privacy breach affecting 134,000 of its patients. The breach was caused by the use of online tracking technology by a third-party firm that provided its electronic medical record system.

Top Malware Reported in the Last 24 Hours

New Python-based malware threat
PY#RATION, a new Python-based RAT, was discovered in an attack campaign that has been active since at least August 2022. The malware, which is under active development, comes with a range of capabilities to gain control over compromised systems and avoid detection. One noteworthy feature is the use of WebSockets for both command-and-control (C2) communication and data exfiltration.
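Because the distinguishing trait of PY#RATION is WebSocket transport for both C2 and exfiltration, a proxy-log heuristic is a natural first detection. The following is an added example and not code from Cyware or the researchers: it parses a constructed proxy-log format, keeps only completed WebSocket upgrades (HTTP 101), and scores each session on a non-browser User-Agent, a bare-IP destination, and a large outbound byte count. The log format, the allowlist, the 10 MiB threshold, and the assumption that a Python-based implant presents a Python library User-Agent are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed proxy-log format (not from any real product): timestamp, client IP,
# destination host, HTTP status, bytes the client sent, session seconds, quoted User-Agent.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<status>\d{3}) '
    r'(?P<bytes_out>\d+) (?P<secs>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: an allowlisted browser session, a Python client pushing 50 MiB
# to a bare IP, a plain HTTP request, and a browser WebSocket to a bare IP.
SAMPLE_LOG = """\
2023-01-25T09:12:01Z 10.0.4.21 teams.microsoft.com 101 18230 3600 "Mozilla/5.0 (Windows NT 10.0) Chrome/109.0"
2023-01-25T09:14:44Z 10.0.4.37 203.0.113.55 101 52428800 7200 "Python/3.10 websockets/10.4"
2023-01-25T09:15:02Z 10.0.4.37 www.example.com 200 812 1 "Python/3.10 websockets/10.4"
2023-01-25T09:20:19Z 10.0.4.50 198.51.100.9 101 1048576 300 "Mozilla/5.0 (Windows NT 10.0) Chrome/109.0"
"""

WS_ALLOWLIST = {"teams.microsoft.com"}          # assumed: sanctioned WebSocket endpoints
BROWSER_UA = re.compile(r"Mozilla/")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXFIL_BYTES = 10 * 1024 * 1024                   # assumed threshold for outbound volume


@dataclass
class Alert:
    src: str
    dst: str
    reasons: list = field(default_factory=list)


def score_session(rec, allowlist=WS_ALLOWLIST, exfil_bytes=EXFIL_BYTES):
    """Return the reasons a parsed log record looks like WebSocket C2; empty if benign."""
    reasons = []
    if rec["status"] != "101":                   # only completed WebSocket upgrades
        return reasons
    if rec["dst"] in allowlist:
        return reasons
    if not BROWSER_UA.search(rec["ua"]):
        reasons.append(f"non-browser User-Agent on WebSocket upgrade: {rec['ua']}")
    if IP_LITERAL.match(rec["dst"]):
        reasons.append("WebSocket to bare IP address")
    if int(rec["bytes_out"]) >= exfil_bytes:
        reasons.append(f"{int(rec['bytes_out'])} bytes sent over the socket")
    return reasons


def flag_websocket_sessions(log_text):
    """Parse proxy-log text and return an Alert for every session with at least one reason."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                             # skip lines that do not fit the format
        rec = m.groupdict()
        reasons = score_session(rec)
        if reasons:
            alerts.append(Alert(rec["src"], rec["dst"], reasons))
    return alerts


if __name__ == "__main__":
    for a in flag_websocket_sessions(SAMPLE_LOG):
        print(a.src, "->", a.dst, "|", "; ".join(a.reasons))
```

Tune the allowlist and threshold to the environment; the User-Agent check is the weakest signal, since a malware author can set any string, so the byte-volume and bare-IP signals should carry more weight in any real rule.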

Kronos gains more capabilities
Researchers discovered new activity by the Kronos banking trojan in a campaign targeting Mexican financial institutions with a malicious Chrome extension. The malware contains a configuration file to identify the targeted websites within a browsing session. When users visit the targeted websites, the malware initiates a call to an external resource to inject a malicious JavaScript payload.

Malware campaigns use Google Ads
A threat actor tracked as DEV-0569 was found using Google Ads in ongoing malvertising campaigns to distribute RedLine Stealer, Gozi/Ursnif, Vidar, and potentially Cobalt Strike and ransomware payloads. The ads placed by the threat actors impersonate websites for popular software programs, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches six Chrome flaws
Google released a new update for the Chrome web browser that fixes six security vulnerabilities. These include two high-severity use-after-free issues, CVE-2023-0471 and CVE-2023-0472, affecting the WebTransport and WebRTC components. One of the medium-severity issues, CVE-2023-0473, is a type confusion in the ServiceWorker API. None of the patched vulnerabilities are known to have been exploited in the wild.

CryptoAPI bug remains unpatched
Akamai researchers reported that a spoofing vulnerability in CryptoAPI (CVE-2022-34689) remains unpatched across most Windows-powered data center systems and applications. The vulnerability can be exploited to make digitally signed malicious executables appear to come from trusted, legitimate sources.

Posted on: January 26, 2023