Go to listing page

Cyware Daily Threat Intelligence, March 03, 2023

Cyware Daily Threat Intelligence, March 03, 2023

Share Blog Post

The China-aligned threat actor Mustng Panda, known for using the PlugX trojan, has unveiled its own backdoor named MQsTTang. Unsure of the targets, researchers claim that the campaign is in line with the group's previous campaigns against European entities. The sale of stolen credentials is a popular business over the dark web and firms have to be over-cautious about it. Of late, a U.S. fast-food chain disclosed a network intrusion by cybercriminals who performed a credential stuffing attack to abuse users’ stored rewards balances and obtain other personal records.

Moving on! The CISA warned organizations in the public and private sectors of the attack attempts from the Royal ransomware group in a new advisory. Victims of the group usually face ransom demands ranging from about $1 million to $11 million in BTC.

Top Breaches Reported in the Last 24 Hours

Gun trading site exposes user data
GunAuction[.]com, a website for trading guns, was infiltrated by a cybercriminal group. Attackers may have extracted more than 565,000 users' sensitive personal information, according to TechCrunch. The impacted data include full names, phone numbers, residential addresses, email addresses, and plaintext passwords. The attack originally occurred in December 2022.

DDoS attack on Poland’s govt site
A DDoS attack has struck Poland’s tax service website, blocking people from accessing the tax filing services. Days ago, a pro-Russian hacker group that goes by the moniker NoName057(16) shared info about an impending attack on the website. Officials confirmed that no data has been leaked as a result of the attack. 

Months-long credential attack
Fast food chain Chick-fil-A revealed experiencing a months-long credential stuffing attack between December 18th, 2022, and February 12th, 2023. Criminals reportedly used stored rewards balances and accessed the personal data of the victims. The stolen accounts were also being offered to other adversaries for a price decided on the basis of the rewards account balance and linked payment methods.

Cyberattacks hits a pair of universities 
IT systems of two U.S. universities, namely Tennessee State University and Southeastern Louisiana University, were knocked offline in a cyberattack. More than 8,000 students at Tennessee State University were notified of the interruption caused by the ransomware incident, meanwhile, the other university didn’t confirm the nature of the attack.

One more fallout from GoAnywhere MFT breach
A cyberattack targeting Hatch Bank, a fintech banking platform, resulted in the exposure of the personal information of about 140,000 clients. Notably, the attack is only the aftermath of the zero-day exploit against Fortra GoAnywhere MFT secure file-sharing platform. Hatch Bank confirmed that customers' names and SSNs were stolen by the attackers. Cl0p ransomware is allegedly behind the attack.

Top Malware Reported in the Last 24 Hours

CISA warns against Royal ransomware
The CISA released a joint Cybersecurity Advisory (CSA) to provide organizations, TTPs, and IOCs associated with the human-operated Royal ransomware family. The ransomware has previously targeted numerous critical infrastructure sectors including, communications, manufacturing, healthcare and public healthcare (HPH), and education. Its ransom demand ranges from approximately $1 million to $11 million USD worth of Bitcoin.

MQsTTang backdoor by Mustang Panda
As part of an ongoing social engineering campaign, the China-aligned Mustang Panda threat group has been seen using a previously unknown custom backdoor dubbed MQsTTang. It’s unclear who the cybercriminals are targeting. A rare observation in the implant is the use of MQTT, an IoT messaging protocol, for C2 communications.

Top Vulnerabilities Reported in the Last 24 Hours

Sensitive flaw in Gitpod
Cloud security company Snyk uncovered a severe flaw in Gitpod, a well-known cloud development environment. The bug, CVE-2023-0957, is a cross-site WebSocket hijacking issue that would have allowed a cybercriminal to completely take over the account and remotely execute arbitrary code on targeted systems. Experts suggest implementing WebSocket connections with additional authentication.


ddos attack activities
mustang panda
royal ransomware
chick fil a
cisa advisory
cve 2023 0957
tennessee state university
mqsttang backdoor
hatch bank
southeastern louisiana university

Posted on: March 03, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite