SonicWall SMA appliance users face a new threat in the form of a custom malware implant, and not a generic one, according to Mandiant. The threat actors show a deep understanding of how the appliance works, and they may have gained initial access by exploiting a known vulnerability. Heard of "Hadoken Security"? The developers of the Xenomorph trojan have equipped their malware with a new Automated Transfer System (ATS) framework and may be offering it under a Malware-as-a-Service (MaaS) program. The malware can now target more than 400 banks, up from 56 European banks in its previous version.
Plus, a new entrant to the Linux line of ransomware threats: organizations in the media and entertainment sector are being targeted by IceFire ransomware, which now has a Linux variant. The operators gained access by abusing a deserialization vulnerability in IBM's Aspera Faspex file-sharing software.
Top Breaches Reported in the Last 24 Hours
One million impacted at CHS
About one million individuals, including employees, of Community Health Systems (CHS) have been affected by a breach stemming from the Fortra GoAnywhere MFT zero-day exploit. Beyond basic personal data, the exposed information includes SSNs, medical billing and insurance information, and certain medical information such as diagnoses and medications. The Tennessee-based multistate hospital chain will begin notifying affected individuals from mid-March.
Canadian defense contractor targeted
Black & McDonald, the engineering giant and parent company of Canadian Base Operators, suffered a ransomware attack. The incident is highly sensitive because of the data the company holds, such as contracts with the Canadian Department of National Defence for facilities management and logistical support services. Defence Construction Canada, which also manages some of those contracts, said it was not affected.
Nine million AT&T users suffered breach
Cyber adversaries reportedly accessed the records of nine million customers of American telecommunications firm AT&T. The data belonged to its wireless customers and was obtained by compromising the network of an unnamed vendor. According to AT&T, its own systems were not compromised, and the exposed data was "several years old."
Top Malware Reported in the Last 24 Hours
Tumbling down a malware network
International law enforcement agencies disrupted the infrastructure behind the NetWire RAT. Croatian police detained the administrator of worldwiredlabs, the website used to sell the NetWire malware. Threat actors typically delivered the RAT through phishing campaigns; its capabilities included keylogging, password theft, and remote device takeover.
Chinese actors abuse SonicWall SMA
UNC4540, a suspected China-linked threat group, was observed deploying a custom backdoor on a SonicWall SMA appliance. The attackers show a thorough understanding of the appliance and use a set of malicious files to obtain privileged access. The malware can extract credentials, persist across firmware upgrades, and execute code remotely.
Xenomorph’s new version arrived
Cybersecurity researchers at ThreatFabric uncovered a new version of the Xenomorph Android malware. Reportedly, its developers have added new capabilities, such as an ATS framework and the ability to abuse Accessibility Services permissions, for targeting over 400 banking services. They may also be planning to distribute Xenomorph as a MaaS offering.
Linux version of IceFire
Media and entertainment organizations worldwide are under attack by a threat actor using the Linux version of the IceFire ransomware. SentinelLabs, which first reported the activity, found that the operators abused a deserialization vulnerability in IBM Aspera Faspex file-sharing software, tracked as CVE-2022-47986, to gain access. The Windows version is known to spread via phishing messages.
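The IceFire item above hinges on an insecure deserialization flaw. To show what that class of bug looks like in practice, here is an added illustration written for this briefing; it is not IBM's Faspex code, SentinelLabs' analysis, or any actual exploit, and it does not reproduce CVE-2022-47986. Ruby is used because Aspera Faspex is a Ruby on Rails application, and the `UploadJob` class, the `HOSTILE_YAML` document, and the `unsafe_parse`/`safe_parse` helpers are all constructed for the example. It contrasts full YAML deserialization, which instantiates whatever class the input names, with `YAML.safe_load`, which refuses anything but plain data.

```ruby
# Added illustration (not IBM's, SentinelLabs', or IceFire's code): why
# deserialising attacker-controlled YAML is dangerous in Ruby, and the
# hardened alternative.
require 'yaml'

# Constructed stand-in for any application object. In a real gadget chain an
# attacker picks a class whose construction or later method calls have side
# effects; here we only need to observe that an object was instantiated.
class UploadJob
  attr_accessor :path
end

# Constructed sample: a YAML body an attacker could submit in a request.
# The !ruby/object tag asks the parser to build an arbitrary class and set
# its instance variables from the document.
HOSTILE_YAML = <<~YAML
  --- !ruby/object:UploadJob
  path: "/etc/passwd"
YAML

# Vulnerable pattern: full deserialisation honours the !ruby/object tag.
# Psych 4 (Ruby 3.1+) renamed this behaviour to unsafe_load; older Psych
# exposes it as load. Use whichever the running Ruby provides.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load only builds scalars, arrays and hashes and
# raises Psych::DisallowedClass for any other tagged type.
def safe_parse(doc)
  YAML.safe_load(doc)
end

# Feed the same hostile document to both parsers and report what happened.
def compare
  unsafe = unsafe_parse(HOSTILE_YAML)
  safe = begin
    safe_parse(HOSTILE_YAML)
    :accepted
  rescue Psych::DisallowedClass
    :rejected
  end
  { unsafe: unsafe.class.name, safe: safe }
end

if __FILE__ == $PROGRAM_NAME
  p compare   # {:unsafe=>"UploadJob", :safe=>:rejected}
end
```

The practical check is simple: grep the code base for `YAML.load`, `YAML.unsafe_load`, `Marshal.load`, and `Oj.load` applied to request data, and replace them with `YAML.safe_load` (adding `permitted_classes:` only for types you deliberately accept).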
Top Vulnerabilities Reported in the Last 24 Hours
High-severity bug in routers
Cisco addressed a high-severity DoS vulnerability in the IOS XR software for ASR 9000, ASR 9902, and ASR 9903 series enterprise routers. The bug, tracked as CVE-2023-20049, lies in the Bidirectional Forwarding Detection (BFD) hardware offload feature and affects devices only when that feature is enabled. An unauthenticated remote attacker can trigger it by sending crafted BFD packets to an affected device, causing a line card to reset.
Posted on: March 10, 2023