Go to listing page

Cyware Daily Threat Intelligence, March 13, 2023

Cyware Daily Threat Intelligence, March 13, 2023

Share Blog Post

Hackers are once again abusing the Google Ads platform to target users searching for popular software products. Of late, threat actors behind BATLOADER surfaced to impersonate trending apps and services, such as ChatGPT, Spotify, and Zoom, to deploy Vidar Stealer and Ursnif payloads. Meanwhile, government and military entities in Southeast Asian countries face a heightened threat from Dark Pink. Adversaries use two custom malware—TelePowerBot and KamiKakaBot—in their attacks. The former can pilfer information from Edge, Chrome, and Firefox web browsers.

Hackers brought a three-year-old bug back into business, compelling the CISA to issue a red alert in their name and on behalf of the bug. Tracked as CVE-2020-5741, the vulnerability lies in the Plex Media Server and can be exploited in low-complexity attacks.

Top Breaches Reported in the Last 24 Hours

Hackers infiltrate mental health provider
Confidential records of about 3.18 million individuals at Cerebral, an online mental health service, were exposed to advertisers and social media giants like Facebook, Google, and TikTok. The affected data include personal detail (names, phone numbers, email addresses, dates of birth), as well as data collected during Cerebral’s online mental health self-assessments.

Higher education platform laid bare database
PeopleGrove, a social platform for higher education institutions and alumni networks, inadvertently blurted out users’ personal information, resumes, and university ratings through its unprotected internal database. The database contained gigabytes of data without any security password. The company, formerly CampusKudos, has over 20 million users, as per the claim.

Top Malware Reported in the Last 24 Hours

A malware trio by North Korean hackers
Mandiant uncovered an attack campaign, allegedly by a North Korean hacking group with ties to Lazarus, targeting security researchers and media organizations in the U.S. and Europe. Criminals deploy three never-before-seen malware: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. The campaign has been active since at least June 2022 and uses job lures against security researchers and media firms.

BATLOADER bats no eye
BATLOADER, the notorious malware loader, was seen exploiting Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. In their ads, attackers fake legitimate apps and services such as Adobe, Tableau, ChatGPT, Spotify, and Zoom. Other samples of BATLOADER display enhanced capability to establish persistence inside compromised networks.

Custom tools by Dark Pink APT
Cybercriminals, purportedly of Asia-Pacific origin, have launched attacks aimed at government and military organizations in Southeast Asian countries. According to EclecticIQ, Dark Pink APT is behind the campaign and attempts to cripple systems via a pair of custom malware - TelePowerBot and KamiKakaBot. There are used to execute arbitrary commands and pilfer sensitive data from users.

Top Vulnerabilities Reported in the Last 24 Hours

CISA highlights an old bug in Plex
A nearly three-year-old sensitive RCE bug in the Plex Media Server was added to
the CISA’s KEV catalog. The bug, tagged CVE-2020-5741, can enable a threat actor to gain admin privileges to remotely run arbitrary Python code in a low-complexity attack scenario that doesn't require user interaction. 

Several flaws in Chinese product
Security experts at Claroty disclosed over a dozen security bugs in E11, a smart intercom product made by Akuvox, a Chinese firm. The bugs could allow an unauthenticated user to control the device's camera and microphone, steal media files, or even gain a foothold in devices. The most severe issues are CVE-2023-0344, CVE-2023-0345, CVE-2023-0352, and CVE-2023-0354, with a CVSS score of more than 9.0.


dark pink apt
kamikakabot malware
cve 2020 5741
vidar stealer
plex media servers

Posted on: March 13, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite