Go to listing page

Cyware Daily Threat Intelligence, March 18, 2022

Cyware Daily Threat Intelligence, March 18, 2022

Share Blog Post

Well, threat actors have shown that they can have their cake and eat it too. The LightBasin threat actor is using a new Unix rootkit—Caketap—against servers running Oracle Solaris. As the Russia-Ukraine war continues to the third week, cybercriminals are getting more debauched. They are trying to steal cryptocurrency by impersonating legitimate aid for Ukrainian citizens.

Following an attack on the KA-SAT network of Viasat, federal agencies released an advisory warning of possible threats to satellite communications. As communications are now more intricate and crucial than ever, the defenses need to be stronger than adversaries. 

Top Breaches Reported in the Last 24 Hours

Phishers solicit crypto
Cybercriminals are exploiting the Russia-Ukraine conflict to steal financial donations meant for Ukrainian inhabitants. Most are mimicking legitimate aid organizations, while some even impersonated Aronov Maxim, a doctor at Smile Children’s Hospital. The phishing emails are sent with subject lines such as “Help save the children in Ukraine,” “Help - Bitcoin,” and “Ukraine Donations.”

Potential threats to SATCOM
The CISA and the FBI stated that satellite communications (SATCOM) across the world are at the risk of cyberattacks. The security advisory warned U.S. critical infrastructure organizations of the same following several network breaches. The federal agencies have recommended SATCOM network providers add additional egress and ingress monitoring to identify anomalous traffic. 

Top Malware Reported in the Last 24 Hours

Cyclops Blink targets Asus routers
A new strain of the Cyclops Blink malware has been targeting multiple Asus router models. This botnet is written in the C programming language and is deployed by the Russian-based Sandworm APT. Researchers surmise that the malware’s primary motive is to build an infrastructure for attacks on high-value targets. 

Unix rootkit steals ATM data
The financially-motivated LightBasin group is using a new Unix rootkit to exfiltrate ATM banking data and perform banking fraud. Dubbed Caketap, the Unix kernel module is deployed on servers running the Oracle Solaris OS. Caketap can hide network files, processes, and connections, and install hooks into system functions for remote commands and configurations. 

Pro-Ukraine protestware on GitHub
Several open-source protestware projects on GitHub were discovered pushing geo-targeting malware and anti-war ads. Recently, a new element was added to the JavaScript framework vue-cli, which would erase all files from any systems visiting from Belarusian or Russian internet addresses. Ukrainian and non-Ukrainian developers are altering their public software to trigger malware when deployed on Russian systems.  

Top Vulnerabilities Reported in the Last 24 Hours

TAG identifies IAB for Conti
Google’s TAG team identified a new Initial Access Broker (IAB) that is affiliated with the Russian-based Conti ransomware group. Named Exotic Lily, the threat actor is abusing a critical flaw—CVE-2021-40444—in the Microsoft Windows MSHTML platform. This is a part of a broader phishing campaign that has sent around 5,000 business proposal-themed emails per day to more than 600 firms, across the world. 

Top Scams Reported in the Last 24 Hours

SMS phishing scam
The Singapore Police warned against SMS phishing scams deceiving unsuspecting users by luring them to a fake Singpass website. The messages are sent from unknown numbers, informing recipients that their Singpass accounts have expired and they need to click on an embedded link to reactivate the accounts.


cryptocurrency stealer
satcom service
sms phishing campaign
russia ukraine conflict
exotic lily
asus routers

Posted on: March 18, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite