
Cyware Daily Threat Intelligence, March 31, 2022

Amidst the ongoing geopolitical tension between Russia and Ukraine, researchers have revealed that threat actors from China, Iran, North Korea, and Russia are capitalizing on the situation to launch phishing and malware attacks against Eastern European and NATO countries. In separate news, the Hive ransomware gang has polished its obfuscation technique that involves the use of IPv4 addresses.

Meanwhile, a new unpatched Spring4Shell vulnerability in Java Spring Framework has raised security concerns among organizations. The flaw appears to be a bypass for an old security issue in the framework. Additionally, QNAP has issued an advisory about an infinite loop vulnerability that affects specific versions of its NAS devices.

Top Breaches Reported in the Last 24 Hours


LEHB discloses a ransomware attack
Law Enforcement Health Benefits (LEHB) has disclosed a ransomware attack that occurred last year. According to the organization, attackers encrypted its files on September 14, 2021. The affected files included the personal information of more than 85,000 users.

Hive targets PHC
The Hive ransomware gang has claimed to have stolen 850,000 PII records from Partnership HealthPlan of California (PHC). The stolen data includes names, social security numbers, and addresses of users. Around 400 GB of files stolen from the healthcare organization’s server have been posted on Hive’s dark web leak site.

Top Malware Reported in the Last 24 Hours


Hive ransomware upgraded
The Hive ransomware gang is using a new IPfuscation tactic to hide its payload. The threat actors hide a 64-bit Windows executable inside a list of IPv4 addresses; once reconstructed and run, it leads to the download of a Cobalt Strike Beacon. Researchers also found variants that use IPv6 addresses, UUIDs, and MAC addresses instead of IPv4 addresses to obfuscate the executables.
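One way a defender can check strings pulled from a suspicious sample for this trick, written here as an added example (not the gang's or the researchers' code): it decodes runs of the four address shapes named above back into bytes and tests whether the result carries a Windows PE header. The sample inputs are constructed, and the IPv6 pattern assumes the uncompressed address form.

```python
"""Detects IPfuscation-style payload hiding: a Windows executable carried as a
run of IPv4/IPv6 addresses, UUIDs or MAC addresses.  Added example, not the
gang's or the researchers' code; the sample inputs below are constructed."""
import ipaddress
import re
import uuid

# String shapes to look for (IPv6 only in uncompressed form, for brevity).
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ipv6": re.compile(r"\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b"),
    "uuid": re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b"),
    "mac": re.compile(r"\b(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}\b"),
}

def decode_token(kind, token):
    """Turn one address-like string back into the raw bytes it encodes."""
    if kind == "ipv4":
        return ipaddress.IPv4Address(token).packed  # 4 bytes
    if kind == "ipv6":
        return ipaddress.IPv6Address(token).packed  # 16 bytes
    if kind == "uuid":
        # Windows GUIDs store the first three fields little-endian (bytes_le).
        return uuid.UUID(token).bytes_le  # 16 bytes
    return bytes.fromhex(token.replace("-", ""))  # mac: 6 bytes

def decode_runs(text, min_tokens=8):
    """Decode each address kind seen at least min_tokens times -> {kind: bytes}.
    The threshold keeps a few genuine IPs in a config from being flagged."""
    found = {}
    for kind, pattern in PATTERNS.items():
        tokens = pattern.findall(text)
        if len(tokens) >= min_tokens:
            found[kind] = b"".join(decode_token(kind, t) for t in tokens)
    return found

def looks_like_pe(blob):
    """True if blob has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"

def scan(text):
    return {kind: looks_like_pe(blob) for kind, blob in decode_runs(text).items()}

# Constructed: a 68-byte minimal MZ/PE header spelled out as 17 IPv4 addresses.
SAMPLE_IPV4 = "77.90.0.0 " + "0.0.0.0 " * 14 + "64.0.0.0 80.69.0.0"
# Constructed benign text: two real-looking IPs, well below the threshold.
SAMPLE_BENIGN = "listen on 10.0.0.1 and forward to 192.168.1.5"
```

Running `scan()` over the output of a strings dump is enough to flag a dropper of this kind; lowering `min_tokens` trades false positives for sensitivity.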

New wave of Remcos RAT campaign
A new wave of the Remcos RAT campaign, themed around payment remittances, has been observed by researchers. The emails appear to come from financial institutions and carry a malicious Excel file that starts the infection chain.

Lazarus’ trojanized application
A trojanized DeFi application associated with the Lazarus APT was used to deliver a backdoor. While it is still unclear how the threat actor tricked the victim into executing the trojanized application, researchers suspect that the actor either sent a spear-phishing email or contacted the victim through social media.

Top Vulnerabilities Reported in the Last 24 Hours


New Spring4Shell flaw
A zero-day RCE vulnerability affecting the Spring Core Java Framework has been disclosed by researchers. Called Spring4Shell, the flaw can be exploited to execute arbitrary code on the targeted system. While the vendor has yet to release a patch, a PoC exploit has been released by a Chinese security researcher. The flaw impacts Spring Core on JDK versions 9 and later.

QNAP warns about a flaw
QNAP warns that some of its NAS devices are affected by an infinite loop vulnerability in the OpenSSL cryptographic library. Tracked as CVE-2022-0778, the flaw is triggered when parsing security certificates and can cause a denial-of-service condition or remotely crash unpatched devices. To date, there is no evidence that the vulnerability has been exploited in the wild.

Google releases Chrome 100
Google has released Chrome 100, which includes patches for 28 new vulnerabilities. Nine of these flaws are rated critical. They are tracked as CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1132, CVE-2022-1133, and CVE-2022-1134.

Vulnerabilities in ImpressCMS
Vulnerabilities in ImpressCMS could allow attackers to bypass the software’s SQL injection protections and achieve remote code execution on targeted systems. One of these flaws is tracked as CVE-2021-265599 and has been patched in the latest version of the CMS. The other flaw is an access control issue.

Top Scams Reported in the Last 24 Hours


Phishing through Calendly
Towards the end of February, researchers detected a credential harvesting operation that abused Calendly. The attack used hijacked email accounts to send messages with the subject line ‘new documents received.’ Once the recipients clicked on the ‘VIEW DOCUMENTS’ button, they were redirected to an invitation on a fake Calendly site controlled by the threat actors.

New Threat in Spotlight


Geopolitical tension-related threats
Google researchers revealed that threat actors from China, Iran, North Korea, and Russia are capitalizing on the latest geopolitical conflict to launch phishing and malware attacks against Eastern European and NATO countries. They are sending emails with Ukraine war-related themes to lure users into clicking malicious links. In one such incident, the attackers impersonated military personnel to extort money, claiming it was needed to rescue relatives in Ukraine.



Posted on: March 31, 2022

