Go to listing page

Cyware Daily Threat Intelligence, May 20, 2022

Cyware Daily Threat Intelligence, May 20, 2022

Share Blog Post

After creating a national emergency in Costa Rica, Conti has taken its infrastructure offline, and rumors say it may not return. However, new malware activities are on the rise with Vidar infostealer being wrapped in fake portals for downloading legitimate software. Also, Microsoft observed a 254% spike in XorDdos activity that targets SSH servers.

Cyber threats are closing in from all sides and mobile devices are yet another avenue for intrusions. Lately, a cybercriminal was found distributing packaged Chrome and Android zero-days to threat actors globally who use those in their campaigns.

Top Breaches Reported in the Last 24 Hours

Customer data at Nikkei at stake
A server at Nikkei Group Asia, an overseas subsidiary of Nikkei Inc. based in Singapore, was compromised in a ransomware attack. Unauthorized access to the server was first detected and reported on May 13. The server supposedly stored some customer data, however, the exact impact of the attack is yet to be determined.

Top Malware Reported in the Last 24 Hours 

Conti shuts down
The notorious Conti ransomware group has been dissolved. According to sources, the Conti members could be joining other smaller ransomware operations. Researchers say that this is a common technique for ransomware gangs to disappear after a major attack to avoid sanctions and scrutiny by law enforcement agencies. Conti recently threatened to topple the new Costa Rican government after compromising several of its networks.

Vidar infostealer campaign 
Threat actors are dropping Vidar information stealer on victims’ devices by creating fake portals for downloading Microsoft Windows 11. These portals were created to distribute malicious ISO files that lead to the infostealer infection. Hackers are also abusing backdoored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to deliver the malware.

Warning against XorDdos
Microsoft 365 Defender Research Team warned against a Linux botnet malware, dubbed XorDdos, which has observed a 254% surge in activity over the last six months. Besides being compiled for ARM, x86, and x64 architectures, the payload is designed to support different Linux distributions. XorDdos uses evasion and persistence mechanisms to remain stealthy and functional throughout an operation.

Top Vulnerabilities Reported in the Last 24 Hours 

RCE flaw in Flux2
According to a GitHub advisory,  a critical RCE flaw in Flux2, the continuous delivery tool for Kubernetes, can allow a third party in multi-tenancy deployments to impact ‘neighbors’ using the same off-premise infrastructure. The flaw arises through improper validation of kubeconfig files, which the third party can abuse to execute arbitrary code inside the controller’s container.

Five Zero-Days in Chrome and Android
Google's TAG has reported that a threat actor is developing exploits for five zero-days; four in Chrome and one in Android, to infect Android users. The adversary, as believed to be the case, is packaging and selling the exploits to different government-backed criminal groups across countries. Those groups were spotted weaponizing the bugs in at least three different campaigns.

Emergency Windows update
Microsoft has rolled out emergency out-of-band (OOB) updates to address Active Directory authentication issues after installing Windows Updates issued during its May 2022 Patch Tuesday on domain controllers. The previous update was causing authentication failures across several systems.

New threat in Spotlight

Exposed Kubernetes API servers
The Shadowserver Foundation discovered more than 380,000 Kubernetes API servers exposed to the public internet. This may pose a significant security risk given that attackers have been increasingly targeting Kubernetes cloud clusters, or leveraging those to launch attacks against cloud services. Nearly 53% of the exposed servers were found in the U.S.


vidar infostealer
conti ransomware group
out of band patch
nikkei inc
xorddos botnet
kubernetes api server
zero days

Posted on: May 20, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite