Daily Threat Intelligence – April 07 – 2023

b067 shutterstock 2272912697

Of late, security researchers stumbled across a group of English-speaking European teenagers who are offering services such as malware-as-a-subscription, hacking for hire, and more under the moniker FusionCore. They have reportedly tools in their arsenal after Greek and Roman mythology. Meanwhile, an unnamed campaign that has been exploiting millions of vulnerable WordPress websites since 2017 finally gets a name – Balada Injector. Researchers claim to have assorted over 100 signatures for both front-end and back-end variations of the malware injected into server files and WordPress databases.

Meet BEC 3.0! Researchers at Avanan have observed a leap in evolving phishing tactics wherein adversaries are registering free accounts on genuine services and using email addresses from trusted domains that will most likely go undetected.

Top Breaches Reported in the Last 24 Hours


Online university suffers breach
A cyberattack on the Open University of Cyprus (OUC), Cyprus, has caused severe disruptions to the organization’s operations. The Medusa ransomware group has claimed responsibility for the attack and has given the institute 14 days to revert with the ransom demand of $100,000. It is also offering data to any interested party for the same price.

Cl0p leaks data of students and parents
The state government of Tasmania confirmed that hackers leaked 16,000 documents belonging to its education department on the dark web. These documents included personal information of school children, as well as financial statements and invoices containing the names and addresses of both students and their parents. The Cl0p ransomware is behind the leak as the institute fell victim to a third-party breach involving Fortra GoAnywhere MFT. 

Top Malware Reported in the Last 24 Hours


FusionCore – emerging MaaS service
Active since November, FusionCore acts as a one-stop-shop for cybercriminals; it offers services such as malware-as-a-subscription, hacking for hire, and ransomware. It has rolled out a ransomware affiliate program as well called AnthraXXXLocker. Typhon Reborn is one example of the group’s proprietary malware.

Balada Injector campaigns
Sucuri uncovered details about a massive WordPress infection campaign, Balada Injector, that is active since 2017. The attackers are known to leverage all known and recently discovered theme and plugin vulnerabilities. The campaign has several distinctive features, such as frequent utilization of String.fromCharCode obfuscation, newly created domain names to host malicious scripts on arbitrary subdomains, multiple redirections to fraudulent websites, and more.

Top Vulnerabilities Reported in the Last 24 Hours


Wi-Fi chips allow snooping
A bug in Qualcomm and HiSilicon chips was found exposing at least 55 Wi-Fi router models to cyberattacks. The flaw, tracked as CVE-2022-25667, lies in the network processing units (NPUs) of the chips that prevent the devices from blocking bogus Internet Control Message Protocol (ICMP) messages. The bug allows an attacker to intercept and snoop on the traffic of another device connected to the same Wi-Fi network.

Cisco fixes multiple bugs across products
Cisco has addressed multiple vulnerabilities across its product chain, including high-severity issues impacting its Secure Network Analytics and Identity Services Engine products. A remote attacker could abuse CVE-2023-20102 to send specially crafted HTTP requests for arbitrary code execution. CVE-2023-20122, CVE-2023-20121, CVE-2022-20812, CVE-2023-20117, and CVE-2023-20128 were among the other flaws it patched this week.

A buggy IoT platform
A vulnerability in ThingsBoard, an open source IoT platform, enabled attackers to escalate their privileges on a server and send requests as an admin. IBM Security X-Force researchers found and reported the flaw, CVE-2023-26462. The vulnerability arises from the fact that the platform utilizes a static key to sign JSON Web Tokens (JWTs) given to clients. Attackers in possession of the key pose threats to the system.

Security issues affecting Sophos appliances
Sophos issued security updates resolving a number of vulnerabilities in Sophos Web Appliance. The updates include a high-severity issue, CVE-2023-1671, in the warning page handler of the appliance that could be exploited without authentication. Another bug, earmarked CVE-2022-4934, is a command injection flaw but requires authentication for successful exploitation.

Top Scams Reported in the Last 24 Hours


BEC 3.0 – scaling with phishing 
A new wave of phishing scams has emerged in the wild and experts have termed it as BEC 3.0. In one such campaign, scammers send rogue invoices from a legitimate Quickbooks domain, which means it will bypass all SPF checks, domain checks, and more. The campaign is highly tricky as there isn’t a newly created domain for scrutiny.

Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn