Daily Threat Intelligence – May 22 – 2023
Fake sites, fake app, real malware! A threat actor group has been found infecting would-be users of a popular video editing tool with several different info-stealers. The attackers lure users to fake download websites for the tool, which they promote using black-hat SEO techniques. In other news, FIN7 is back with a new campaign that encrypts systems with the Cl0p ransomware. The group is infamous for targeting restaurants, gambling firms, and the healthcare sector in the U.S. and extracting financial information from their systems.
Over time, ransomware operators and their affiliates have shown a growing interest in acquiring privileged-level access in order to evade detection. The BlackCat ransomware operators made a similar effort: they were observed using a signed kernel driver during the defense evasion phase of an attack.
Top Breaches Reported in the Last 24 Hours
Ransomware attack hits satellite TV firm
Dish Network, an American television provider, fell victim to a ransomware attack that not only rendered its websites and applications inaccessible but also impacted over 296,000 customers. While there is no evidence that criminals accessed customer databases, the stolen data does include employee-related records and personal information.
Business, customer, and employee data spilled
Houston-headquartered food distribution company Sysco Corporation disclosed a data breach, resulting from a recent cyberattack, that affected sensitive business records and the personal data of nearly 126,000 individuals. Victims include the food distributor’s current and former employees, whose names, SSNs, account numbers, and other information provided for payroll purposes might have been exposed.
Top Malware Reported in the Last 24 Hours
Fake editor tool carries multiple malware
Cybercriminals are distributing a fake version of CapCut, ByteDance’s official video editor tool, to infect users with different malware. In most cases they rely on SEO poisoning, search ads, and social media posts to promote the tool through malicious websites they have created. One campaign delivers a copy of the Offx Stealer, while another was found dropping Redline Stealer and a .NET executable via a file named CapCut_Pro_Edit_Video.rar.
FIN7 adopts Cl0p ransomware
Security experts at Microsoft warned of a barrage of attacks by the financially motivated cybercriminal group FIN7 (which Microsoft tracks as Sangria Tempest) attempting to infect victims with the Cl0p ransomware. The attackers use the POWERTRASH PowerShell script to deploy the Lizar post-exploitation tool, which allows them to establish a foothold within a victim’s network. The first instance was observed last month.
BlackCat abuses signed kernel driver
Analyzing a BlackCat ransomware incident from February 2023, Trend Micro revealed that the criminal group is using a signed kernel driver for evasion. The driver was used in conjunction with a separate user-mode client executable, with the intention of manipulating, pausing, and terminating specific security-related processes on the targeted endpoints.
Top Vulnerabilities Reported in the Last 24 Hours
Flaw abused in buggy Samsung smartphones
Samsung and CISA cautioned users of Samsung smartphones about a recently patched security bug that impacts certain Android 11, 12, and 13 devices. The bug, tracked as CVE-2023-21492, is a kernel pointer exposure issue related to log files that enables a privileged local attacker to bypass Android ASLR protection. Google’s TAG suggests that the bug has likely been abused by a commercial spyware vendor.
Fingerprint brute-force attacks on Android
Security researchers with Tencent Labs and Zhejiang University uncovered a new attack method, dubbed BrutePrint, that breaches the security of Android smartphones. It relies on brute-force techniques to bypass fingerprint authentication on modern smartphones by submitting an unlimited number of fingerprint images, enabling complete device takeover. The researchers experimented with Android, iOS, and HarmonyOS-based smartphones; however, only Android phones were found to be susceptible.