September 22, 2023

Welcome to TheCyberThrone cybersecurity week in review, covering the important security happenings of the week. This review is for the week ending Saturday, April 8th, 2023.

1. Rorschach Ransomware Dissection

Researchers have spotted threat actors deploying a new ransomware strain, dubbed Rorschach, by abusing the Palo Alto Cortex XDR Dump Service Tool, a component of a commercial security product, to load it.

Unlike other ransomware cases, the threat actor did not hide behind any alias and appears to have no affiliation to any of the known ransomware groups. Those two facts, rarities in the ransomware ecosystem, piqued CPR’s interest and prompted a thorough analysis of the newly discovered malware. Rorschach is one of the fastest ransomware strains observed in terms of encryption speed, and it is highly customisable.

2. Rilide Malware Dissection

Researchers discovered a new malware strain dubbed Rilide that poses as a legitimate Google Drive browser extension to inject malicious scripts and steal cryptocurrency. The malware targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

Rilide is delivered as a malicious browser extension. Its standout capability is simulating dialogs: using forged dialogs, the malware lures users into disclosing their 2FA codes, after which it steals their cryptocurrency.


3. Spyware Vendors Exploiting Zero-Days Against Multiple Platforms

Researchers from Google’s Threat Analysis Group (TAG) detailed in a report how vendors of commercial spyware developed and used zero-day exploits against iOS and Android devices. The exploit chains also relied on known vulnerabilities to work, highlighting how important it is for both users and device manufacturers to speed up the adoption of security patches.

4. Bots Exploiting Cacti & Realtek Vulnerabilities

Researchers have spotted several malware botnets actively exploiting Cacti and Realtek flaws to distribute the ShellBot and Moobot malware in campaigns observed between January and March 2023. The vulnerabilities targeted are CVE-2021-35394, a critical remote code execution vulnerability in the Realtek Jungle SDK, and CVE-2022-46169, a critical injection vulnerability in the Cacti fault management and monitoring tool.

Moobot, a variant of Mirai, is currently targeting CVE-2021-35394 and CVE-2022-46169 to infect vulnerable hosts, then download a script containing its configuration and establish a connection with the C2 server. Later, the malware continues to send heartbeat messages until an incoming command is recognized to start the attack. New versions of Moobot are capable of scanning and killing processes of other known bots so that they can utilize the maximum hardware power of the infected host to launch DDoS attacks.
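The heartbeat behaviour described above is one of the few things in this item a defender can turn into a detection: a bot that checks in with its C2 server on a fixed cadence until a command arrives produces connection timing that is far more regular than human-driven traffic. The following script is an added example, not code from the original post or from any of the cited research; it runs over a small set of constructed connection records (the IP addresses, port, and timestamps are invented) and flags source/destination pairs whose inter-arrival times are clock-like. The thresholds (at least six connections, coefficient of variation at most 0.15) are assumptions chosen for the sample data and should be tuned against real traffic.

```python
"""Flag heartbeat-style C2 check-ins from connection timing.

Added example: groups connection records by (source, destination, port),
computes inter-arrival times per group, and reports groups whose cadence
is regular enough to look like a bot heartbeat rather than browsing.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real traffic):
# (timestamp in seconds, source IP, destination IP, destination port).
BASE_TS = 1_700_000_000
# One host checks in roughly every 60 seconds with a second or so of jitter.
HEARTBEAT_OFFSETS = [0, 60, 121, 180, 240, 300, 361, 420, 480, 540]
# The same host also browses a web server at irregular times.
BROWSING_OFFSETS = [0, 5, 7, 40, 41, 100, 130, 131, 135, 200]

SAMPLE_CONNECTIONS = (
    [(BASE_TS + o, "10.0.0.23", "203.0.113.5", 6667) for o in HEARTBEAT_OFFSETS]
    + [(BASE_TS + o, "10.0.0.23", "198.51.100.10", 443) for o in BROWSING_OFFSETS]
    # A second host touched the same destination only twice: too few to judge.
    + [(BASE_TS + 30, "10.0.0.50", "203.0.113.5", 6667),
       (BASE_TS + 95, "10.0.0.50", "203.0.113.5", 6667)]
)


def group_by_pair(records):
    """Group timestamps by (src, dst, dport), each list sorted in time order."""
    pairs = defaultdict(list)
    for ts, src, dst, dport in records:
        pairs[(src, dst, dport)].append(ts)
    return {key: sorted(ts_list) for key, ts_list in pairs.items()}


def beacon_score(timestamps):
    """Return (count, mean_interval, cv) for a time-sorted timestamp list.

    cv is the coefficient of variation (stdev / mean) of the inter-arrival
    times: a value near 0 means a clock-like cadence typical of a heartbeat,
    a large value means irregular, human-like activity. Groups with fewer
    than three connections have no meaningful cadence and get cv = inf.
    """
    if len(timestamps) < 3:
        return len(timestamps), 0.0, float("inf")
    intervals = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    avg = mean(intervals)
    if avg <= 0:
        return len(timestamps), 0.0, float("inf")
    return len(timestamps), avg, pstdev(intervals) / avg


def find_beacons(records, min_connections=6, max_cv=0.15):
    """Return the pairs whose connection cadence looks like a heartbeat.

    Thresholds are assumptions for the sample data, not published values.
    """
    hits = []
    for (src, dst, dport), ts_list in group_by_pair(records).items():
        count, avg, cv = beacon_score(ts_list)
        if count >= min_connections and cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "count": count,
                "mean_interval": round(avg, 1), "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(hit)
```

On the sample data only the 10.0.0.23 to 203.0.113.5:6667 pair is reported, with a mean interval of 60 seconds and a coefficient of variation near 0.01; the browsing traffic from the same host is far too irregular, and the two connections from 10.0.0.50 are too few to score. In production the same grouping would be fed from NetFlow or proxy logs, and a hit is a lead to enrich (destination reputation, process on the host, whether the cadence persists) rather than a verdict on its own.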



5. Winter Vivern exploits Zimbra Vulnerability

Researchers have spotted a phishing campaign by the Russian APT group tracked as Winter Vivern, TA473, and UAC-0114, exploiting a vulnerability in Zimbra Collaboration software to compromise the email accounts of government agencies in several European countries.

Winter Vivern’s mode of operation includes sending out phishing emails impersonating employees of the target organizations or of their parent organizations that have political ties to the government.


6. Cylance Ransomware Dissection

Researchers have spotted a new ransomware strain named Cylance Ransomware. Samples of the ransomware’s payload have already been collected after successful attacks were launched against unnamed victims.

Researchers revealed the existence of the Cylance strain this week, stating that it appears to target both Windows and Linux machines. Little is known about its TTPs because of its recent emergence.

This brings this week’s security review to an end. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter and Instagram.
