
Cyware Daily Threat Intelligence


Daily Threat Briefing Aug 7, 2023

From repurposing off-the-shelf tools to deploying custom-built payloads, malware authors regularly show how quickly they adapt to shifts in the security landscape. Cybersecurity experts have discovered that an open-source kernel module rootkit is being used in real-world attacks against Linux systems. It has been deployed by various threat groups, notably Chinese actors, and was found in attacks against Korean companies. Meanwhile, the Cl0p ransomware gang has switched to torrents for distributing stolen data, which increases the impact of each leak and complicates law enforcement efforts to shut down distribution, potentially escalating ransom pressure on victims.

What’s more, the SkidMap malware has been observed attacking poorly secured Redis server instances to deploy a dropper shell script disguised as a GIF image file. Also read about the new variant of STRRAT, which has been in distribution since March.

Top Breaches Reported in the Last 24 Hours

Education department breached

The Colorado Department of Higher Education (CDHE) disclosed a data breach impacting current and former students and teachers after a ransomware attack in June. The breach exposed names, Social Security numbers, student identification numbers, and other education records. The number of affected individuals has not been disclosed yet. No ransomware group has claimed responsibility for the attack thus far.

DDoS attack on Spanish entities

A well-known Spanish research institute fell victim to a weeks-long DDoS campaign, allegedly orchestrated by NoName057. The attacks impacted at least 72 websites, including those of banks, telecoms providers, media companies, and government ministries. Separately, the Spanish National Research Council was hit by a ransomware attack last month.

Top Malware Reported in the Last 24 Hours

Malicious packages target IT professionals

A malicious package disguised as the legitimate VMware vSphere connector module vConnector was uploaded to PyPI as 'VMConnect', specifically targeting IT professionals. The package was downloaded 237 times before being removed on August 1, 2023. Sonatype's investigation also revealed two more malicious packages, 'ethter' and 'quantiumbase', which mimicked the popular legitimate packages 'eth-tester' and 'databases', respectively.
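A defensive check for the lookalike pattern described above, written as an added example (not code from Cyware or Sonatype): requested PyPI names are normalized the way PyPI does and compared against an internal allowlist by edit distance. The allowlist and the requirement lines are constructed; the three names from the briefing show that two of them fall within a small edit distance of their targets while 'quantiumbase' does not, so distance alone cannot replace an allowlist.

```python
"""Flag requirement names that look like, but are not, allowlisted packages."""
import re

# Constructed allowlist of packages the organization actually depends on.
ALLOWLIST = {"vconnector", "eth-tester", "databases", "requests"}

# Constructed requirements: the three names from the briefing plus one legitimate pin.
REQUIREMENTS = ["VMConnect", "ethter", "quantiumbase", "requests==2.31.0"]


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_requirement(req: str, allowlist=ALLOWLIST) -> tuple:
    """Classify one requirement line as 'allowed', 'lookalike' or 'unknown'.

    A name is a lookalike when it is not allowlisted but its distance to the
    closest allowlisted name is at most 40% of the longer name's length.
    """
    name = normalize(re.split(r"[=<>!~;\[ ]", req, maxsplit=1)[0])
    if name in allowlist:
        return ("allowed", name)
    closest = min(allowlist, key=lambda legit: edit_distance(name, legit))
    dist = edit_distance(name, closest)
    if dist * 5 <= 2 * max(len(name), len(closest)):
        return ("lookalike", closest)
    return ("unknown", None)


def audit(requirements=REQUIREMENTS) -> dict:
    """Map each requirement line to its (verdict, closest allowlisted name)."""
    return {req: check_requirement(req) for req in requirements}


if __name__ == "__main__":
    for req, (verdict, closest) in audit().items():
        print(f"{req:20} {verdict:10} {closest or ''}")
```

Anything that is not 'allowed' should block the install until a human reviews it; the 'unknown' verdict exists precisely because a mimic such as 'quantiumbase' shares little spelling with 'databases'.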

Open-source rootkit targeting Linux systems

Reptile, an open-source kernel module rootkit designed to target Linux systems, was found on GitHub. Unlike typical rootkits, Reptile not only conceals its presence but also offers a reverse shell, granting threat actors control over compromised systems. The rootkit uses a technique called port knocking to establish connections with its C&C servers. It shares similarities with Syslogk, which is itself based on the Adore-Ng rootkit.

Cl0p adopts torrents for data leaks

The Cl0p ransomware gang, responsible for the MOVEit Transfer breaches, has changed its extortion tactics and is now using torrents to distribute the data stolen in those breaches. Previously, the group relied on Tor data leak sites, but that method was slow and easier to shut down. With torrents, the criminals expect faster transfer speeds, making each leak more impactful. Because torrents are decentralized, they are also much harder for law enforcement to take down.

STRRAT gets an upgrade

The Java-based RAT STRRAT has undergone significant evolution, including the integration of a Crimson ransomware module and the adoption of multiple infection chains. A new distribution technique that uses two string-obfuscation methods has been identified. The infection begins with a spam email carrying a malicious PDF attachment, which leads to the download of the STRRAT payload.

New threat lurks on vulnerable Redis servers

A highly sophisticated malware variant called SkidMap is targeting vulnerable Redis services on a wide range of Linux distributions, including Alibaba, Anolis, CentOS, and RedHat. First disclosed in September 2019 as a cryptocurrency mining botnet, SkidMap has evolved to adapt to the systems it infects: it adds SSH keys, disables SELinux, establishes a reverse shell, and downloads packages appropriate to the Linux distribution it lands on.

Top Vulnerabilities Reported in the Last 24 Hours

RCE bug in PaperCut NG/MF

PaperCut, a print management software vendor, recently fixed a critical security vulnerability, tracked as CVE-2023-39143, that could allow an unauthenticated user to remotely execute code on Windows servers. The flaw results from two path traversal weaknesses that let threat actors read, delete, and upload arbitrary files without user interaction. It affects only servers running a non-default configuration, although that configuration is enabled on most Windows PaperCut servers. PaperCut vulnerabilities have been actively exploited by ransomware gangs, including the Cl0p and LockBit groups.

Top Scams Reported in the Last 24 Hours

Scammers impersonate NFT developers

The FBI is warning about fraudsters posing as Non-Fungible Token (NFT) developers to deceive NFT enthusiasts and steal their cryptocurrency and NFT assets. These criminals gain unauthorized access to NFT developers’ social media accounts, or create fake accounts, to promote "exclusive" NFT releases, luring victims with misleading claims and a false sense of urgency.
