Cyware Daily Threat Intelligence, December 03, 2024
Daily Threat Briefing • Dec 3, 2024
Cybercriminals are repurposing Gafgyt malware in a surprising turn, shifting their sights from IoT devices to Docker Remote API servers. By exploiting misconfigurations, attackers deploy malicious containers to build a botnet primed for DDoS attacks. Industrial infrastructure is under duress as mySCADA myPRO vulnerabilities open doors to remote exploitation. With five critical flaws uncovered, attackers could gain full control of systems, highlighting the urgent need for timely patches to secure operations. Kimsuky’s phishing tactics have taken a deceptive twist, now cloaking its attacks as Russian senders. From fake cloud storage alerts to compromised university servers, the group continues to evolve its credential-stealing campaigns with alarming precision.
Gafgyt targets Docker remote API servers
Threat actors are exploiting misconfigured Docker servers to spread the Gafgyt malware, which has traditionally targeted IoT devices; its use against Docker Remote API servers marks a change in behavior. The attackers look for publicly exposed, misconfigured Docker Remote API servers and deploy Gafgyt by creating a Docker container from the legitimate “alpine” Docker image. Once the container is running, the Gafgyt botnet malware infects the host and enables the attacker to carry out DDoS attacks.
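The misconfiguration abused here is a Docker daemon whose Remote API listens on a public TCP port without client authentication. As an added defender-side example (not part of the briefing or of any vendor tooling), the script below audits a daemon.json document for that weakness and shows a hardened configuration beside the exposed one; the sample configurations and file paths are constructed for illustration.

```python
import json

# Constructed sample: the daemon exposes the Remote API on every interface,
# in plain TCP, with no client-certificate requirement.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the same daemon bound to one internal interface,
# speaking TLS and requiring client certificates signed by a private CA.
# The certificate paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_ADDRS = ("0.0.0.0", "", "[::]", "::")


def audit_daemon_config(raw):
    """Return a list of findings for a daemon.json document.

    Flags each tcp:// listener that is reachable from every interface, and
    every tcp:// listener when "tlsverify" is not enabled (Docker then
    accepts any client, which is the condition the Gafgyt campaign abuses).
    """
    cfg = json.loads(raw)
    findings = []
    tls_required = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        endpoint = host[len("tcp://"):]
        addr = endpoint.rsplit(":", 1)[0]  # strip the port, keep [::] intact
        if addr in WILDCARD_ADDRS:
            findings.append(f"{host}: listens on all interfaces")
        if not tls_required:
            findings.append(f"{host}: no client certificate required (tlsverify unset)")
    return findings


if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

Run it against /etc/docker/daemon.json on a host; an empty result does not cover listeners added on the dockerd command line with -H, so check the running process arguments as well.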
RevC2 and Venom Loader - new malware families
ThreatLabz discovered two new malware families, RevC2 and Venom Loader, active from August to October 2024. These are part of campaigns using the MaaS platform from a threat actor named Venom Spider. The campaigns employed tools like VenomLNK to deliver malware through phishing. RevC2 communicates with its command server using WebSockets and can steal cookies and passwords, execute commands, take screenshots, and proxy traffic. The second campaign introduced Venom Loader, which set up a JavaScript backdoor called More_eggs lite. This backdoor executes remote commands and uses unique encoding for each victim.
Active exploitation of WebVPN bug in ASA software
Cisco Systems has updated its security advisory for CVE-2014-2120, a vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software. This issue, first reported in 2014, allows remote attackers to perform XSS attacks on WebVPN users. The advisory highlights that there is active exploitation of this vulnerability, which stems from inadequate input validation, enabling attackers to create harmful links that can execute scripts in victims' browsers. CISA added this flaw to its KEV Catalog, emphasizing its urgency.
Critical flaws in mySCADA’s myPRO
The mySCADA myPRO software has been found to contain critical security vulnerabilities that could allow remote attackers to gain unauthorized access to, and control over, industrial infrastructure. The vulnerabilities are tracked as CVE-2024-47407, CVE-2024-52034, CVE-2024-45369, CVE-2024-47138, and CVE-2024-50054. CISA has issued an advisory, and mySCADA has released updates to address the vulnerabilities.
Kimsuky linked to a series of phishing attacks
The North Korea-aligned group Kimsuky has been linked to a series of phishing attacks aimed at stealing credentials. These attacks started with emails from Japan and Korea but shifted in mid-September to disguise themselves as Russian senders. They used the VK Mail[.]ru service and its various alias domains. Kimsuky impersonated financial institutions and internet services like Naver, targeting users with fake alerts about their MYBOX cloud storage accounts. These phishing emails were sent through a compromised server at Evangelia University using a PHP mailer called Star.