We use cookies to improve your experience. Do you accept?

Cyware Announces Healthcare TIP

Check it Out

Skip to main content

Cyware Daily Threat Intelligence, January 08, 2025

shutterstock 1709630365

Daily Threat Briefing Jan 8, 2025

The Gayfemboy botnet has emerged as a powerful tool in the Mirai-based arsenal, evolving with zero-day exploits targeting industrial routers and smart home devices. With around 15,000 active bot nodes daily, it uses vulnerabilities in industrial routers to launch high-intensity DDoS attacks exceeding 100 Gbps.

A cunning social engineering campaign in the Middle East sees fraudsters posing as government officials to exploit customer trust. Victims are lured into installing remote access software under the guise of resolving purchase complaints. Using tools like RedLine Stealer, the attackers steal credit card details and intercept OTPs.

CISA’s KEV catalog now includes critical flaws in Mitel MiCollab and Oracle WebLogic Server, highlighting active exploitation. The vulnerabilities like allow unauthorized access and remote code execution, urging federal agencies to update systems by January 28 to mitigate risks effectively.

Top Malware Reported in the Last 24 Hours

New Mirai botnet targets industrial routers

A new Mirai-based botnet, named Gayfemboy, has become more advanced, using zero-day exploits for security flaws in industrial routers and smart home devices. One notable vulnerability is CVE-2024-12856, found in Four-Faith industrial routers, with exploitation efforts spotted around December 20. It has about 15,000 active bot nodes daily, primarily in countries like China, the U.S., Russia, Turkey, and Iran. The botnet's main aim is to carry out distributed DDoS attacks for profit, with activity spiking in October and November 2024. The botnet leverages a mix of public and private exploits for over 20 vulnerabilities and is capable of high-intensity DDoS attacks exceeding 100 Gbps.

Fake refund schemes in Middle East

A sophisticated social engineering scheme is targeting customers in the Middle East, where fraudsters impersonate government officials to gain trust and use remote access software to steal credit card details. The victims are typically individuals who have lodged complaints with the government about unsatisfactory purchases. The fraudsters exploit this by posing as government representatives offering assistance with the complaints and then tricking victims into installing remote access software. Once the software is installed, the fraudsters steal credit card information and intercept OTPs to make fraudulent transactions. The scheme involves the use of RedLine Stealer malware to acquire victims' personal data. 

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds two critical flaws to KEV catalog

The CISA added three vulnerabilities affecting Mitel MiCollab and Oracle WebLogic Server to its KEV catalog, noting evidence of active exploitation. The vulnerabilities include CVE-2024-41713 (CVSS score: 9.1), allowing unauthorized access to Mitel MiCollab and CVE-2024-55550 (CVSS score: 4.4), enabling authenticated administrators to read local files. CVE-2020-2883 (CVSS score: 9.8) could be exploited by unauthenticated attackers on Oracle WebLogic Server. Federal agencies must apply necessary updates by January 28.

Google and Mozilla release updates

Google and Mozilla released new security updates for their browsers, addressing several high-risk vulnerabilities. Google launched a Chrome 131 update that fixes four security issues, including a severe type confusion flaw (CVE-2025-0291) in the V8 JavaScript engine. This flaw could allow attackers to execute code remotely. Mozilla patched 11 vulnerabilities in Firefox, including three high-severity flaws related to memory safety and an address bar spoofing issue for Android. 

Major bug in Illumina iSeq 100 DNA sequencers

The Illumina iSeq 100 DNA sequencing instrument has been found to have firmware security vulnerabilities, allowing potential attackers to brick the device or plant persistent malware. The outdated BIOS firmware lacks standard protections such as Secure Boot, making it susceptible to malicious firmware modifications. Illumina has released a fix after responsible disclosure.

Related Threat Briefings

Jan 7, 2025

Cyware Daily Threat Intelligence, January 07, 2025

PhishWP, a rogue WordPress plugin, is redefining payment fraud with its ability to mimic trusted platforms. By harvesting card details, one-time passwords, and more in real time, this plugin enables sophisticated phishing attacks. Its arsenal includes browser profiling, obfuscation, and fake confirmation emails, delaying detection while users unknowingly fall victim. Android’s January Security Bulletin underscores the urgency of patching critical vulnerabilities in devices running Android 12 to 15. With flaws enabling remote code execution without permissions, Google’s update addresses risks in System, Framework, and hardware components. Hardware giants MediaTek, HPE, and Dell have issued patches for severe vulnerabilities in their products. MediaTek patched a critical modem flaw, Dell resolved privilege escalation vulnerabilities, and HPE addressed issues in SAN switches.

Jan 6, 2025

Cyware Daily Threat Intelligence, January 06, 2025

Discord users are being lured by fake offers to beta test new video games, only to end up downloading malware. Scammers send direct messages posing as game developers, providing a password-protected installer link that spreads multiple info-stealers. The scam leverages installers like NSIS and MSI, making it harder to identify malicious intent until it's too late. Deep learning models face a new threat with BARWM, a backdoor attack method utilizing DNN-based steganography. This advanced technique embeds imperceptible triggers into inputs, bypassing detection while maintaining high attack success rates. Sophos has patched three critical vulnerabilities in its firewall, addressing risks like SQL injection, weak credential management, and code injection. While no active exploitation has been reported, users are strongly urged to upgrade to version 21.0 GA or later.

Jan 3, 2025

Cyware Daily Threat Intelligence, January 03, 2025

Open-source ecosystems once again face scrutiny as a supply chain attack compromises the Nomic Foundation and Hardhat through malicious npm packages. With 20 rogue packages, attackers leverage Ethereum smart contracts to evade takedown, posing risks to development environments and financial security. Disguised as a 'Telegram Premium' app, the newly uncovered Android malware FireScam blends info-stealing and spyware capabilities. Delivered through a fake website, it requests excessive permissions, intercepts sensitive data, and communicates with C2 servers to execute additional malicious payloads, escalating the threat to Android users. macOS users are urged to update iTerm2 after a critical flaw was discovered in its SSH integration feature. Affecting versions 3.5.6 through 3.5.10, the vulnerability exposed sensitive user data by logging it on remote hosts.

Jan 2, 2025

Cyware Daily Threat Intelligence, January 02, 2025

Malware targeting firmware is crossing alarming new thresholds. Security researchers unveiled a UEFI bootkit proof-of-concept capable of compromising the Windows kernel during the boot process. Operating beneath traditional antivirus protections, this bootkit showcases the dangers of persistent threats that survive reboots. Secure boot configurations and firmware updates are vital defenses against such sophisticated exploits. LegionLoader, a malware that has evolved since its 2019 debut, is proving to be a formidable threat. Known also as Satacom and CurlyGate, it deploys malicious tools like Chrome extensions, spreads via drive-by downloads, and uses encryption to evade detection. Its primary targets include financial accounts and sensitive user data. A new vulnerability called DoubleClickjacking has emerged, introducing a clever twist to traditional clickjacking attacks. Exploiting the timing between double clicks, this technique bypasses security measures like X-Frame-Options.

Dec 23, 2024

Cyware Daily Threat Intelligence, December 23, 2024

Compromised npm packages are yet another reminder of the fragility of supply chains in the digital age. Threat actors inserted cryptomining malware into popular packages, impacting hundreds of thousands of users before developers patched and re-released them. The malicious code executed via npm's postinstall script, emphasizing the need for vigilance and prompt updates in package management. IBM’s Cognos Analytics platform has been diagnosed with critical vulnerabilities that could undermine system security and expose sensitive data. Flaws like CVE-2024-51466, an Expression Language Injection vulnerability, and CVE-2024-40695, tied to poor file validation, affect several versions of the platform. IBM recommends urgent upgrades to patched versions to safeguard enterprise systems. In the murky world of Phishing-as-a-Service (PhaaS), FlowerStorm has emerged as a dangerous new player, potentially taking over from the now-defunct Rockstar2FA. With majority of its attacks focused on U.S. users, the platform is setting its sights on key sectors, raising fresh alarms for cybersecurity defenders.

Dec 20, 2024

Cyware Daily Threat Intelligence, December 20, 2024

Disguised as a harmless health tool, the BMI CalculationVsn app hid its sinister purpose within the Amazon Appstore. The spyware recorded screens, intercepted sensitive SMS messages, and scanned installed apps, leaving users vulnerable before its removal. However, traces of the app may still linger, necessitating manual removal and device scans. A critical vulnerability in BeyondTrust's Privileged Remote Access products landed on CISA's KEV catalog after reports of active exploitation. Tracked as CVE-2024-12356, the flaw enables attackers to execute commands as a site user, with patched updates now available for self-hosted installations. Copy-paste commands are no longer innocent. Threat actors have weaponized clipboard activity, tricking users into running malicious PowerShell scripts under the guise of software notifications. By exploiting trusted brands and Cloudflare tunnels, they discreetly deploy malware while bypassing conventional defenses.

Dec 19, 2024

Cyware Daily Threat Intelligence, December 19, 2024

Cybercriminals are pushing the boundaries of their operations, exploiting vulnerabilities in both devices and software ecosystems to widen their reach. The BADBOX botnet, thought to be dismantled, has made a troubling comeback, infecting over 192,000 Android-based devices worldwide. Expanding its scope, BADBOX now compromises high-end smart TVs and smartphones at the supply chain level. Juniper Networks routers are under siege in a botnet campaign deploying the Mirai malware. Exploiting default credentials, the malware scans the internet for vulnerable devices, infecting systems to launch DDoS attacks and execute malicious commands remotely. Juniper strongly advises users to change default passwords, monitor devices for unusual activity, and update firmware. Infected systems require reimaging to fully eradicate the threat. Fortinet has issued urgent patches for critical vulnerabilities in its products, including FortiClient VPN, FortiManager, and FortiWLM. The flaws allow attackers to extract VPN passwords, execute remote code, and access sensitive files. With millions of users at risk, Fortinet urges immediate upgrades to secure versions, highlighting the importance of proactive vulnerability management in today’s threat landscape.

Dec 18, 2024

Cyware Daily Threat Intelligence, December 18, 2024

Cybercriminals are weaving new layers of deception, blending sophisticated delivery methods with innocuous-looking themes. The FLUX#CONSOLE phishing campaign has been targeting Pakistan with tax-themed lures to deliver a stealthy backdoor. I2PRAT, a malware leveraging the I2P network, is redefining stealth by enabling encrypted, anonymous communication between attackers and infected systems. Delivered through phishing emails that lead to malicious CAPTCHA pages, I2PRAT installs a RAT while disabling system defenses like Microsoft Defender. Meanwhile, vulnerabilities in Apache Tomcat are raising alarms. A critical flaw allows remote code execution via the default servlet, while a DoS vulnerability affects the "examples" web app. The Apache Software Foundation urges users to update to the latest versions to safeguard against these risks. Adding to the chaos, Google Calendar spoofing campaigns have targeted 300 organizations, using altered headers to lure victims into phishing traps. Fake links to Google Forms and Drawings masquerade as cryptocurrency services, stealing personal and financial data from unsuspecting users.

Dec 17, 2024

Cyware Daily Threat Intelligence, December 17, 2024

Cybercriminals are doubling down on exploiting overlooked vulnerabilities, turning common devices and platforms into tools for covert operations. The FBI issued a warning about HiatusRAT attacks that target web cameras and DVRs, especially Chinese-branded devices with weak passwords and known flaws. Unit 42 researchers uncovered critical vulnerabilities in Azure Data Factory's Apache Airflow integration, exposing cloud infrastructure to potential compromise. Flaws like misconfigured Kubernetes RBAC and mishandled Geneva secrets could allow attackers to exfiltrate data, deploy malware, and gain unauthorized control. Meanwhile, Guardio Labs identified a malvertising campaign called DeceptionAds, responsible for over one million daily ad impressions. The attackers exploit a single ad network to spread fake CAPTCHA prompts, tricking users into running harmful PowerShell commands.

Dec 16, 2024

Cyware Daily Threat Intelligence, December 16, 2024

The ever-evolving threat landscape continues to target unsuspecting users across industries and platforms. A SocGholish malware campaign recently set its sights on Kaiser Permanente employees, leveraging fraudulent Google Search Ads masquerading as an HR portal. Meanwhile, the Chinese hacking group Winnti has unleashed a new modular backdoor named Glutton, targeting industries in both China and the U.S. This advanced ELF-based backdoor not only enables tailored cyberattacks but also infiltrates other threat actors’ systems by embedding itself in software packages. Ruijie Networks faced scrutiny as researchers uncovered 10 vulnerabilities in its Reyee cloud management platform and OS devices. Among these flaws is Open Sesame, allowing attackers near a Ruijie access point to exploit its cloud connection and infiltrate internal networks. Though Ruijie has patched these vulnerabilities at the cloud level, the findings emphasize the growing risks associated with cloud-enabled devices. Even content creators are under siege, as over 200,000 YouTubers have been targeted in a phishing campaign that mimics major brands. Cybercriminals lure victims with fake collaboration emails containing malware-laden attachments designed to steal credentials and grant remote system access.

Dec 13, 2024

Cyware Daily Threat Intelligence, December 13, 2024

Malware’s relentless evolution continues to shape the cyber landscape, with threat actors pushing boundaries in espionage and infrastructure disruption. Two spyware families, BoneSpy and PlainGnome, linked to the Russian group Gamaredon, have been identified as tools of surveillance. Both spyware families enable extensive data collection, reinforcing Gamaredon’s focus on espionage. Iranian cyber actors have unleashed IOCONTROL malware to compromise IoT and OT/SCADA systems in critical infrastructure. By exploiting routers and fuel management systems, this malware poses a serious threat to key infrastructure in Israel and the U.S. IOCONTROL is capable of executing commands, sending system information, and even self-deleting to avoid detection, highlighting the increasing risks tied to interconnected devices. Cleo has urged its customers to immediately patch their file-sharing products after the discovery of a vulnerability affecting widely used systems. Despite an earlier patch, the flaw remains exploitable. With exploitation reports rising, firms must secure their systems to mitigate risks associated with this critical bug.

Dec 12, 2024

Cyware Daily Threat Intelligence, December 12, 2024

Malware threats continue to evolve, targeting both enterprises and individual developers. Zloader’s latest variant leverages a custom protocol for DNS tunneling and advanced anti-analysis features. Meanwhile, a typosquatting attack tricked developers by mimicking the popular TypeScript ESLint plugin’s NPM package, enabling clipboard monitoring and persistence on compromised systems. Researchers revealed details about the AuthQuake vulnerability affecting Microsoft’s MFA system, leaving critical services like Outlook, Teams, and Azure exposed to brute-force attacks. Meanwhile, Siemens Healthineers issued a hotfix to address an SQL injection flaw in its syngo.plaza software that allowed database compromise. Phishing campaigns are becoming increasingly elaborate, with "Aggressive Inventory Zombies (AIZ)" impersonating major retailers like Amazon, Etsy, and eBay, and crypto platforms like Binance and Kraken. The phishing network preyed on unsuspecting users using fake sites and fraudulent chat support.