We use cookies to improve your experience. Do you accept?

Cyware Announces Healthcare TIP

Check it Out

Skip to main content

Cyware Daily Threat Intelligence, January 13, 2025

shutterstock 2319601883

Daily Threat Briefing Jan 13, 2025

A newly identified ransomware group, FunkSec, has emerged as a low-cost yet prolific threat, targeting over 80 victims across multiple countries within a month. The group’s tactics include demanding modest ransoms and offering tools for DDoS attacks. FunkSec’s latest ransomware version, FunkSec V1, shows signs of AI-assisted development, adding a layer of sophistication to its operations.

A critical vulnerability has put Aviatrix Controller users at significant risk by allowing unauthenticated remote code execution. The flaw, caused by improper API input handling, exposes cloud enterprise environments to malicious activities. While Aviatrix has released patches, early exploitation suggests attackers have already begun leveraging the vulnerability for broader campaigns.

Cybercriminals are exploiting Apple iMessage’s phishing protection by manipulating users into disabling link-blocking features. Smishing texts urge recipients to reply with Y to re-enable links, bypassing safeguards and exposing victims to malicious websites.

Top Malware Reported in the Last 24 Hours

New ransomware uses AI to develop malware

Check Point has identified a new ransomware group called FunkSec that has targeted over 80 victims in a month, primarily in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia. The group demands low ransoms and sells stolen data at reduced prices, with some recycled from previous hacktivism campaigns.The group also offers tools for DDoS attacks and remote desktop management. The ransomware group's latest version, FunkSec V1, was uploaded from Algeria and contains elements apparently created with the help of artificial intelligence.

RedCurl drops malware 

The RedCurl APT group has been identified carrying out malicious activities in Canada, utilizing scheduled tasks to execute pcalua.exe for running malicious binaries and Python scripts. Evidence suggests data exfiltration to cloud storage, targeting various industries for long-term data collection. The malware leverages PowerShell and Python for file downloads, encryption, and exfiltration, while also utilizing living-off-the-land techniques to evade detection. The backdoor component, RedLoader, employs obfuscation techniques and encryption to conceal its true purpose. 

Top Vulnerabilities Reported in the Last 24 Hours

PoC released for macOS Sandbox flaw

A security researcher revealed a PoC exploit for CVE-2024-54498, a vulnerability allowing applications to escape the macOS Sandbox. This PoC, shared on GitHub, shows how attackers could gain unauthorized access to sensitive data. The macOS Sandbox is meant to stop applications from accessing files outside their area, protecting users from malware. However, CVE-2024-54498, which has a high severity score of 8. 8, allows bypassing these restrictions. Apple has fixed this vulnerability in recent updates: macOS Sequoia 15.2, macOS Ventura 13.7.2, and macOS Sonoma 14.7.2.

Aviatrix Controller RCE actively exploited

CVE-2024-50603 is a critical code execution vulnerability affecting Aviatrix Controller, rated 10.0 on the CVSS score. This flaw allows attackers without authentication to run commands on the system remotely due to improper handling of input. It has been fixed in versions 7.1.4191 and 7.2.4996. The vulnerability exists within the Aviatrix Controller's API, which improperly processes user parameters, enabling command injection by unauthenticated users. Currently, about 3% of cloud enterprise environments use Aviatrix Controller, and in 65% of those, there is a risk of lateral movement to admin permissions in the cloud. Exploitation was first reported on January 7, with immediate evidence of the vulnerability being attacked. Attackers were found mining cryptocurrency and deploying backdoors, suggesting potential later data exfiltration. 

Top Scams Reported in the Last 24 Hours

Muddling Meerkat’s domain spoofing scams

Infoblox discovered a widespread use of domain spoofing in spam campaigns while investigating a threat actor known as Muddling Meerkat. Multiple spam campaigns were identified, including phishing with QR codes, impersonating brands, extortion, and mysterious financial spam. These campaigns utilized sophisticated domain spoofing techniques to deceive recipients and bypass security measures.

Smishing attacks target iMessage users

Cybercriminals are using a tactic to bypass Apple iMessage's phishing protection by tricking users into re-enabling disabled links. This tactic involves sending smishing texts and asking recipients to reply with "Y" to enable the links. By doing so, the phishing protection is turned off, making the user vulnerable to potential attacks. This attack technique has been in use over the past year, with an increase since the summer. 

New transaction simulation spoofing attack

Threat actors are using a new tactic called transaction simulation spoofing to deceive users into approving fraudulent transactions. This involves luring victims to a fake website that initiates a deceptive "Claim" function, showing a small amount of Ethereum in a transaction simulation. However, a time delay allows the attackers to change the transaction's actual outcome after the user has approved it, resulting in the loss of cryptocurrency from the victim's wallet. This sophisticated attack exploits trusted wallet features.

Related Threat Briefings

Jan 14, 2025

Cyware Daily Threat Intelligence, January 14, 2025

Government officials in Central Asia have been ensnared by APT28’s latest cyberespionage campaign, where leaked Kazakhstan government documents serve as the perfect trap. With tools like HATVIBE and CHERRYSPY, the Russian-linked group casts a wide net to maintain geopolitical sway across key regions. Codefinger, a new ransomware group has introduced a chilling new tactic to the ransomware scene, locking AWS S3 buckets with server-side encryption and customer-provided keys. By exploiting compromised AWS keys, the group targets native AWS software developers, encrypting critical data and threatening deletion within seven days. Imagine logging in with Google, only to find your old startup’s downfall has exposed your data. That’s the reality for millions of former employees, as Google’s Sign in with Google flaw allows new domain owners to access sensitive accounts, leaving users and startups alike vulnerable.

Jan 10, 2025

Cyware Daily Threat Intelligence, January 10, 2025

China-linked RedDelta has intensified its cyber-espionage activities across Asia, targeting government and political entities across multiple countries. The group used sophisticated spear-phishing tactics to deliver a modified PlugX backdoor. Notable breaches include the Mongolian Ministry of Defense and the Communist Party of Vietnam, underscoring RedDelta’s evolving methods and broad geographical reach. In a deceptive twist, threat actors have created a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability to lure security researchers. The malicious PoC, hosted on a repository, drops a PowerShell script upon execution, stealing computer information and sending it to an external FTP server. CrowdStrike uncovered a phishing scheme where attackers impersonated the company, offering fake job opportunities to lure victims. Targets were directed to download a fraudulent CRM application, which bypassed sandbox checks to install a Monero miner. The malware operated stealthily in the background, ensuring persistence through startup scripts and registry entries.

Jan 9, 2025

Cyware Daily Threat Intelligence, January 09, 2025

Malicious actors continue to exploit trusted ecosystems, with researchers uncovering npm packages stealing Solana private keys and exfiltrating them via Gmail. Masquerading as legitimate tools, these packages drain victims' wallets while amplifying their reach through GitHub repositories. Threat actors are actively exploiting a critical flaw in GFI KerioControl firewalls, to achieve remote code execution. Despite a patch released by GFI, attempts to abuse the vulnerability have surged, targeting over 23,800 exposed instances worldwide. Meanwhile, the Fancy Product Designer plugin for WordPress remains vulnerable to critical flaws, including file upload and SQL injection vulnerabilities. With no response from the developer, over 20,000 sites face heightened risk from these exploits.

Jan 8, 2025

Cyware Daily Threat Intelligence, January 08, 2025

The Gayfemboy botnet has emerged as a powerful tool in the Mirai-based arsenal, evolving with zero-day exploits targeting industrial routers and smart home devices. With around 15,000 active bot nodes daily, it uses vulnerabilities in industrial routers to launch high-intensity DDoS attacks exceeding 100 Gbps. A cunning social engineering campaign in the Middle East sees fraudsters posing as government officials to exploit customer trust. Victims are lured into installing remote access software under the guise of resolving purchase complaints. Using tools like RedLine Stealer, the attackers steal credit card details and intercept OTPs. CISA’s KEV catalog now includes critical flaws in Mitel MiCollab and Oracle WebLogic Server, highlighting active exploitation. The vulnerabilities like allow unauthorized access and remote code execution, urging federal agencies to update systems by January 28 to mitigate risks effectively.

Jan 7, 2025

Cyware Daily Threat Intelligence, January 07, 2025

PhishWP, a rogue WordPress plugin, is redefining payment fraud with its ability to mimic trusted platforms. By harvesting card details, one-time passwords, and more in real time, this plugin enables sophisticated phishing attacks. Its arsenal includes browser profiling, obfuscation, and fake confirmation emails, delaying detection while users unknowingly fall victim. Android’s January Security Bulletin underscores the urgency of patching critical vulnerabilities in devices running Android 12 to 15. With flaws enabling remote code execution without permissions, Google’s update addresses risks in System, Framework, and hardware components. Hardware giants MediaTek, HPE, and Dell have issued patches for severe vulnerabilities in their products. MediaTek patched a critical modem flaw, Dell resolved privilege escalation vulnerabilities, and HPE addressed issues in SAN switches.

Jan 6, 2025

Cyware Daily Threat Intelligence, January 06, 2025

Discord users are being lured by fake offers to beta test new video games, only to end up downloading malware. Scammers send direct messages posing as game developers, providing a password-protected installer link that spreads multiple info-stealers. The scam leverages installers like NSIS and MSI, making it harder to identify malicious intent until it's too late. Deep learning models face a new threat with BARWM, a backdoor attack method utilizing DNN-based steganography. This advanced technique embeds imperceptible triggers into inputs, bypassing detection while maintaining high attack success rates. Sophos has patched three critical vulnerabilities in its firewall, addressing risks like SQL injection, weak credential management, and code injection. While no active exploitation has been reported, users are strongly urged to upgrade to version 21.0 GA or later.

Jan 3, 2025

Cyware Daily Threat Intelligence, January 03, 2025

Open-source ecosystems once again face scrutiny as a supply chain attack compromises the Nomic Foundation and Hardhat through malicious npm packages. With 20 rogue packages, attackers leverage Ethereum smart contracts to evade takedown, posing risks to development environments and financial security. Disguised as a 'Telegram Premium' app, the newly uncovered Android malware FireScam blends info-stealing and spyware capabilities. Delivered through a fake website, it requests excessive permissions, intercepts sensitive data, and communicates with C2 servers to execute additional malicious payloads, escalating the threat to Android users. macOS users are urged to update iTerm2 after a critical flaw was discovered in its SSH integration feature. Affecting versions 3.5.6 through 3.5.10, the vulnerability exposed sensitive user data by logging it on remote hosts.

Jan 2, 2025

Cyware Daily Threat Intelligence, January 02, 2025

Malware targeting firmware is crossing alarming new thresholds. Security researchers unveiled a UEFI bootkit proof-of-concept capable of compromising the Windows kernel during the boot process. Operating beneath traditional antivirus protections, this bootkit showcases the dangers of persistent threats that survive reboots. Secure boot configurations and firmware updates are vital defenses against such sophisticated exploits. LegionLoader, a malware that has evolved since its 2019 debut, is proving to be a formidable threat. Known also as Satacom and CurlyGate, it deploys malicious tools like Chrome extensions, spreads via drive-by downloads, and uses encryption to evade detection. Its primary targets include financial accounts and sensitive user data. A new vulnerability called DoubleClickjacking has emerged, introducing a clever twist to traditional clickjacking attacks. Exploiting the timing between double clicks, this technique bypasses security measures like X-Frame-Options.

Dec 23, 2024

Cyware Daily Threat Intelligence, December 23, 2024

Compromised npm packages are yet another reminder of the fragility of supply chains in the digital age. Threat actors inserted cryptomining malware into popular packages, impacting hundreds of thousands of users before developers patched and re-released them. The malicious code executed via npm's postinstall script, emphasizing the need for vigilance and prompt updates in package management. IBM’s Cognos Analytics platform has been diagnosed with critical vulnerabilities that could undermine system security and expose sensitive data. Flaws like CVE-2024-51466, an Expression Language Injection vulnerability, and CVE-2024-40695, tied to poor file validation, affect several versions of the platform. IBM recommends urgent upgrades to patched versions to safeguard enterprise systems. In the murky world of Phishing-as-a-Service (PhaaS), FlowerStorm has emerged as a dangerous new player, potentially taking over from the now-defunct Rockstar2FA. With majority of its attacks focused on U.S. users, the platform is setting its sights on key sectors, raising fresh alarms for cybersecurity defenders.

Dec 20, 2024

Cyware Daily Threat Intelligence, December 20, 2024

Disguised as a harmless health tool, the BMI CalculationVsn app hid its sinister purpose within the Amazon Appstore. The spyware recorded screens, intercepted sensitive SMS messages, and scanned installed apps, leaving users vulnerable before its removal. However, traces of the app may still linger, necessitating manual removal and device scans. A critical vulnerability in BeyondTrust's Privileged Remote Access products landed on CISA's KEV catalog after reports of active exploitation. Tracked as CVE-2024-12356, the flaw enables attackers to execute commands as a site user, with patched updates now available for self-hosted installations. Copy-paste commands are no longer innocent. Threat actors have weaponized clipboard activity, tricking users into running malicious PowerShell scripts under the guise of software notifications. By exploiting trusted brands and Cloudflare tunnels, they discreetly deploy malware while bypassing conventional defenses.

Dec 19, 2024

Cyware Daily Threat Intelligence, December 19, 2024

Cybercriminals are pushing the boundaries of their operations, exploiting vulnerabilities in both devices and software ecosystems to widen their reach. The BADBOX botnet, thought to be dismantled, has made a troubling comeback, infecting over 192,000 Android-based devices worldwide. Expanding its scope, BADBOX now compromises high-end smart TVs and smartphones at the supply chain level. Juniper Networks routers are under siege in a botnet campaign deploying the Mirai malware. Exploiting default credentials, the malware scans the internet for vulnerable devices, infecting systems to launch DDoS attacks and execute malicious commands remotely. Juniper strongly advises users to change default passwords, monitor devices for unusual activity, and update firmware. Infected systems require reimaging to fully eradicate the threat. Fortinet has issued urgent patches for critical vulnerabilities in its products, including FortiClient VPN, FortiManager, and FortiWLM. The flaws allow attackers to extract VPN passwords, execute remote code, and access sensitive files. With millions of users at risk, Fortinet urges immediate upgrades to secure versions, highlighting the importance of proactive vulnerability management in today’s threat landscape.

Dec 18, 2024

Cyware Daily Threat Intelligence, December 18, 2024

Cybercriminals are weaving new layers of deception, blending sophisticated delivery methods with innocuous-looking themes. The FLUX#CONSOLE phishing campaign has been targeting Pakistan with tax-themed lures to deliver a stealthy backdoor. I2PRAT, a malware leveraging the I2P network, is redefining stealth by enabling encrypted, anonymous communication between attackers and infected systems. Delivered through phishing emails that lead to malicious CAPTCHA pages, I2PRAT installs a RAT while disabling system defenses like Microsoft Defender. Meanwhile, vulnerabilities in Apache Tomcat are raising alarms. A critical flaw allows remote code execution via the default servlet, while a DoS vulnerability affects the "examples" web app. The Apache Software Foundation urges users to update to the latest versions to safeguard against these risks. Adding to the chaos, Google Calendar spoofing campaigns have targeted 300 organizations, using altered headers to lure victims into phishing traps. Fake links to Google Forms and Drawings masquerade as cryptocurrency services, stealing personal and financial data from unsuspecting users.