Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Announces Healthcare TIP

Check it Out

Skip to main content

Cyware Daily Threat Intelligence, January 16, 2025

shutterstock_2379342715

Daily Threat Briefing Jan 16, 2025

Threat actors continue to exploit misconfigurations and vulnerabilities to spread malware and disrupt systems. A newly discovered MikroTik botnet of 13,000 devices abuses SPF DNS flaws to spoof 20,000 domains, bypassing email security and delivering malware via fake DHL-themed emails. At the same time, adversaries are embedding rogue code in image files to spread VIP Keylogger and 0bj3ctivity Stealer, leveraging phishing emails and Base64-encoded payloads to compromise systems.

The CERT/CC warned of newly discovered vulnerabilities affecting over 660,000 Rsync servers. Among the six identified flaws, two—CVE-2024-12084 and CVE-2024-12085—allow remote code execution when combined.

Cybercriminals are also weaponizing Google Search ads to steal Google Ads credentials. By directing users to phishing pages hosted on Google Sites, attackers can disguise their schemes under the guise of legitimate Google Ads pages.

Top Malware Reported in the Last 24 Hours

VIP Keylogger and 0bj3ctivity Stealer Dropped

Adversaries hide rogue code in images to spread malware like VIP Keylogger and 0bj3ctivity Stealer through separate campaigns. They start with phishing emails pretending to be invoices that dupe users into opening rogue attachments that exploit a security flaw to download a VBScript file. It retrieves an image bearing Base64-encoded code that is then turned into a .NET executable that downloads and runs VIP Keylogger. A similar method uses archive files to drop 0bj3ctivity.

MikroTik Botnet Abuses SPF DNS Records

A newly found botnet includes 13,000 MikroTik devices that exploit a misconfigured sender policy framework (SPF) DNS record to bypass email security and push malware via fake emails from about 20,000 spoofed domains. The campaign, active in late November 2024, included emails posing as DHL Express with rogue attachments. The botnet uses the devices as SOCKS4 proxies for DDoS attacks and phishing.

RansomHub Deployed via Python Backdoor

Researchers reported an attack where a hacker used a Python-based backdoor to access compromised systems and spread the RansomHub ransomware across the network. The attack began with the SocGholish JavaScript malware, which dupes users into downloading fake web browser updates from infected sites using black hat SEO tactics. Upon execution, SocGholish connects to a server to download further payloads. The Python backdoor appeared about 20 minutes after SocGholish's infection and was used to move laterally through the network using RDP sessions. The backdoor creates a SOCKS5-based tunnel for further access.

Top Vulnerabilities Reported in the Last 24 Hours

Veeam Resolves High-Risk SSRF Bug

Veeam has revealed a high-risk security flaw, CVE-2025-23082, in its Backup for Microsoft Azure product. This Server-Side Request Forgery (SSRF) flaw could let attackers send unauthorized requests, leading to network enumeration or other malicious activities. All versions up to 7.1.0.22 are affected. Veeam has released a patch in version 7.1.0.59. Users are advised to upgrade immediately to reduce risks.

UEFI Flaw Enables Secure Boot Bypass

Details have emerged about a medium-risk security flaw, CVE-2024-7344, that can enable Secure Boot bypass in UEFI systems. It exists in a UEFI application signed by the “Microsoft Corporation UEFI CA 2011” certificate. Exploiting this flaw lets hackers run untrusted code during system boot, enabling them to install rogue UEFI bootkits, regardless of the operating system. The flaw stems from using a custom PE loader instead of secure UEFI functions. This lets hackers load unsigned UEFI binaries, even before the operating system starts. Effective mitigation includes managing access to EFI system partition files and implementing Secure Boot customization.

Over 660,000 Rsync Servers Exposed to RCE

File synchronization tool Rsync is affected by six new flaws, including a critical issue allowing remote code execution (RCE). The flaws are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, and CVE-2024-12747. The CERT/CC issued a bulletin warning that CVE-2024-12084 and CVE-2024-12085, when combined, allow a client to execute arbitrary code on a device that has an Rsync server running. Users should upgrade to version 3.4.0 to protect their servers from potential attacks.

Exploit Allows NTLMv1 Despite AD Restrictions

Researchers discovered that a Microsoft Active Directory (AD) Group Policy meant to disable NT LAN Manager (NTLM) v1 can easily be bypassed due to misconfiguration. Poorly set up on-premise applications can override this policy, allowing NTLMv1 authentication. Although Microsoft removed NTLMv1 in newer systems, flaws in NTLM have been exploited for accessing sensitive data. The bypass occurs through a setting in Netlogon Remote Protocol, which can re-enable NTLMv1. To reduce risks, firms should enable audit logs for NTLM authentication, monitor for applications that use NTLMv1, and keep systems updated.

Top Scams Reported in the Last 24 Hours

Google Search Ads Used to Rob Accounts

Malwarebytes warned that cyber actors use Google Search ads to promote phishing sites that rob Google Ads credentials. They create ads that appear to be from Google Ads, directing victims to bogus login pages hosted on Google Sites, allowing hackers to dupe users more easily. These phishing pages steal victims' Google Ads account credentials. The stolen accounts are often sold on hacking forums or used for further attacks.

Related Threat Briefings

Jan 21, 2025

Cyware Daily Threat Intelligence, January 21, 2025

From malware campaigns targeting critical infrastructure to vulnerabilities in core networking protocols, threat actors are exploiting trust and technical gaps to infiltrate systems. The MintsLoader campaign targets sectors like energy and law with the StealC malware and the BOINC client, masking malicious actions as legitimate. Meanwhile, the DoNot APT group is using the new Tanzeem Android malware to spy on South Asian government and military entities. Flaws in tunneling protocols put millions of systems at risk of DoS attacks and unauthorized network access, underscoring the need for stronger configurations. Meanwhile, attackers are impersonating CERT-UA using AnyDesk to infiltrate Ukrainian systems under the pretense of a “security audit.” For detailed Cyber Threat Intel, click ‘Read More’.

Jan 20, 2025

Cyware Daily Threat Intelligence, January 20, 2025

In today’s evolving cyber landscape, even natural disasters are becoming fertile ground for exploitation by bad actors. Southern California’s raging wildfires have ignited a parallel wave of phishing scams targeting affected individuals and businesses. Fraudsters are leveraging themes of relief and recovery to propagate bogus donation requests, fake insurance claims, and cryptocurrency fraud schemes. Elsewhere, PHP-based web servers in Indonesia are being hijacked to promote online gambling platforms. Targeting servers running Moodle LMS, attackers are installing rogue plugins, stealing credentials, and deploying Python-based bots to propagate the attack. Meanwhile, a critical flaw in Moxa’s EDS-508A Series Ethernet switches has been patched, addressing vulnerabilities that could grant unauthorized access and disrupt operations. Admins are urged to apply the security patch immediately. For detailed Cyber Threat Intel, click ‘Read More’.

Jan 15, 2025

Cyware Daily Threat Intelligence, January 15, 2025

A fresh wave of malware has overtaken over 5,000 WordPress sites, exploiting rogue admin accounts and malicious plugins to siphon sensitive data. With data being funneled to the wp3[.]xyz domain, researchers urge website owners to bolster defenses by blocking this domain. Microsoft’s January 2025 Patch Tuesday brings critical relief with fixes for 159 vulnerabilities, including eight zero-days, three actively exploited. Key patches target SYSTEM-level exploits in Hyper-V and resolve dangerous RCE flaws in Microsoft Access, underscoring the need for immediate updates to prevent potential threats. North Korea's economic tactics continue to evolve, as researchers connected the regime's fake IT worker operations to a crowdfunding scam under the alias Nickle Tapestry. The scam lured victims via IndieGoGo, collecting $20,000 under false promises of innovative wireless memory devices.

Jan 14, 2025

Cyware Daily Threat Intelligence, January 14, 2025

Government officials in Central Asia have been ensnared by APT28’s latest cyberespionage campaign, where leaked Kazakhstan government documents serve as the perfect trap. With tools like HATVIBE and CHERRYSPY, the Russian-linked group casts a wide net to maintain geopolitical sway across key regions. Codefinger, a new ransomware group has introduced a chilling new tactic to the ransomware scene, locking AWS S3 buckets with server-side encryption and customer-provided keys. By exploiting compromised AWS keys, the group targets native AWS software developers, encrypting critical data and threatening deletion within seven days. Imagine logging in with Google, only to find your old startup’s downfall has exposed your data. That’s the reality for millions of former employees, as Google’s Sign in with Google flaw allows new domain owners to access sensitive accounts, leaving users and startups alike vulnerable.

Jan 13, 2025

Cyware Daily Threat Intelligence, January 13, 2025

A newly identified ransomware group, FunkSec, has emerged as a low-cost yet prolific threat, targeting over 80 victims across multiple countries within a month. The group’s tactics include demanding modest ransoms and offering tools for DDoS attacks. FunkSec’s latest ransomware version, FunkSec V1, shows signs of AI-assisted development, adding a layer of sophistication to its operations. A critical vulnerability has put Aviatrix Controller users at significant risk by allowing unauthenticated remote code execution. The flaw, caused by improper API input handling, exposes cloud enterprise environments to malicious activities. While Aviatrix has released patches, early exploitation suggests attackers have already begun leveraging the vulnerability for broader campaigns. Cybercriminals are exploiting Apple iMessage’s phishing protection by manipulating users into disabling link-blocking features. Smishing texts urge recipients to reply with Y to re-enable links, bypassing safeguards and exposing victims to malicious websites.

Jan 10, 2025

Cyware Daily Threat Intelligence, January 10, 2025

China-linked RedDelta has intensified its cyber-espionage activities across Asia, targeting government and political entities across multiple countries. The group used sophisticated spear-phishing tactics to deliver a modified PlugX backdoor. Notable breaches include the Mongolian Ministry of Defense and the Communist Party of Vietnam, underscoring RedDelta’s evolving methods and broad geographical reach. In a deceptive twist, threat actors have created a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability to lure security researchers. The malicious PoC, hosted on a repository, drops a PowerShell script upon execution, stealing computer information and sending it to an external FTP server. CrowdStrike uncovered a phishing scheme where attackers impersonated the company, offering fake job opportunities to lure victims. Targets were directed to download a fraudulent CRM application, which bypassed sandbox checks to install a Monero miner. The malware operated stealthily in the background, ensuring persistence through startup scripts and registry entries.

Jan 9, 2025

Cyware Daily Threat Intelligence, January 09, 2025

Malicious actors continue to exploit trusted ecosystems, with researchers uncovering npm packages stealing Solana private keys and exfiltrating them via Gmail. Masquerading as legitimate tools, these packages drain victims' wallets while amplifying their reach through GitHub repositories. Threat actors are actively exploiting a critical flaw in GFI KerioControl firewalls, to achieve remote code execution. Despite a patch released by GFI, attempts to abuse the vulnerability have surged, targeting over 23,800 exposed instances worldwide. Meanwhile, the Fancy Product Designer plugin for WordPress remains vulnerable to critical flaws, including file upload and SQL injection vulnerabilities. With no response from the developer, over 20,000 sites face heightened risk from these exploits.

Jan 8, 2025

Cyware Daily Threat Intelligence, January 08, 2025

The Gayfemboy botnet has emerged as a powerful tool in the Mirai-based arsenal, evolving with zero-day exploits targeting industrial routers and smart home devices. With around 15,000 active bot nodes daily, it uses vulnerabilities in industrial routers to launch high-intensity DDoS attacks exceeding 100 Gbps. A cunning social engineering campaign in the Middle East sees fraudsters posing as government officials to exploit customer trust. Victims are lured into installing remote access software under the guise of resolving purchase complaints. Using tools like RedLine Stealer, the attackers steal credit card details and intercept OTPs. CISA’s KEV catalog now includes critical flaws in Mitel MiCollab and Oracle WebLogic Server, highlighting active exploitation. The vulnerabilities like allow unauthorized access and remote code execution, urging federal agencies to update systems by January 28 to mitigate risks effectively.

Jan 7, 2025

Cyware Daily Threat Intelligence, January 07, 2025

PhishWP, a rogue WordPress plugin, is redefining payment fraud with its ability to mimic trusted platforms. By harvesting card details, one-time passwords, and more in real time, this plugin enables sophisticated phishing attacks. Its arsenal includes browser profiling, obfuscation, and fake confirmation emails, delaying detection while users unknowingly fall victim. Android’s January Security Bulletin underscores the urgency of patching critical vulnerabilities in devices running Android 12 to 15. With flaws enabling remote code execution without permissions, Google’s update addresses risks in System, Framework, and hardware components. Hardware giants MediaTek, HPE, and Dell have issued patches for severe vulnerabilities in their products. MediaTek patched a critical modem flaw, Dell resolved privilege escalation vulnerabilities, and HPE addressed issues in SAN switches.

Jan 6, 2025

Cyware Daily Threat Intelligence, January 06, 2025

Discord users are being lured by fake offers to beta test new video games, only to end up downloading malware. Scammers send direct messages posing as game developers, providing a password-protected installer link that spreads multiple info-stealers. The scam leverages installers like NSIS and MSI, making it harder to identify malicious intent until it's too late. Deep learning models face a new threat with BARWM, a backdoor attack method utilizing DNN-based steganography. This advanced technique embeds imperceptible triggers into inputs, bypassing detection while maintaining high attack success rates. Sophos has patched three critical vulnerabilities in its firewall, addressing risks like SQL injection, weak credential management, and code injection. While no active exploitation has been reported, users are strongly urged to upgrade to version 21.0 GA or later.

Jan 3, 2025

Cyware Daily Threat Intelligence, January 03, 2025

Open-source ecosystems once again face scrutiny as a supply chain attack compromises the Nomic Foundation and Hardhat through malicious npm packages. With 20 rogue packages, attackers leverage Ethereum smart contracts to evade takedown, posing risks to development environments and financial security. Disguised as a 'Telegram Premium' app, the newly uncovered Android malware FireScam blends info-stealing and spyware capabilities. Delivered through a fake website, it requests excessive permissions, intercepts sensitive data, and communicates with C2 servers to execute additional malicious payloads, escalating the threat to Android users. macOS users are urged to update iTerm2 after a critical flaw was discovered in its SSH integration feature. Affecting versions 3.5.6 through 3.5.10, the vulnerability exposed sensitive user data by logging it on remote hosts.

Jan 2, 2025

Cyware Daily Threat Intelligence, January 02, 2025

Malware targeting firmware is crossing alarming new thresholds. Security researchers unveiled a UEFI bootkit proof-of-concept capable of compromising the Windows kernel during the boot process. Operating beneath traditional antivirus protections, this bootkit showcases the dangers of persistent threats that survive reboots. Secure boot configurations and firmware updates are vital defenses against such sophisticated exploits. LegionLoader, a malware that has evolved since its 2019 debut, is proving to be a formidable threat. Known also as Satacom and CurlyGate, it deploys malicious tools like Chrome extensions, spreads via drive-by downloads, and uses encryption to evade detection. Its primary targets include financial accounts and sensitive user data. A new vulnerability called DoubleClickjacking has emerged, introducing a clever twist to traditional clickjacking attacks. Exploiting the timing between double clicks, this technique bypasses security measures like X-Frame-Options.