Go to listing page

Cyware Daily Threat Intelligence, May 26, 2023

Cyware Daily Threat Intelligence, May 26, 2023

Share Blog Post

A pair of sensitive security holes in one of D-Link’s network management suites has been fixed by the vendor. Uncovered during Trend Micro's Zero Day Initiative (ZDI) event, the bugs could allow remote attackers to compromise devices and use them for malicious activities, notably DDoS attacks. YouTube as a medium to promote malicious programs is an ongoing trend to watch for. Recently, verified YouTube channels with a substantial number of subscribers were found advertising software cracks in an attempt to infect users with a myriad of malware for stealing credentials, pilfering crypto wallet addresses, and more.

Malware designed specifically for Operational Technology (OT) systems are a rare breed. Researchers have uncovered one such malware called COSMICENERGY which has the ability to trigger power supply disruptions.

Top Breaches Reported in the Last 24 Hours

Unprotected VPN database
SuperVPN, a widely used free VPN service, experienced a massive data breach, owing to an unprotected database that exposed over 360 million user records. The database contained approximately 133GB of sensitive information, including user email addresses, original IP addresses, geolocation data, secret app keys, unique user identifier numbers, and logs of visited websites.

Ransomware cripples U.S. city
The BlackByte ransomware gang added the City of Augusta, in the U.S. state of Georgia, as one of its victims and demanded $50 million in ransom. The city has admitted to unauthorized access to its network that brought its IT systems offline. It is, however, yet to be determined whether the cybercriminals managed to access or steal any sensitive data. Meanwhile, criminals claimed to have stolen 10 GB of sensitive data.

Top Malware Reported in the Last 24 Hours

Malware via cracked files on YouTube
FortiGuard Labs discovered an active threat campaign that specifically targets individuals searching for pirated software on YouTube. The campaign promotes pirated software containing different harmful executable files, such as Vidar Stealer and Laplas Clipper. The malware's primary objectives include stealing credentials, engaging in cryptojacking activities, and pilfering funds from cryptocurrency wallets.

Experts dissect Predator spyware
An in-depth analysis of the commercial Android spyware Predator, marketed by the Israeli company Intellexa, was published. The delivery mechanism for the spyware involves utilizing a separate loader component known as Alien. Additionally, the spyware can record audio from phone calls and VoIP-based applications and also gather contacts and messages from popular messaging platforms like WhatsApp, Signal, and Telegram.

Tailored malware against OT and ICS
A new malware named COSMICENERGY has emerged in the OT and ICS landscape, revealed cybersecurity company Mandiant. The malware is designed to disrupt electric power systems by interacting with IEC 60870-5-104 (IEC-104) devices, specifically remote terminal units (RTUs). Malware actors can manipulate the actuation of power line switches and circuit breakers. They achieve this typically via two derivative components: PIEHOP and LIGHTWORK.

Dark Frost - A mix of other botnets
Akamai security researchers identified a botnet threat aimed at pursuing DDoS attacks, specifically targeting the gaming industry. Named Dark Frost, the botnet has reportedly drawn inspiration from malware strains like Gafgyt, QBot, Mirai, and others, and has hundreds of compromised devices within its network. As of February 2023, there are 414 infected machines running on diverse instruction set architectures, including ARMv4, MIPS, ARM7, x86, and MIPSEL.

Potential info-stealer earns praise
An info-stealing malware was found gaining popularity in underground marketplaces due to its ability to target multiple browsers and cryptocurrency wallets while remaining undetected by security systems. Dubbed Bandit Stealer—and developed in Go language—it is preferably targeting the Windows platform as of now.  When encountered by a sandbox environment, it can change its behavior accordingly to dodge detection or analysis.

Top Vulnerabilities Reported in the Last 24 Hours

Abusing Linux-based servers and devices
A Mirai variant dubbed IZ1H9 is abusing vulnerabilities from a range of exposed servers and networking devices running Linux. The list includes Tenda G103 command injection vulnerability (CVE-2023-27076), LB-Link command injection vulnerability (CVE-2023-26801), DCN DCBI-Netlog-LAB remote code execution vulnerability (CVE-2023-26802), and a Zyxel remote code execution vulnerability. Compromised devices are used to conduct further attacks, mainly DDoS attacks.

D-Link patches critical vulnerabilities
Two high-severity flaws were addressed in D-Link’s D-View 8 network management suite. The first flaw is tracked as CVE-2023-32165 which an adversary can abuse for RCE with SYSTEM privileges. For Windows, the code will run with the highest privileges, risking a complete system takeover. The exploitation of the second flaw, CVE-2023-32169, allows privilege escalation, data exposure, installation of backdoors and malware, and more.

Top Scams Reported in the Last 24 Hours

Scammer abuse ChatGTP users
A sophisticated phishing campaign based on ChatGPT has surfaced to steal business email account credentials from unsuspecting users. The phishing email requests the recipient to verify their email address if they wish to maintain access to their ChatGPT account setup. The first login attempt returns an error message. It is the stage where attackers have already captured their sensitive data. The next click redirects victims to the legitimate domain.


d link d view 8
city of augusta
youtube videos
dark frost
bandit stealer
predator spyware

Posted on: May 26, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite