Cyware Daily Threat Intelligence, November 18, 2024
Daily Threat Briefing • Nov 18, 2024
Threat actors are employing sophisticated techniques to breach defenses across industries, from maritime manufacturing to WordPress websites and software impersonation campaigns. A DONOT APT campaign has been targeting Pakistan’s manufacturing sector supporting maritime and defense operations. The attackers use malicious LNK files disguised as RTF documents, leveraging dynamic domain generation and updated encryption to maintain persistence and evade detection.
Meanwhile, a critical authentication bypass vulnerability in the Really Simple Security WordPress plugin is putting over four million sites at risk, granting attackers full administrative access. Another vulnerability in the WPLMS Learning Management System exposes sites to arbitrary file reading and deletion, prompting emergency patches and forced updates by WordPress.
On the social engineering front, researchers highlighted the rise of ClickFix campaigns, impersonating trusted software to deliver malware like AsyncRAT and Lumma Stealer. A fake CAPTCHA variant in these campaigns recently tricked users into executing malicious payloads, impacting hundreds of organizations globally.
DONOT targets Pakistan’s manufacturing industry
Cyble identified a campaign linked to the DONOT APT group, targeting Pakistan's manufacturing industry supporting the maritime and defense sectors. The campaign uses a malicious LNK file disguised as an RTF to deliver a payload and establish persistence through scheduled tasks. It employs dynamic domain generation for backup C&C servers and has updated encryption methods. The attackers collect system information before deploying the final payload, showing a sophisticated approach.
Phishing emails use SVG attachments
Threat actors have been found using SVG files in phishing campaigns to hide malicious scripts and create phishing forms to steal credentials. These SVG attachments can also be used to display HTML and execute JavaScript when the graphic is loaded. Some SVG attachments pretend to be official documents or requests for information, prompting users to download malware from remote sites.
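The two attachment tricks described above, a Windows shortcut (LNK) carrying a document-like name as in the DONOT campaign, and an SVG graphic that carries scripts, event handlers or embedded HTML, can both be caught at the mail gateway by ignoring the file name and looking at the bytes. The following Python script is an added example written for this briefing; it is not code from Cyble, Cyware or any vendor mentioned. It relies only on the standard library and on two documented format facts: an LNK file starts with the header size 0x4C and the fixed LinkCLSID 00021401-0000-0000-C000-000000000046, and an RTF file starts with `{\rtf`. The sample attachments in `SAMPLES` are constructed for the demonstration and are not real campaign artefacts.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Windows shortcut (.lnk) files begin with HeaderSize 0x4C followed by the
# fixed LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian GUID).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
RTF_MAGIC = b"{\\rtf"


def sniff_type(data: bytes) -> str:
    """Identify the real content type from leading bytes, ignoring the name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    head = data.lstrip()[:512].lower()
    if head.startswith((b"<?xml", b"<svg")) and b"<svg" in data[:4096].lower():
        return "svg"
    return "unknown"


def svg_findings(data: bytes) -> list[str]:
    """Flag active content inside an SVG: scripts, embedded HTML, handlers."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["svg: malformed XML, treat as suspicious"]
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()   # strip the XML namespace
        if local == "script":
            findings.append("svg: <script> element")
        elif local == "foreignobject":
            findings.append("svg: <foreignObject> can host an HTML form")
        for name, value in el.attrib.items():
            aname = name.rsplit("}", 1)[-1].lower()
            if aname.startswith("on"):
                findings.append(f"svg: event handler attribute {aname}")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("svg: javascript: href")
    return findings


@dataclass
class Verdict:
    filename: str
    claimed: str
    actual: str
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Compare the extension a file claims with what its bytes say, then look
    inside the formats abused in the briefing (LNK shortcuts, SVG graphics)."""
    claimed = PurePosixPath(filename).suffix.lower().lstrip(".") or "none"
    actual = sniff_type(data)
    findings = []
    if actual == "lnk":
        # Shortcuts are rarely legitimate mail attachments: always flag them,
        # and call out the masquerade when the name promises a document.
        findings.append("lnk: Windows shortcut content")
        if claimed != "lnk":
            findings.append(f"lnk: masquerading as .{claimed}")
    elif actual == "svg":
        findings.extend(svg_findings(data))
    return Verdict(filename, claimed, actual, findings)


# Constructed sample attachments (not real campaign artefacts).
SAMPLES = {
    "quotation.rtf": LNK_MAGIC + b"\x00" * 60,             # LNK bytes, .rtf name
    "memo.rtf": b"{\\rtf1\\ansi Hello from the memo}",
    "invoice.svg": (b'<?xml version="1.0"?>'
                    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                    b'<script>/* constructed */</script>'
                    b'<foreignObject><form xmlns="http://www.w3.org/1999/xhtml"/>'
                    b'</foreignObject></svg>'),
    "logo.svg": (b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">'
                 b'<rect width="8" height="8" fill="#333"/></svg>'),
}


def run_triage(samples=SAMPLES) -> dict[str, Verdict]:
    """Triage every sample; returns the verdicts keyed by filename."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in run_triage().values():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.filename:16} claimed={v.claimed:5} actual={v.actual:8} {flag}")
        for f in v.findings:
            print("   -", f)
```

Running the script flags `quotation.rtf` (shortcut bytes behind a document name) and `invoice.svg` (an `onload` handler, a `<script>` element and a `<foreignObject>` that could carry an HTML credential form), while the genuine RTF and the plain logo pass. In a gateway the same checks would run on the decoded MIME part before any name-based allow-listing is applied.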
Infostealers leverage fake AI tools
Cybercriminals are using fake AI image and video generators to spread the Lumma Stealer and AMOS malware, targeting Windows and macOS users respectively. These malware families steal sensitive information such as cryptocurrency wallets, credentials, passwords, and browsing history, which is sent back to the attackers for further exploitation or sale. The malicious software is being distributed through professional-looking fake websites.
GeoVision 0-day exploited in the wild
Cybersecurity researchers have identified a zero-day vulnerability (CVE-2024-11120) in unsupported GeoVision devices, allowing attackers to remotely execute commands without authentication. The manufacturer, GeoVision, has acknowledged the issue but has limited patching options due to the end-of-life status of the affected devices. Organizations using these legacy devices are advised to disconnect them from the internet, segment the network, and consider replacing outdated hardware. A botnet is actively exploiting the vulnerability, posing a global threat, and authorities are expected to provide further guidance on mitigations.
Critical WordPress plugin flaw, patch now!
A critical authentication bypass vulnerability (CVE-2024-10924) has been disclosed in the Really Simple Security plugin for WordPress, impacting over four million sites. The vulnerability allows attackers to gain full administrative access. The plugin maintainers have released a patch, but the risk prompted them to work with WordPress to force-update all sites running the plugin. Additionally, another critical vulnerability was revealed in the WPLMS Learning Management System for WordPress, allowing unauthenticated attackers to read and delete arbitrary files.
Bugs in Citrix Virtual Apps and Desktops
The Virtual Apps and Desktops remote access solution from Citrix has two actively exploited vulnerabilities (CVE-2024-8068 and CVE-2024-8069) that allow attackers to execute arbitrary code with significant control over Citrix servers and virtual desktop sessions. These vulnerabilities stem from a combination of an exposed, misconfigured MSMQ service and the insecure BinaryFormatter class. Additionally, Citrix's Session Recording Manager has a deserialization vulnerability, providing another attack vector for malicious actors. Exploitation attempts have been identified, and Citrix has urged customers to apply the latest patches for Session Recording Manager.
ClickFix social engineering runs rampant
Proofpoint researchers noted a rise in a social engineering strategy called ClickFix. Various software, including popular programs like Microsoft Word and Google Chrome, has been impersonated in these campaigns, particularly targeting sectors like transportation and logistics. Notable malware from ClickFix campaigns includes AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport. Recently, a sophisticated variant called the fake CAPTCHA ClickFix has emerged, mimicking a verification process. Proofpoint observed this technique in various campaigns, including a significant one involving GitHub notifications that led to malware installations impacting around 300 organizations globally.