We use cookies to improve your experience. Do you accept?

Skip to main content

Cyware Daily Threat Intelligence, November 20, 2024

shutterstock 2339262777 (1)

Daily Threat Briefing Nov 20, 2024

Cybercriminals and nation-state actors are fine-tuning their craft, targeting everything from IoT devices to global telecom networks. The Ngioweb malware has been used to assemble a botnet of over 35,000 compromised IoT devices and SOHO routers, to sell residential proxies on platforms like NSOCKS. 

A China-linked group, LIMINAL PANDA, has been conducting cyberespionage against telecommunications entities in South Asia and Africa since 2020. Armed with custom malware like SIGTRANslator and PingPong, they exploit telecom protocols to exfiltrate data and maintain persistent access, employing advanced tactics.  

Meanwhile, the CISA has issued warnings about three actively exploited vulnerabilities in networking products. These include a critical Kemp LoadMaster OS flaw and two Palo Alto PAN-OS vulnerabilities. The vulnerabilities have been added to the the KEV catalog.

Top Malware Reported in the Last 24 Hours

Ngioweb Malware Used for NSOCKS Proxy Service

The Ngioweb malware has been utilized to create a significant botnet used for residential proxy services like NSOCKS, VN5Socks, and Shopsocks5. The botnet consists of over 35,000 working bots, with a large portion located in the U.S. It targets IoT devices and small office/home office routers, using automated scripts to infiltrate and deploy the malware. The infected devices are then sold as proxies on a marketplace. NSOCKS, which offers SOCKS5 proxies globally, is a particular concern as it enables malicious actors to conduct DDoS attacks and target specific entities.

LIMINAL PANDA target telcos with custom malware

A new cyberespionage group, LIMINAL PANDA, linked to China, has been targeting telecommunications entities in South Asia and Africa since 2020 to gather intelligence. The attackers have deep knowledge of telecommunications networks and protocols, using bespoke tools for access, command-and-control, and data exfiltration. Some custom malware in LIMINAL PANDA's arsenal include SIGTRANslator, CordScan, and PingPong, which allow for data transmission, network scanning, and backdoor access, respectively. They use password spraying attacks on external DNS servers and employ TinyShell for C2 communications. 

Top Vulnerabilities Reported in the Last 24 Hours

Apple patches two 0-days

Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. The vulnerabilities, found in macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components, allowed for remote code execution and cross-site scripting attacks. The updates also addressed the same components in other Apple operating systems.

CISA adds bugs to KEV catalog

The CISA warned about three actively exploited vulnerabilities in popular networking and security products. The Kemp LoadMaster OS vulnerability (CVE-2024-1212) allows attackers to execute commands on vulnerable systems. The Palo Alto Networks PAN-OS vulnerabilities (CVE-2024-0012 and CVE-2024-9474) enable unauthorized access and privilege escalation. CISA advises administrators to patch these vulnerabilities immediately to protect networks. 

Oracle warns of Agile PLM vulnerability

Oracle fixed a security vulnerability (CVE-2024-21287) in its Agile Product Lifecycle Management (PLM) software. This flaw allowed attackers to access files without authentication. The vulnerability was reported by CrowdStrike and confirmed by Oracle to be actively exploited in attacks. The flaw has a CVSS Base Score of 7. 5 and could allow attackers to download files from the system. However, it is unknown how the flaw is being exploited currently and if any specific threat actor is behind the attacks.

Top Scams Reported in the Last 24 Hours

Sports Piracy Through Live Streaming Capture

Malicious actors are exploiting misconfigured JupyterLab and Jupyter Notebooks to conduct illegal live streaming of sports events. The attackers hijack unauthenticated Jupyter Notebooks to gain access and use FFmpeg to capture and redirect live sports event streams to their server. This enables them to profit from advertising revenue by illicitly broadcasting the live streams. The attackers could potentially cause serious consequences for organizations by compromising data analysis servers, leading to risks such as data theft, denial-of-service, and financial damage.

Spotify Abuse for Software Piracy

Spotify is being misused to promote pirated software, game cheats, and spam links. Cybercriminals are using playlists and podcasts to inject keywords and links that increase the search engine visibility for their dubious websites. An example includes a playlist titled "Sony Vegas Pro 13 Crack," which leads to sites offering free software. The spam issue extends beyond playlists; many podcasts also promote pirated digital content, including eBooks. These podcasts often only last a few seconds and use synthesized speech to direct listeners to spam links. Additionally, some podcasts offer game cheat codes for various popular games.

Related Threat Briefings