We use cookies to improve your experience. Do you accept?

Skip to main content

Cyware Daily Threat Intelligence, November 21, 2024

shutterstock 2158288887

Daily Threat Briefing Nov 21, 2024

With advanced techniques and creative exploits, cybercriminals are escalating their attacks on users' digital and financial lives. A revamped version of NodeStealer is targeting Facebook Ads Manager accounts to extract sensitive information and steal credit card data from web browsers. The malware employs sophisticated methods to access credit card details, which are then exfiltrated via Telegram. 

The WorkflowKit Race Vulnerability in macOS has exposed users to potential data breaches and remote code execution. The flaw arises from a race condition during the shortcut extraction process, allowing malicious apps to intercept and modify shortcuts during import. Apple addressed this critical issue in macOS 14.5 with enhanced sandbox restrictions.

Adding to these growing concerns, criminals have devised a new scam known as Ghost Tap, exploiting NFC technology in mobile payment services. Using phishing tactics and mobile banking malware, attackers capture victims’ card credentials, link them to mobile wallets, and deploy mules to make fraudulent purchases at physical stores. 

Top Malware Reported in the Last 24 Hours

NodeStealer targets Facebook Ad accounts

A new version of NodeStealer has emerged to extract sensitive information from victims' Facebook Ads Manager accounts and steal credit card data from web browsers, potentially opening doors for malicious advertising. The updated NodeStealer uses various techniques, such as unlocking browser database files through Windows Restart Manager and generating Python scripts with batch files. Additionally, some NodeStealer samples unlock SQLite database files to access credit card data, with this information being sent through Telegram, a platform commonly used by cybercriminals. 

Lumma Stealer Distribution on Telegram

Telegram is becoming a popular platform for spreading malware, with Lumma Stealer being distributed through the messaging app. Two Telegram channels with thousands of subscribers are distributing Lumma Stealer disguised as benign apps like CCleaner. The first channel is VIP HitMaster Program with over 42,000 subscribers and the second is named MegaProgram + with 8660 subscribers. The malware connects to a Steam account for command and control, making it harder to detect. 

Top Vulnerabilities Reported in the Last 24 Hours

Bug in AnyDesk's Allow Direct Connections

A security researcher discovered a vulnerability in AnyDesk remote desktop software that could expose users' IP addresses, putting their privacy at risk. The flaw, identified as CVE-2024-52940, affects AnyDesk versions 8.1.0 and older on Windows systems. When the "Allow Direct Connections" feature is enabled with the connection port set to 7070, attackers can retrieve a target's public IP address using only their AnyDesk ID. This vulnerability could be exploited for malicious purposes, such as launching targeted phishing campaigns or DoS attacks. No official fix is currently available, so users are advised to be cautious and consider disabling the feature until AnyDesk releases a patch.

WorkflowKit Race flaw in macOS

The WorkflowKit Race Vulnerability (CVE-2024-27821) exposes users to potential data breaches or remote code execution by allowing malicious apps to intercept and modify shortcut files during import. This flaw arises from a race condition in WorkflowKit’s shortcut extraction process. Apple addressed the issue in macOS 14.5 by implementing enhanced sandbox restrictions to prevent unauthorized access to temporary directories. Users are strongly advised to update to macOS 14.5 or later to mitigate these risks effectively.

Top Scams Reported in the Last 24 Hours

Beware of the “Sad Announcement” email scam

Tech support scammers are employing a new email scheme that pretends to inform recipients about the death of someone they know. The emails begin with the subject line “Sad announcement” and include the name of a familiar individual, making it seem like it’s from that person. The emails have various formats but follow a pattern that quickly grabs the reader’s interest with phrases implying shared photos or memories. Each email contains links that lead to domains, mostly short-lived and registered with NameCheap, that are aimed at tricking users. The websites linked in these emails often mimic the appearance of legitimate security alerts, claiming to scan for threats on your computer, but they actually showcase false results to instill fear. 

Hackers exploit Ghost Tap for NFC scam

Criminals are now using a new method, referred to as Ghost Tap, to steal funds from victims by using NFC technology in mobile payment services like Google Pay and Apple Pay. The criminals trick victims into downloading mobile banking malware that captures their banking credentials or use voice phishing to gain access to the victim's card details. The stolen card details are then linked to Google Pay or Apple Pay and sent to a mule, who makes fraudulent purchases at stores to avoid detection. These attacks evade anti-fraud mechanisms by appearing as if they originate from the same device and can occur even if the device is in airplane mode.

Related Threat Briefings