
Cyware Daily Threat Intelligence

Daily Threat Briefing Nov 22, 2024

Geopolitical tensions continue to fuel cyber-espionage, with Russia-aligned TAG-110 launching a campaign targeting Central Asia, East Asia, and Europe. Using custom tools like HATVIBE and CHERRYSPY, the group focuses on government entities, human rights organizations, and educational institutions. 

Shifting its focus from gamers to enterprises, XenoRAT is being deployed in a new campaign leveraging Excel XLL files. Researchers uncovered the malware delivering a multi-stage infection chain. This evolution highlights a deliberate pivot toward breaching enterprise networks.

Critical infrastructure is under fire as attackers exploit vulnerabilities in Palo Alto Networks PAN-OS. Two flaws have been used to compromise approximately 2,000 firewalls globally, primarily in the U.S. and India. The vulnerabilities enable authentication bypass and administrative control, allowing attackers to tamper with configurations.

Top Malware Reported in the Last 24 Hours

TAG-110 deploys HATVIBE and CHERRYSPY

Insikt Group identified a cyber-espionage campaign conducted by the Russia-aligned threat group TAG-110, targeting organizations in Central Asia, East Asia, and Europe. The group uses the custom malware tools HATVIBE and CHERRYSPY, primarily against government entities, human rights groups, and educational institutions. TAG-110's tactics overlap with the historical activities of UAC-0063, which has been attributed to the Russian APT group BlueDelta (APT28). The campaign aims to gather intelligence on geopolitical developments and to preserve Russian influence in post-Soviet states.

Linux backdoors connected to Gelsemium APT

ESET researchers have found two new Linux backdoors, WolfsBane and FireWood, used for cyberespionage to collect sensitive data such as system information, user credentials, and specific files. WolfsBane is attributed to the China-aligned Gelsemium APT group, which has targeted organizations in East Asia and the Middle East since 2014. FireWood, by contrast, is not definitively linked to Gelsemium and may be shared among several China-aligned APT groups. It is connected to a backdoor named Project Wood, a lineage that dates back to 2005 and was used in Operation TooHash.

XenoRAT adopts unique deployment

Researchers at Hunt uncovered a new deployment of XenoRAT that uses Excel XLL add-in files and layered obfuscation. XenoRAT has traditionally targeted gamers, so this version represents a significant shift toward enterprise networks. The malicious file, "Payment_Details.xll," acts as a dropper for the XenoRAT payload and a second remote access tool. The use of Excel-DNA (to build the XLL) and ConfuserEx (to obfuscate the .NET code) makes detection and analysis harder. The infection chain involves a decoy PDF and several stages of execution before XenoRAT's configuration and C2 server address are revealed. The attackers also manipulated file timestamps to blend in; together with the payment-themed lure, this points to a deliberate focus on enterprise victims rather than gamers.

Top Vulnerabilities Reported in the Last 24 Hours

Over 2,000 PAN-OS firewalls hacked

Thousands of Palo Alto Networks firewalls have been compromised in attacks exploiting two security vulnerabilities in PAN-OS: CVE-2024-0012, an authentication bypass in the management web interface, and CVE-2024-9474, a privilege escalation that grants administrator-level control. Chained, they let an unauthenticated attacker reach the management interface, obtain administrator privileges, and tamper with device configuration, which in turn opens the door to further attacks through the firewall. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Approximately 2,000 firewalls have been compromised globally, with the majority in the U.S. and India. Beyond patching, exposure is largely limited to devices whose management interface is reachable from the internet, so restricting management access to trusted internal addresses is the immediate mitigation.
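For fleet triage after an advisory like this, the practical question is whether each device is on a release at or beyond the fixed one for its feature train. The script below is an added example written for this briefing; it is not Cyware's or Palo Alto Networks' code. It parses PAN-OS version strings of the form MAJOR.MINOR.MAINT[-hN], where the hotfix suffix matters (10.2.12 is still vulnerable while 10.2.12-h2 is fixed), and compares each device against one minimum fixed release per train. The FIXED_RELEASES table is an assumption to be checked against the current vendor advisory: it is simplified to a single floor per train, whereas the vendor ships fixes for several maintenance releases within a train, so a device on an older maintenance release that received its own hotfix may be flagged here even though it is patched. The sample inventory is constructed for illustration.

```python
import re
from typing import Optional

# Minimum fixed PAN-OS release per feature train (MAJOR, MINOR).
# ASSUMPTION for this example: verify every entry against the current
# Palo Alto Networks advisory before acting on the output. The table is a
# simplification (one floor per train); the vendor also patched earlier
# maintenance releases with their own hotfixes.
FIXED_RELEASES = {
    (10, 1): "10.1.14-h6",  # CVE-2024-9474 only; 10.1 is not affected by CVE-2024-0012
    (10, 2): "10.2.12-h2",
    (11, 0): "11.0.6-h1",
    (11, 1): "11.1.5-h1",
    (11, 2): "11.2.4-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A release without a hotfix suffix is treated as hotfix 0, so it sorts
    below the same release with -h1 or later. That ordering is the whole
    point: 10.2.12 is still vulnerable, 10.2.12-h2 is not.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fixed release for its train,
    False if it is at or beyond it, None if the train is not in the table
    (for example an end-of-life 9.x release that needs manual review)."""
    parsed = parse_panos_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket a {hostname: version} inventory into vulnerable / fixed / unknown."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_vulnerable(version)
        key = "unknown" if state is None else ("vulnerable" if state else "fixed")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {
        "fw-dc1": "10.2.11",       # behind the floor: vulnerable
        "fw-dc2": "10.2.12-h2",    # at the floor: fixed
        "fw-branch": "11.1.5",     # right release, missing hotfix: vulnerable
        "fw-lab": "9.1.17",        # train not in table: review manually
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices that land in "unknown" are not safe by default; they are simply on a train the table does not cover and need a manual check against the advisory. Version status also says nothing about whether a device was already compromised before patching, so hosts with an internet-reachable management interface should additionally have their configuration and admin accounts reviewed for unauthorised changes.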

Top Exploited Vulnerabilities of 2023

A VulnCheck report highlighted the top routinely exploited vulnerabilities of 2023, identifying 15 security defects in products from vendors including Apache, Atlassian, Barracuda, Citrix, Cisco, Fortinet, Microsoft, Progress, PaperCut, and Zoho. The report also noted that approximately 400,000 internet-accessible systems remain potentially exposed to these flaws, for which public proof-of-concept exploits are available. Notable entries include Log4Shell and Zerologon, which have over 100 and 75 public exploits respectively. Threat actors from several countries, including China, Russia, and Iran, have been linked to exploitation of these vulnerabilities.
