We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Oct 1, 2024

What started as a seemingly harmless download turned into an eight-day siege, as attackers infiltrated networks with Nitrogen malware, only to end with BlackCat ransomware locking down the entire domain. After gaining initial access, the attackers deployed tools like Sliver, Cobalt Strike, and PowerSploit.

Cybercriminals are targeting the gaming community, especially Roblox and Da Hood players, with malicious Python packages disguised as cheats or mods. These packages contain the Skuld Stealer and Blank Grabber malware, stealing data like Discord credentials, cryptocurrency wallets, and 2FA codes.

The CISA flagged four actively exploited vulnerabilities, including flaws in D-Link and DrayTek routers, Motion Spell GPAC, and SAP Commerce Cloud. These critical vulnerabilities could be exploited for command injection or remote access, with CISA urging all organizations—not just federal agencies—to patch immediately to reduce their risk.

Top Malware Reported in the Last 24 Hours

Nitrogen campaign drops BlackCat ransomware

In November 2023, a BlackCat ransomware attack began with the use of Nitrogen malware, disguised as Advanced IP Scanner on a fraudulent website. Sliver and Cobalt Strike beacons were deployed on the host through Python scripts. The threat actor utilized PowerSploit, SharpHound, and Impacket for lateral movement and network enumeration post initial access. Restic, an open-source backup tool, was used for data exfiltration from a file server to a remote location. The attacker modified a privileged user's password on the eighth day, deploying BlackCat ransomware across the domain using PsExec and executing a batch script.

Linux malware campaign targets vulnerable servers

Elastic Security Labs discovered a sophisticated Linux malware campaign targeting vulnerable servers, using tools like KAIJI and RUDEDEVIL. The attackers exploited the GSOCKET network utility to establish encrypted communication channels. The campaign also involved cryptocurrency mining activities, especially with XMRIG, which connects to the mining pool c3pool.org. The attackers attempted to establish persistence, conduct manual privilege escalation, and download custom malware, but faced challenges in executing the custom binaries. The campaign involved the use of various tactics and techniques, including post-compromise dwell time, Bitcoin mining, and money laundering activities using gambling APIs.

Roblox cheaters hit with malware

The gaming community, particularly Roblox players and its derivative game Da Hood, is targeted by cybercriminals using malicious Python packages. These packages are disguised as cheats or mods to enhance gaming experiences but actually contain malware such as the Skuld Stealer and Blank Grabber, which can steal sensitive data from users' systems. The cybercriminals distribute these packages through platforms like GitHub, Discord, and YouTube. Skuld Stealer is a Go-written malware that targets Windows systems to steal data from Discord, browsers, and cryptocurrency wallets. It can steal login credentials, cookies, credit cards, and browsing history, as well as intercept 2FA codes from Discord users. Similarly, Blank Grabber is an info-stealer based on Python and C++.

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds four bugs to KEV catalog

The CISA identified four new vulnerabilities that are actively being exploited, including command injection vulnerabilities in D-Link (CVE-2023-25280) and DrayTek (CVE-2020-15415) routers; a null pointer dereference vulnerability in Motion Spell GPAC (CVE-2021-4043); and a deserialization vulnerability in SAP Commerce Cloud (CVE-2019-0344). These vulnerabilities pose significant risks to federal enterprise and must be remediated according to Binding Operational Directive (BOD) 22-01. While the directive applies to FCEB agencies, CISA encourages all organizations to prioritize the timely remediation of these vulnerabilities to reduce exposure to cyberattacks. The bugs have been added to the KEV catalog.

Multiple flaws in Foxit PDF Reader and Editor

Multiple vulnerabilities (CVE-2024-28888, CVE-2024-7725, CVE-2024-38393, and CVE-2024-41605) were discovered in Foxit PDF Reader and Editor. These flaws could result in arbitrary code execution, potentially allowing attackers to install programs, view, change, or delete data, or create new accounts with full user rights. The vulnerabilities affect various versions of Foxit PDF Reader for both Windows and macOS. Users are urged to apply appropriate updates provided by Foxit to vulnerable systems immediately after appropriate testing and to establish and maintain a vulnerability management process.

Related Threat Briefings

Nov 22, 2024

Cyware Daily Threat Intelligence

Geopolitical tensions continue to fuel cyber-espionage, with Russia-aligned TAG-110 launching a campaign targeting Central Asia, East Asia, and Europe. Using custom tools like HATVIBE and CHERRYSPY, the group focuses on government entities, human rights organizations, and educational institutions. Shifting its focus from gamers to enterprises, XenoRAT is being deployed in a new campaign leveraging Excel XLL files. Researchers uncovered the malware delivering a multi-stage infection chain. This evolution highlights a deliberate pivot toward breaching enterprise networks. Critical infrastructure is under fire as attackers exploit vulnerabilities in Palo Alto Networks PAN-OS. Two flaws have been used to compromise approximately 2,000 firewalls globally, primarily in the U.S. and India. The vulnerabilities enable authentication bypass and administrative control, allowing attackers to tamper with configurations.

Nov 21, 2024

Cyware Daily Threat Intelligence, November 21, 2024

With advanced techniques and creative exploits, cybercriminals are escalating their attacks on users' digital and financial lives. A revamped version of NodeStealer is targeting Facebook Ads Manager accounts to extract sensitive information and steal credit card data from web browsers. The malware employs sophisticated methods to access credit card details, which are then exfiltrated via Telegram. The WorkflowKit Race Vulnerability in macOS has exposed users to potential data breaches and remote code execution. The flaw arises from a race condition during the shortcut extraction process, allowing malicious apps to intercept and modify shortcuts during import. Apple addressed this critical issue in macOS 14.5 with enhanced sandbox restrictions. Adding to these growing concerns, criminals have devised a new scam known as Ghost Tap, exploiting NFC technology in mobile payment services. Using phishing tactics and mobile banking malware, attackers capture victims’ card credentials, link them to mobile wallets, and deploy mules to make fraudulent purchases at physical stores.

Nov 20, 2024

Cyware Daily Threat Intelligence, November 20, 2024

Cybercriminals and nation-state actors are fine-tuning their craft, targeting everything from IoT devices to global telecom networks. The Ngioweb malware has been used to assemble a botnet of over 35,000 compromised IoT devices and SOHO routers, to sell residential proxies on platforms like NSOCKS. A China-linked group, LIMINAL PANDA, has been conducting cyberespionage against telecommunications entities in South Asia and Africa since 2020. Armed with custom malware like SIGTRANslator and PingPong, they exploit telecom protocols to exfiltrate data and maintain persistent access, employing advanced tactics. Meanwhile, the CISA has issued warnings about three actively exploited vulnerabilities in networking products. These include a critical Kemp LoadMaster OS flaw and two Palo Alto PAN-OS vulnerabilities. The vulnerabilities have been added to the the KEV catalog.

Nov 19, 2024

Cyware Daily Threat Intelligence, November 19, 2024

As cyber threats grow more sophisticated, attackers are leveraging tailored tactics to exploit both individuals and organizations. BabbleLoader, a stealthy malware loader, is delivering information stealers like WhiteSnake and Meduza, targeting users searching for cracked software and professionals in finance and administration by disguising itself as accounting software. Its advanced evasion techniques bypass antivirus and sandbox defenses, disrupting analysis and detection. Critical vulnerabilities are also under scrutiny. The LibreNMS project revealed CVE-2024-51092, a flaw in its network monitoring platform that allows authenticated attackers to execute OS commands and potentially take over servers. Users are strongly advised to update to version 24.10.0 to mitigate these risks. Meanwhile, phishing campaigns continue to escalate. DocuSign phishing attacks targeting state and municipal contractors have surged by 98% in just one week. Exploiting licensing cycles and spoofing government agencies like the Department of Health, these campaigns aim to trick businesses into signing fake documents for financial gain.

Nov 18, 2024

Cyware Daily Threat Intelligence, November 18, 2024

Threat actors are employing sophisticated techniques to breach defenses across industries, from maritime manufacturing to WordPress websites and software impersonation campaigns. A DONOT APT campaign has been targeting Pakistan’s manufacturing sector supporting maritime and defense operations. The attackers use malicious LNK files disguised as RTF documents, leveraging dynamic domain generation and updated encryption to maintain persistence and evade detection. Meanwhile, a critical authentication bypass vulnerability in the Really Simple Security WordPress plugin is putting over four million sites at risk, granting attackers full administrative access. Another vulnerability in the WPLMS Learning Management System exposes sites to arbitrary file reading and deletion, prompting emergency patches and forced updates by WordPress. On the social engineering front, researchers highlighted the rise of ClickFix campaigns, impersonating trusted software to deliver malware like AsyncRAT and Lumma Stealer. A fake CAPTCHA variant in these campaigns recently tricked users into executing malicious payloads, impacting hundreds of organizations globally.

Nov 15, 2024

Cyware Daily Threat Intelligence, November 15, 2024

From app stores to online shopping platforms, cybercriminals are exploiting trust to infiltrate systems and steal sensitive data. Eight trojan-infected Android apps were spotted on the Google Play Store, downloaded over two million times. These apps, containing Android.FakeApp.1669, connect to malicious DNS servers to display deceptive links. Meanwhile, the CISA has issued a warning about two critical vulnerabilities in Palo Alto Networks Expedition software, citing active exploitation. These flaws allow attackers to execute commands as root and access sensitive database contents. In another alarming campaign, Chinese threat actor SilkSpecter has created over 4,500 fake domains impersonating brands like North Face and Ikea to steal credit card details from shoppers in the U.S. and Europe.

Nov 14, 2024

Cyware Daily Threat Intelligence, November 14, 2024

The lines between digital espionage and warfare blur as state-sponsored threat actors employ increasingly advanced methods to compromise their targets. China’s APT41 has launched a cyberespionage campaign targeting organizations in South Asia, utilizing the DeepData Framework. This Windows-based toolkit consists of 12 malicious plugins that are designed to harvest a wide range of sensitive data. Meanwhile, the Lazarus Group has turned its sights on macOS users with a new malware strain, RustyAttr. Built using the Tauri framework, the malware exploits extended file attributes to execute a malicious shell script that loads a Rust-based backend via a fake webpage. In another wave of attacks, a critical zero-day vulnerability is being exploited to target Windows systems in Ukraine. This vulnerability allows attackers to take control of systems when users interact with malicious URL files delivered through phishing emails.

Nov 13, 2024

Cyware Daily Threat Intelligence, November 13, 2024

From deceptive apps to vulnerabilities and developer-targeted tools, attackers are exploiting every corner of the digital landscape. SpyNote is posing as a fake antivirus, giving attackers full control over Android devices, stealing credentials, and targeting cryptocurrency users. In its November Patch Tuesday, Microsoft patched 89 security flaws, including two actively exploited vulnerabilities, urging immediate updates. Meanwhile, a new tool named GoIssue is being sold to attackers, allowing bulk theft of developer credentials from GitHub profiles, enabling supply chain attacks.

Sep 23, 2024

Cyware Daily Threat Intelligence

Splinter, a new post-exploitation tool, is tearing through victims' IT environments, enabling attackers to achieve multiple objectives with alarming efficiency. Written in Rust, Splinter self-deletes after leaving a trail of chaos in its wake. A

Sep 20, 2024

Cyware Daily Threat Intelligence

Vanilla Tempest is wreaking havoc in U.S. healthcare, slipping through the cracks via Storm-0494 to unleash the INC ransomware. With tools like Gootloader and Supper in its arsenal, this group remains a persistent menace. UNC1860, the shadowy Ir

Sep 19, 2024

Cyware Daily Threat Intelligence

PondRAT is lurking in poisoned Python packages, quietly infiltrating Linux and macOS systems through PyPI downloads. Linked to the Gleaming Pisces group, this campaign targets developers’ endpoints in a clever bid to compromise software supply chain

Sep 18, 2024

Cyware Daily Threat Intelligence

UNC2970 is turning job hunting into a minefield, using fake job offers from major energy and aerospace companies to deliver a trojanized PDF reader. The North Korean group has been using a new backdoor, MISTPEN, for this purpose. A subtle flaw i