Cyware Daily Threat Intelligence

Vanilla Tempest is wreaking havoc in U.S. healthcare, slipping through the cracks via Storm-0494 to unleash the INC ransomware. With tools like Gootloader and Supper in its arsenal, this group remains a persistent menace.

UNC1860, the shadowy Iranian APT group linked to MOIS, has opened the backdoor to high-value Middle Eastern networks. Using stealthy implants like TEMPLEDOOR and FACEFACE, it has left a trail of chaos from Albania to the region’s telecom and government sectors, with a reputation for destructive wiper attacks.

CISA’s latest warning puts federal agencies on high alert, as a critical flaw in Apache HugeGraph-Server is being actively exploited. With the clock ticking toward the October 9 deadline, vulnerabilities in Microsoft SQL Server and Oracle WebLogic demand urgent action to prevent intrusions.

Top Malware Reported in the Last 24 Hours

U.S. healthcare caught in INC ransomware attacks

Microsoft has identified Vanilla Tempest, a ransomware affiliate, targeting the U.S. healthcare sector in INC ransomware attacks. Vanilla Tempest used INC ransomware in a recent attack, gaining access through the Storm-0494 threat actor and deploying malware like Gootloader and Supper. While the specific victim was not named, a similar attack affected Michigan's McLaren Health Care hospitals last month, causing disruptions to patient information databases and services. The threat actor conducts lateral movement through RDP and leverages the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.

GitHub Scanner campaign pushes Lumma Stealer

A threat campaign has been using GitHub to distribute Lumma Stealer. Malicious actors create fake security vulnerability issues on open-source project repositories, prompting users to visit a fake GitHub Scanner domain that distributes a Windows malware. The campaign also sends convincing email alerts from legitimate GitHub servers, tricking users into accessing the malicious domain. The malware steals sensitive information and targets GitHub users, potentially aiming to compromise source code and conduct supply chain attacks.

Iranian UNC1860 now acts as IAB

An Iranian APT group linked to MOIS, known as UNC1860, is offering remote access to target networks. Mandiant has connected this activity to Storm-0861 and ShroudedSnooper. UNC1860 utilizes specialized tools and passive backdoors to infiltrate high-value networks in government and telecom sectors across the Middle East. The group has been tied to destructive cyberattacks in Albania using ransomware and wiper variants. Mandiant warns that UNC1860 is a serious threat with links to APT34, employing similar tactics to exploit vulnerabilities and implant malicious payloads. The threat actor drops web shells such as STAYSHANTE and SASHEYAWAY, with the latter leading to the execution of implants, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, that are embedded within it.

?Top Vulnerabilities Reported in the Last 24 Hours

Apache bug actively abused, warns CISA

The CISA added a critical remote code execution flaw (CVE-2024-27348) in Apache HugeGraph-Server to its KEV catalog. Apache released a fix in version 1. 3. 0, urging users to upgrade, use Java 11, enable the Auth system, and activate "Whitelist-IP/port" for RESTful-API security. Active exploitation of CVE-2024-27348 has been reported, requiring federal agencies and critical infrastructure operators to apply mitigations before October 9. The CISA also added other flaws to the KEV catalog, including vulnerabilities in Microsoft SQL Server (CVE-2020-0618), Windows Task Scheduler (CVE-2019-1069), Oracle JDeveloper (CVE-2022-21445), and Oracle WebLogic Server (CVE-2020-14644).

Atlassian patches multiple vulnerabilities

Atlassian patched four high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, and Crowd, all of which could allow attackers to cause DoS conditions without user interaction. The vulnerabilities include CVE-2024-34750 in Apache Tomcat's Coyote component affecting Bamboo and Bitbucket, and CVE-2024-32007 in Apache CXF JOSE code affecting Bitbucket. Confluence contained flaws in the Bouncy Castle Java dependency (CVE-2024-29857) and Clojure (CVE-2024-22871), while Crowd was also impacted by CVE-2024-29857. Reported via Atlassian's bug bounty program, these issues do not impact confidentiality or integrity. Users are urged to update to the latest versions promptly.

Cyware Daily Threat Intelligence, November 21, 2024

With advanced techniques and creative exploits, cybercriminals are escalating their attacks on users' digital and financial lives. A revamped version of NodeStealer is targeting Facebook Ads Manager accounts to extract sensitive information and steal credit card data from web browsers. The malware employs sophisticated methods to access credit card details, which are then exfiltrated via Telegram. The WorkflowKit Race Vulnerability in macOS has exposed users to potential data breaches and remote code execution. The flaw arises from a race condition during the shortcut extraction process, allowing malicious apps to intercept and modify shortcuts during import. Apple addressed this critical issue in macOS 14.5 with enhanced sandbox restrictions. Adding to these growing concerns, criminals have devised a new scam known as Ghost Tap, exploiting NFC technology in mobile payment services. Using phishing tactics and mobile banking malware, attackers capture victims’ card credentials, link them to mobile wallets, and deploy mules to make fraudulent purchases at physical stores.

Cyware Daily Threat Intelligence, November 20, 2024

Cybercriminals and nation-state actors are fine-tuning their craft, targeting everything from IoT devices to global telecom networks. The Ngioweb malware has been used to assemble a botnet of over 35,000 compromised IoT devices and SOHO routers, to sell residential proxies on platforms like NSOCKS. A China-linked group, LIMINAL PANDA, has been conducting cyberespionage against telecommunications entities in South Asia and Africa since 2020. Armed with custom malware like SIGTRANslator and PingPong, they exploit telecom protocols to exfiltrate data and maintain persistent access, employing advanced tactics. Meanwhile, the CISA has issued warnings about three actively exploited vulnerabilities in networking products. These include a critical Kemp LoadMaster OS flaw and two Palo Alto PAN-OS vulnerabilities. The vulnerabilities have been added to the the KEV catalog.

Cyware Daily Threat Intelligence, November 19, 2024

As cyber threats grow more sophisticated, attackers are leveraging tailored tactics to exploit both individuals and organizations. BabbleLoader, a stealthy malware loader, is delivering information stealers like WhiteSnake and Meduza, targeting users searching for cracked software and professionals in finance and administration by disguising itself as accounting software. Its advanced evasion techniques bypass antivirus and sandbox defenses, disrupting analysis and detection. Critical vulnerabilities are also under scrutiny. The LibreNMS project revealed CVE-2024-51092, a flaw in its network monitoring platform that allows authenticated attackers to execute OS commands and potentially take over servers. Users are strongly advised to update to version 24.10.0 to mitigate these risks. Meanwhile, phishing campaigns continue to escalate. DocuSign phishing attacks targeting state and municipal contractors have surged by 98% in just one week. Exploiting licensing cycles and spoofing government agencies like the Department of Health, these campaigns aim to trick businesses into signing fake documents for financial gain.

Cyware Daily Threat Intelligence, November 18, 2024

Threat actors are employing sophisticated techniques to breach defenses across industries, from maritime manufacturing to WordPress websites and software impersonation campaigns. A DONOT APT campaign has been targeting Pakistan’s manufacturing sector supporting maritime and defense operations. The attackers use malicious LNK files disguised as RTF documents, leveraging dynamic domain generation and updated encryption to maintain persistence and evade detection. Meanwhile, a critical authentication bypass vulnerability in the Really Simple Security WordPress plugin is putting over four million sites at risk, granting attackers full administrative access. Another vulnerability in the WPLMS Learning Management System exposes sites to arbitrary file reading and deletion, prompting emergency patches and forced updates by WordPress. On the social engineering front, researchers highlighted the rise of ClickFix campaigns, impersonating trusted software to deliver malware like AsyncRAT and Lumma Stealer. A fake CAPTCHA variant in these campaigns recently tricked users into executing malicious payloads, impacting hundreds of organizations globally.

Cyware Daily Threat Intelligence, November 15, 2024

From app stores to online shopping platforms, cybercriminals are exploiting trust to infiltrate systems and steal sensitive data. Eight trojan-infected Android apps were spotted on the Google Play Store, downloaded over two million times. These apps, containing Android.FakeApp.1669, connect to malicious DNS servers to display deceptive links. Meanwhile, the CISA has issued a warning about two critical vulnerabilities in Palo Alto Networks Expedition software, citing active exploitation. These flaws allow attackers to execute commands as root and access sensitive database contents. In another alarming campaign, Chinese threat actor SilkSpecter has created over 4,500 fake domains impersonating brands like North Face and Ikea to steal credit card details from shoppers in the U.S. and Europe.

Cyware Daily Threat Intelligence, November 14, 2024

The lines between digital espionage and warfare blur as state-sponsored threat actors employ increasingly advanced methods to compromise their targets. China’s APT41 has launched a cyberespionage campaign targeting organizations in South Asia, utilizing the DeepData Framework. This Windows-based toolkit consists of 12 malicious plugins that are designed to harvest a wide range of sensitive data. Meanwhile, the Lazarus Group has turned its sights on macOS users with a new malware strain, RustyAttr. Built using the Tauri framework, the malware exploits extended file attributes to execute a malicious shell script that loads a Rust-based backend via a fake webpage. In another wave of attacks, a critical zero-day vulnerability is being exploited to target Windows systems in Ukraine. This vulnerability allows attackers to take control of systems when users interact with malicious URL files delivered through phishing emails.

Cyware Daily Threat Intelligence, November 13, 2024

From deceptive apps to vulnerabilities and developer-targeted tools, attackers are exploiting every corner of the digital landscape. SpyNote is posing as a fake antivirus, giving attackers full control over Android devices, stealing credentials, and targeting cryptocurrency users. In its November Patch Tuesday, Microsoft patched 89 security flaws, including two actively exploited vulnerabilities, urging immediate updates. Meanwhile, a new tool named GoIssue is being sold to attackers, allowing bulk theft of developer credentials from GitHub profiles, enabling supply chain attacks.

Top Malware Reported in the Last 24 Hours

?Top Vulnerabilities Reported in the Last 24 Hours

Related Threat Briefings

Nov 21, 2024