Cyware Daily Threat Intelligence

Splinter, a new post-exploitation tool, is tearing through victims' IT environments, enabling attackers to achieve multiple objectives with alarming efficiency. Written in Rust, Splinter self-deletes after leaving a trail of chaos in its wake.

A critical flaw in the Grafana Plugin SDK for Go is threatening to expose sensitive repository credentials, leaving developers scrambling. With a CVSS score of 9.1, this vulnerability could allow attackers to extract credentials from plugin binaries.

Two critical vulnerabilities in the WordPress theme Houzez and its companion plugin have opened the door to potential site takeovers. While one allows users to escalate privileges and hijack sites, the other lets attackers change email addresses and seize control of accounts.

Top Malware Reported in the Last 24 Hours

New post-exploitation tool surfaces

Attackers are using Splinter, a new post-exploitation tool, to cause chaos in victims' IT environments. This tool allows them to execute Windows commands, steal files, collect cloud service account information, and download additional malware onto victims' systems. The malicious code then self-deletes. Splinter, written in Rust, uses a JSON format for configuration data and communicates with a C2 server over HTTPS.

Popular software cracks deliver AsyncRAT

Cybercriminals are using fake versions of popular software to distribute AsyncRAT, which can infiltrate systems and grant attackers remote access. The malware disguises itself as legitimate software like AnyDesk and CCleaner, tricking users into downloading and running it. Once executed, AsyncRAT remains undetected by exploiting system settings and using obfuscation techniques. It aims to establish a remote connection with the infected machine, allowing cybercriminals to carry out data theft and command execution. The malware's payload is designed to evade detection, and communicate with a C2 server, giving attackers control over compromised systems.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Flaw in Microchip ASF

The Microchip Advanced Software Framework (ASF) has a critical security flaw (CVE-2024-7490) that could allow remote code execution due to a stack-based overflow vulnerability in the tinydhcp server. This vulnerability affects multiple versions of the software and forks of the tinydhcp software. Currently, there are no fixes available, and the recommendation is to replace the tinydhcp service with a different one.

Grafana plugin bug exposes info

A critical security vulnerability (CVE-2024-8986) in the Grafana Plugin SDK for Go could lead to the inadvertent leakage of sensitive information, including repository credentials. This vulnerability, with a CVSS score of 9.1, is significant as it allows attackers to extract embedded credentials from affected plugin binaries, potentially granting unauthorized access to private repositories. Developers using vulnerable SDK versions (up to 0.249.0) are advised to upgrade to version 0.250.0 or later immediately and review and rotate any exposed repository credentials.

Critical vulnerabilities in WordPress theme

Two critical vulnerabilities in the WordPress theme Houzez and its companion plugin Houzez Login Register have been uncovered. These vulnerabilities could enable unauthorized users to take control of WordPress sites running the theme, posing a significant risk to businesses and clients. CVE-2024-22303 is a privilege escalation flaw that allows unauthenticated users to elevate their privileges and potentially take over a site. The theme lacks proper authorization checks, enabling users with Subscriber roles to obtain nonce tokens and reset passwords, including administrator accounts. CVE-2024-21743 affects the Houzez Login Register plugin, allowing users to change email addresses and hijack accounts. Users must update to version 3. 3. 0 or higher to mitigate these risks.

Cyware Daily Threat Intelligence, November 20, 2024

Cybercriminals and nation-state actors are fine-tuning their craft, targeting everything from IoT devices to global telecom networks. The Ngioweb malware has been used to assemble a botnet of over 35,000 compromised IoT devices and SOHO routers, to sell residential proxies on platforms like NSOCKS. A China-linked group, LIMINAL PANDA, has been conducting cyberespionage against telecommunications entities in South Asia and Africa since 2020. Armed with custom malware like SIGTRANslator and PingPong, they exploit telecom protocols to exfiltrate data and maintain persistent access, employing advanced tactics. Meanwhile, the CISA has issued warnings about three actively exploited vulnerabilities in networking products. These include a critical Kemp LoadMaster OS flaw and two Palo Alto PAN-OS vulnerabilities. The vulnerabilities have been added to the the KEV catalog.

Cyware Daily Threat Intelligence, November 19, 2024

As cyber threats grow more sophisticated, attackers are leveraging tailored tactics to exploit both individuals and organizations. BabbleLoader, a stealthy malware loader, is delivering information stealers like WhiteSnake and Meduza, targeting users searching for cracked software and professionals in finance and administration by disguising itself as accounting software. Its advanced evasion techniques bypass antivirus and sandbox defenses, disrupting analysis and detection. Critical vulnerabilities are also under scrutiny. The LibreNMS project revealed CVE-2024-51092, a flaw in its network monitoring platform that allows authenticated attackers to execute OS commands and potentially take over servers. Users are strongly advised to update to version 24.10.0 to mitigate these risks. Meanwhile, phishing campaigns continue to escalate. DocuSign phishing attacks targeting state and municipal contractors have surged by 98% in just one week. Exploiting licensing cycles and spoofing government agencies like the Department of Health, these campaigns aim to trick businesses into signing fake documents for financial gain.

Cyware Daily Threat Intelligence, November 18, 2024

Threat actors are employing sophisticated techniques to breach defenses across industries, from maritime manufacturing to WordPress websites and software impersonation campaigns. A DONOT APT campaign has been targeting Pakistan’s manufacturing sector supporting maritime and defense operations. The attackers use malicious LNK files disguised as RTF documents, leveraging dynamic domain generation and updated encryption to maintain persistence and evade detection. Meanwhile, a critical authentication bypass vulnerability in the Really Simple Security WordPress plugin is putting over four million sites at risk, granting attackers full administrative access. Another vulnerability in the WPLMS Learning Management System exposes sites to arbitrary file reading and deletion, prompting emergency patches and forced updates by WordPress. On the social engineering front, researchers highlighted the rise of ClickFix campaigns, impersonating trusted software to deliver malware like AsyncRAT and Lumma Stealer. A fake CAPTCHA variant in these campaigns recently tricked users into executing malicious payloads, impacting hundreds of organizations globally.

Cyware Daily Threat Intelligence, November 15, 2024

From app stores to online shopping platforms, cybercriminals are exploiting trust to infiltrate systems and steal sensitive data. Eight trojan-infected Android apps were spotted on the Google Play Store, downloaded over two million times. These apps, containing Android.FakeApp.1669, connect to malicious DNS servers to display deceptive links. Meanwhile, the CISA has issued a warning about two critical vulnerabilities in Palo Alto Networks Expedition software, citing active exploitation. These flaws allow attackers to execute commands as root and access sensitive database contents. In another alarming campaign, Chinese threat actor SilkSpecter has created over 4,500 fake domains impersonating brands like North Face and Ikea to steal credit card details from shoppers in the U.S. and Europe.

Cyware Daily Threat Intelligence, November 14, 2024

The lines between digital espionage and warfare blur as state-sponsored threat actors employ increasingly advanced methods to compromise their targets. China’s APT41 has launched a cyberespionage campaign targeting organizations in South Asia, utilizing the DeepData Framework. This Windows-based toolkit consists of 12 malicious plugins that are designed to harvest a wide range of sensitive data. Meanwhile, the Lazarus Group has turned its sights on macOS users with a new malware strain, RustyAttr. Built using the Tauri framework, the malware exploits extended file attributes to execute a malicious shell script that loads a Rust-based backend via a fake webpage. In another wave of attacks, a critical zero-day vulnerability is being exploited to target Windows systems in Ukraine. This vulnerability allows attackers to take control of systems when users interact with malicious URL files delivered through phishing emails.

Cyware Daily Threat Intelligence, November 13, 2024

From deceptive apps to vulnerabilities and developer-targeted tools, attackers are exploiting every corner of the digital landscape. SpyNote is posing as a fake antivirus, giving attackers full control over Android devices, stealing credentials, and targeting cryptocurrency users. In its November Patch Tuesday, Microsoft patched 89 security flaws, including two actively exploited vulnerabilities, urging immediate updates. Meanwhile, a new tool named GoIssue is being sold to attackers, allowing bulk theft of developer credentials from GitHub profiles, enabling supply chain attacks.

Top Malware Reported in the Last 24 Hours

Top Vulnerabilities Reported in the Last 24 Hours

Related Threat Briefings

Nov 20, 2024