Cyware Daily Threat Intelligence
Daily Threat Briefing • Apr 5, 2024
A near-perfect NordVPN website has emerged to trick users. A cybercrime group is running malicious search ads to target people looking for NordVPN on Bing. Financial institutions are being alerted as security experts noted a spike in the JsOutProx malware attacking banks in South and Southeast Asia, the Middle East, and Africa. Threat analysts suspect Chinese or China-affiliated actors behind the operation.
An unaddressed Magento bug is back in the limelight after threat actors implant persistent backdoors in vulnerable e-commerce sites, leveraging crafted layout templates to inject XML code for continued reinfection. Furthermore, there are risks to governments and businesses owing to a security hole in Broadcom Brocade Fabric OS.
Financial institutions threatened by JsOutProx
Visa warned about a surge in detections of a new variant of JsOutProx malware targeting financial institutions in South and Southeast Asia, the Middle East, and Africa. The malware enables attackers to execute various malicious activities, including command execution, payload downloads, and keyboard/mouse control. The phishing campaign associated with JsOutProx involves fake financial notifications sent via email, with malicious .js files hosted on GitLab.
Bing ad distributes SecTopRAT
A malvertising campaign on Microsoft Bing targeted users searching for NordVPN and delivered the SecTopRAT malware. Attackers redirected them to a fraudulent website closely resembling NordVPN's official site. The malicious ad led users to download a file named NordVPNSetup.exe, digitally signed to appear legitimate but containing the malware. The fake website was convincing enough that several users fell into the trap.
Byakugan, a multi-functional malware
FortiGuard Labs discovered a new strain of malware called Byakugan, distributed through a PDF file and primarily targeting Portuguese-speaking users. The PDF lures the victim into clicking a deceptive link that fetches a downloader, which in turn retrieves the main module from a C2 server. Byakugan, based on node.js, performs screen monitoring, screen capturing, mining operations, keylogging, file manipulation, and browser information stealing.
Persistent backdoor threatens e-commerce sites
Sansec reported that threat actors are exploiting a critical vulnerability (CVE-2024-20720) in unpatched Magento sites, allowing them to inject a persistent backdoor into e-commerce websites. The backdoor, added to the CMS controller, ensures periodic reinjection, enabling persistent remote code execution. The exploit facilitates the deployment of a fake Stripe payment skimmer, targeting payment data.
Flawed Broadcom OS allows ACE
A security gap has been identified in Broadcom Brocade Fabric OS, posing a risk of arbitrary code execution. The affected firmware versions range from 9.x through 9.2.0. Exploiting this flaw could lead to unauthorized access with root privileges, enabling attackers to install programs, manipulate data, or create new accounts. While no known exploits were discovered in the wild, users were urged to apply necessary patches promptly.
Critical bugs in Hugging Face's AI platform
Cybersecurity firm Wiz identified two critical vulnerabilities within Hugging Face's AI platform, potentially exposing millions of private AI models and apps. The risks involve a shared inference infrastructure takeover and a shared CI/CD takeover, allowing attackers to compromise the platform's integrity. Wiz recommends isolation and segmentation as crucial steps to mitigate such risks for AI-as-a-service providers.