Cyware Daily Threat Intelligence
Daily Threat Briefing • Apr 17, 2024
We use cookies to improve your experience. Do you accept?
Daily Threat Briefing • Apr 17, 2024
Scammers are approaching T-Mobile and Verizon employees, on their personal or work cell, offering them $300 to join them in carrying out SIM swap scams. A new APT activity lurks in Eastern Europe in the form of a stealthy backdoor known as the Kapeka backdoor. Linked to Sandstorm, the malware aids espionage, potentially leading to sabotage like ransomware attacks, raising concern among security experts.
In another headline, threat actors behind Cerber ransomware were found targeting unpatched Atlassian servers. Armed with administrative access, a threat actor could take over affected systems, compromising their confidentiality, integrity, and availability. Switching to security flaws, numerous vulnerabilities have been addressed in VCD file viewer software GTKWave that posed myriad threats, including arbitrary code execution attacks.
TP-Link bugs exploited to deploy malware
A flaw in TP-Link Archer AX21 router models is being exploited by multiple botnet operators, such as Moobot, Miori, and AGoent (a Gafgyt Variant), found FortiGuard Labs. The vulnerability enables unauthenticated command injection through the web management interface, allowing attackers to execute arbitrary code. Various botnets utilize different infection tactics, such as fetching script files, establishing connections with C2 servers, and launching DDoS attacks.
Sandworm deploys novel backdoor Kapeka
WithSecure researchers uncovered a new backdoor, Kapeka, attributed to the Russian nation-state group Sandworm. Used in espionage campaigns across Eastern and Central Europe since the Russia-Ukraine conflict, Kapeka facilitates intelligence collection and potential sabotage, including ransomware attacks and modular payload execution. The malware bears similarities to GreyEnergy, indicating Sandworm's involvement.
Cerber deployed via Atlassian servers
Threat actors were observed exploiting the CVE-2023-22518 vulnerability in Atlassian Confluence servers to install a Linux version of Cerber ransomware. Cloud security firm Cado reports financially motivated groups creating admin accounts to execute the ransomware via a web shell plugin. Cerber, written in C++, encrypts files with a .L0CK3D extension, but data exfiltration doesn't occur despite ransom notes.
Xorist ransomware variant emerges
A new variant of the Xorist ransomware, L00KUPRU, has surfaced, encrypting user files with the .L00KUPRU extension. Attackers leave ransom notes demanding payment in Bitcoin. Broadcom's analysis highlighted encryption methods and C2 servers. Another group of experts claimed multiple strains of the variant that are adaptive, file-based, and machine learning-based iterations, posing evasion challenges.
Decade-old malware infects gov docs
A repository containing government and police documents from Ukraine surfaced, infected by a nearly decade-old malware called OfflRouter. This malware, unnoticed for years, delivered an executable named ‘ctrlpanel.exe’ targeting Word documents. Talos researchers discovered that the malware infected over 100 files. Its revival amidst ongoing cyber operations in Ukraine raises concerns.
Junk Gun: A new ransomware trend
A recent investigation by Sophos X-Ops delves into a new trend in the cybercrime landscape: the emergence of junk gun ransomware. Drawing parallels to cheap, unreliable firearms from the past, this ransomware is independently produced, inexpensive, and sold as a one-time purchase. Unlike typical ransomware-as-a-service models, these variants lack complex infrastructure and corporate-like hierarchies.
Banking trojan aims at Korea
SoumniBot, an Android banking trojan, has been spotted targeting Korean users by employing sophisticated obfuscation and evasion techniques. Manipulating the Android manifest, it inserts invalid compression method values and incorrect manifest sizes, confusing parsers while remaining interpretable by live devices. Additionally, it utilizes excessively long namespace names to hinder analysis. It is known for stealing Korean online banking keys, a rare feature in Android trojans.
Critical flaws found in GTKWave
The Debian security team addressed 82 vulnerabilities in GTKWave, a waveform viewer for VCD files. These include integer overflow issues in parsing functionalities like FST_BL_GEOM and LXT2, enabling attackers to deliver malicious files for memory corruption and code execution. Although user interaction is needed to trigger these vulnerabilities, attackers could employ social engineering tactics.
T-Mobile and Verizon employees face SIM swap fraud
Criminals are enticing T-Mobile and Verizon employees with cash offers to perform SIM swaps, a fraudulent scheme aimed at rerouting victims' phone services to the fraudsters' devices. The messages, offering up to $300 per swap, claim to have sourced contact details from employee directories. Both T-Mobile and Verizon are investigating the incidents, emphasizing no system breaches occurred.