Cyware Daily Threat Intelligence
Daily Threat Briefing • Apr 18, 2024
Amalgamating the techniques of typosquatting and malvertising, a threat actor has been found directing victims to malicious sites. This campaign involves a new backdoor dubbed MadMxShell that propagates via spoofed IP scanner software domains. It’s a cyber coincidence that FIN7 also used a fake Advanced IP Scanner site recently to target a leading U.S. car manufacturer with the Anunak backdoor.
A PoC exploit release gave birth to a new cyber campaign dubbed Connect:fun, highlighting the urgency of patching vulnerable systems. Attackers exploit a critical SQL injection flaw in Fortinet FortiClient EMS to deploy ScreenConnect and Metasploit Powerfun payloads. Additionally, Cisco fixed a high-severity vulnerability in its Integrated Management Controller (IMC) that allowed local attackers to perform command injection and escalate privileges.
New backdoor impersonates IP and Port scanner
Zscaler ThreatLabz uncovered a sophisticated malvertising campaign in March, utilizing typosquatting domains and Google Ads to distribute a novel backdoor dubbed MadMxShell. The threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. Employing DLL sideloading and DNS tunneling for C2 communication, the backdoor evades memory forensics and endpoint security.
Car maker targeted with Anunak backdoor
The financially motivated group FIN7 employed the Anunak backdoor to target a leading U.S. car manufacturer. The attack utilized spear-phishing tactics, luring high-level IT personnel with a counterfeit Advanced IP Scanner tool. Through a multi-stage process, the malicious executable 'WsTaskLoad.exe' deployed the Anunak backdoor, enabling persistent access by installing OpenSSH and creating a scheduled task.
Cisco IMC bug allows privilege escalation
Cisco patched a high-severity vulnerability (CVE-2024-20295) in its IMC that could allow local attackers to escalate privileges to root. The flaw, residing in the IMC CLI, enabled command injection attacks on the underlying OS. Affected products included Cisco UCS C-Series Rack Servers, Catalyst 8300 Series Edge uCPE, and others. No workarounds are available, and Cisco warned of public exploit code.
Exploits deliver ScreenConnect and Metasploit payloads
An attack campaign was found abusing a critical SQL injection flaw (CVE-2023-48788) in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. Dubbed Connect:fun by Forescout, the campaign targeted a media company shortly after a proof-of-concept exploit for the flaw surfaced in March. The threat actor, active since at least 2022, exhibits manual tactics, indicating a targeted approach.
Oracle's April 2024 critical updates are here
Oracle released a significant batch of security patches, totaling 441, in its April 2024 Critical Patch Update. More than 200 of these patches addressed vulnerabilities exploitable by remote, unauthenticated attackers. With Oracle Communications leading in the number of patches issued, various other products such as Fusion Middleware, Financial Services Applications, and E-Business Suite have also received substantial fixes.
OpenMetadata vulnerabilities lead to cryptomining
Microsoft warned of a series of chained vulnerabilities in the OpenMetadata platform on Kubernetes clusters, allowing Chinese hackers to execute code and install cryptomining software remotely. The flaws, including CVE-2024-28255 and CVE-2024-28847, affect versions before 1.3.1. Attackers left a plea for victims not to remove the malware, citing financial hardship. The attack sequence involves reconnaissance, exploitation, and installation of cryptomining software.