Cyware Daily Threat Intelligence

Daily Threat Briefing • Apr 25, 2023
The notorious Lazarus group has built a new malware family to threaten macOS users. The attackers have been observed using a macOS malware dubbed RustBucket in recent attacks. Security experts have yet to confirm how the attackers gain their initial foothold or whether any intrusion has succeeded. Meanwhile, the Mirai botnet has moved to expand its army of infected devices for DDoS attacks. In its new campaign, it was observed targeting a high-severity (CVSS v3: 8.8) unauthenticated command injection bug in a TP-Link router model.
SolarWinds is back in the headlines for security issues. Trend Micro Zero Day Initiative researchers uncovered two security vulnerabilities that a cybercriminal can take advantage of to execute arbitrary commands and escalate privileges.
Sensitive data leak by automobile company
A misconfiguration on the official Peugeot store for Peru was found exposing highly sensitive information through a publicly accessible environment file. The file contained the full MySQL database Uniform Resource Identifier (URI), database credentials (username and password), the JSON Web Token (JWT) passphrase and the locations of the private and public keys, a link to the site's git repository, and the Symfony application secret.
RustBucket - macOS malware
Jamf, a security company, has reported that BlueNoroff (a subgroup of the Lazarus APT) has introduced a new macOS malware strain it is calling RustBucket. The malware allows attackers to download and execute various payloads. In the first stage, the malware arrives packaged as an unsigned application; in the second stage, it masquerades as a legitimate Apple bundle identifier and is signed with an ad-hoc signature.
Mirai botnet abuses TP-Link flaw
The Mirai botnet operators were seen abusing CVE-2023-1389, a vulnerability in the TP-Link Archer A21 (AX1800) WiFi router, in an attempt to conscript those devices into future DDoS attacks. An initial study of the attack infrastructure revealed targeted devices in Eastern Europe; however, the campaign could be spreading worldwide. TP-Link patched the vulnerability last month.
Gh0st RAT targets European-owned firm
Cofense Intelligence came across Gh0st RAT while studying a phishing attack aimed at a medical technology organization in China owned by a European entity. Gh0st RAT was developed by a Chinese hacking group known as "C." Its C2 server is reportedly located on the CHINANET Jiangsu province network in the city of Nanjing.
Exploit code out for bugs under abuse
While cybercriminals are exploiting a pair of bugs in the PaperCut MF/NG print management software, researchers at the cybersecurity firm Horizon3 released details of one of them, tracked as CVE-2023-27350, along with PoC exploit code. Criminals can exploit the bug to dodge detection and run arbitrary code on susceptible PaperCut servers. Trend Micro is poised to release further details on the bugs on May 10th.
New attack technique against Intel CPUs
Researchers at Tsinghua University, the University of Maryland, and the Beijing University of Posts and Telecommunications disclosed a new side-channel attack affecting multiple generations of Intel CPUs. The attack exploits a weakness in transient execution that enables the extraction of sensitive information from a user's memory space through timing analysis.
Privilege escalation flaws in SolarWinds
SolarWinds patched two critical security issues tracked as CVE-2022-36963 and CVE-2022-47505. The first is a severe command injection bug in SolarWinds' infrastructure monitoring and management solution. The second is a local privilege escalation flaw. Either flaw, exploited on its own, could enable privilege escalation attacks.
Giveaway scam via hijacked Twitter account
A bad actor managed to take over KuCoin's Twitter account and launched a fake giveaway offer to steal more than $22,600 in cryptocurrency from users. The crypto exchange assured victims that it would fully compensate their losses. It further stated that all other user assets on the platform remain entirely secure.