Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 5, 2024
A large-scale Magniber ransomware campaign is hitting home users worldwide. The price of a decryptor starts at $1,000 and rises to $5,000 if the ransom is not paid within 72 hours.
Researchers disclosed SLUBStick, a cross-cache attack on the Linux kernel that turns a limited heap vulnerability into arbitrary kernel memory read and write with a reported 99% success rate.
The FBI warned that scammers posing as cryptocurrency exchange employees are pressuring victims into handing over login credentials or clicking malicious links, then draining their accounts.
StormBamboo compromises ISP, delivers malware
The StormBamboo threat group compromised an ISP and used that access to poison DNS responses for target organizations. Because the victims' software updated through insecure update mechanisms, the attackers were able to redirect those update requests and deliver malware, including new variants of MACMA, to machines running macOS and Windows. They also deployed a malicious browser extension, RELOADEXT, to exfiltrate victims' email data.
Rise in Magniber ransomware attacks
A large Magniber ransomware campaign has been targeting home users worldwide, demanding ransoms of $1,000 or more for a decryptor. The ransomware encrypts files and appends a random extension to their names; the demand starts at $1,000 and rises to $5,000 if payment is not made within three days. Victims are advised to avoid software cracks and key generators, which are the campaign's usual distribution channel.
Fighting Ursa deploys HeadLace backdoor
The Russian threat actor Fighting Ursa (APT28) used a car-for-sale advertisement as a lure to deliver the HeadLace backdoor to diplomats. The campaign relied on free, legitimate online services such as Webhook.site and ImgBB to host the successive stages of the attack. The malware arrived in a ZIP file disguised as an image and employed tactics to evade detection.
New SLUBStick attack targets Linux kernel
Researchers from the Graz University of Technology have disclosed SLUBStick, a Linux kernel cross-cache attack that converts a limited heap vulnerability into arbitrary kernel memory read-and-write with a 99% success rate. The technique works on both 32-bit and 64-bit systems and was demonstrated on kernel versions 5.9 and 6.2, bypassing modern kernel defenses including SMEP, SMAP, and KASLR. Its real-world impact includes privilege escalation to root, container escape, and post-exploitation persistence achieved by modifying kernel data structures.
Fake Potato
A security researcher found that the ShellWindows DCOM application, previously abused in the SilverPotato technique, can also be misused locally by a standard user. The application runs under the Interactive User identity with default permissions and is hosted by the explorer process, which grants execute access to authenticated users. A non-privileged user could therefore activate the object on behalf of a user logged on in a different session and invoke its ShellExecute() method to execute arbitrary commands as that user. The issue was reported to Microsoft and fixed in the July 2024 Patch Tuesday as CVE-2024-38100, rated Important (local privilege escalation).
FBI warns of crypto scams
The FBI issued a warning about scammers posing as cryptocurrency exchange employees to steal funds. The scammers manufacture a sense of urgency and trick victims into providing login credentials or clicking malicious links, then drain the account once they have access. Recovery-service scams and impostor websites are also common in the crypto space. The FBI advises verifying communications through a separate, known channel, not rushing into decisions, researching crypto services before using them, enabling multi-factor authentication, and being cautious with personal information.