Cyware Daily Threat Intelligence

Daily Threat Briefing • August 11, 2023
An unknown threat actor has been linked to a cyberattack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat. Researchers revealed that newer variants of the SystemBC malware can also download and run additional payloads. Meanwhile, a new information stealer family has come to light - Statc Stealer. The malware's infection chain involves users clicking on deceptive ads resembling genuine Google advertisements. Its stealing capabilities span from cookies and login data to cryptocurrency wallets and autofill information.
On the vulnerability front, CISA has warned users to patch a five-year-old security hole in the Zyxel P660HN-T1A router, a device that has reached its end-of-life. The agency also added a zero-day in Microsoft's .NET and Visual Studio products to its Known Exploited Vulnerabilities Catalog.
Breach exposes Cumbria police data
Cumbria Police in the U.K. has suffered a significant data breach, inadvertently disclosing the names and salaries of over 2,000 employees, including 1,304 police officers, 756 staff, and 53 police community support officers. The leaked data, mistakenly posted online by an individual, included positions, allowances, and basic personal details such as date of birth and address.
California cities under attack
The City of El Cerrito, California, is investigating a potential data theft following a ransomware attack by the LockBit group. The group added El Cerrito to its list of victims, along with 15 others, and threatened to expose stolen data on an external website. Other California cities like Modesto and Hayward have also faced ransomware attacks this year, reflecting a growing trend.
New DroxiDat variant infiltrates African power firm
An unidentified threat actor targeted a southern African power generation company with a new DroxiDat variant, in what may be the precursor to a ransomware attack. The attackers deployed DroxiDat alongside Cobalt Strike Beacons inside a critical infrastructure network. DroxiDat, a compact variant of SystemBC, was used for system profiling and for proxying network traffic to C2 servers. The threat actor's identity remains uncertain, though signs point to Russian ransomware groups, particularly FIN12.
New info stealer targets Windows
Zscaler ThreatLabz detected and dissected Statc Stealer, a potent information-stealing malware targeting Windows systems. This C++-based malware effectively extracts sensitive data from popular web browsers, cryptocurrency wallets, and messaging apps like Telegram. Statc Stealer affects popular Windows browsers like Chrome, Microsoft Edge, Brave, Opera, Yandex, and Mozilla Firefox.
Gootloader campaign hits law firms
The Gootloader malware, known for utilizing an SEO watering hole tactic, was found using legal-related search terms to target law firms and individuals seeking legal information online. Gootloader exploits compromised WordPress sites for malware distribution and manipulates search results, luring users to malicious websites. This technique, unlike common phishing, entices victims with industry-specific assets such as contract templates. The campaign leverages fake forums to deliver its malicious payloads.
Gafgyt botnet hunts for flawed Zyxel devices
Fortinet has issued an alert regarding the Gafgyt botnet actively exploiting a vulnerability in the end-of-life Zyxel P660HN-T1A router. The malware targets CVE-2017-18368, a critical command injection vulnerability that Zyxel patched in 2017. Despite previous warnings, Fortinet has detected around 7,100 attacks per day since July 2023. The CISA has also warned about this exploitation, requiring federal agencies to patch the vulnerability by August 28, 2023.
CISA flags zero-day in Microsoft
CISA added CVE-2023-38180, a zero-day bug affecting Microsoft's .NET and Visual Studio products, to its Known Exploited Vulnerabilities Catalog. The flaw, fixed by Microsoft's August 2023 Patch Tuesday updates, can be exploited for DoS attacks. Remote exploitation is possible without user interaction or privileges. CISA has instructed government organizations to patch or mitigate by August 30, placing the vulnerability on its 'must patch' list per Binding Operational Directive 22-01.
Abusing unpatched Magento bug
An ongoing campaign is targeting e-commerce stores running Adobe's Magento 2 software through a vulnerability (CVE-2022-24086) that Adobe patched in February 2022 but which remains unpatched on many stores. Akamai's security researchers reported that the bug enables attackers to inject malicious code or templates into a web application's server-side processing. In the context of Magento 2, this could potentially lead to remote code execution and unauthorized access to sensitive data.