Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 19, 2024
From malware lurking in job applications to zero-day exploits and disinformation campaigns, the threat landscape grows darker. BeaverTail malware has been spotted sinking its claws into job seekers, hiding behind macOS software to pilfer sensitive data and cryptocurrency. Lazarus is showing its adaptability, spreading across platforms with weaponized games and targeted attacks.
Microsoft patched a zero-day bug in the AFD.sys driver that the Lazarus group exploited to gain SYSTEM privileges; the group had also abused a flaw in the AppLocker driver for the same purpose. Its targets were professionals in cryptocurrency and aerospace.
Celebrity gossip is turning sinister as a disinformation campaign has been using cloud subdomains and Google search to spread malware. Android users are being led into a web of scams and counterfeit software disguised as infotainment.
BeaverTail strikes via weaponized games
The BeaverTail malware campaign, attributed to North Korea, has evolved to target job seekers and now includes a native macOS version disguised as legitimate software. The malware steals confidential information, including browser data and cryptocurrency wallet contents, and has extended its reach to Windows users through weaponized games. Lazarus has shown adaptability by building BeaverTail variants for several operating systems and using sophisticated techniques to reach its victims.
Xeon Sender for spam and phishing campaigns
Malicious actors are using a cloud attack tool called Xeon Sender to run SMS phishing and spam campaigns at scale through legitimate services. The tool relies on valid credentials for SaaS messaging providers, including Amazon SNS, Nexmo, and Twilio, and drives their backend APIs directly rather than exploiting any flaw in them. It is distributed via Telegram and hacking forums, with the most recent version attributed to a Telegram channel named Orion Toolxhub. Operators launch bulk SMS spam campaigns from its command-line interface.
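Because Xeon Sender sends through the provider's own API with a valid key, there is no malware to catch on the sending side; the signal is an ordinary credential doing an abnormal amount of direct-to-phone fan-out in a short window. The detection below is an added example written for this briefing, not code from Cyware, SentinelOne, or any provider. It runs over constructed audit events whose field layout only loosely follows a CloudTrail record for sns:Publish (the exact field names, the access key IDs, and the phone numbers are assumptions), and flags any key that publishes at least five SMS to at least five distinct numbers inside a five-minute sliding window, while ignoring topic publishes and single-number retries.

```python
"""Flag bulk SMS fan-out from one cloud credential in audit-log events."""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _event(key, when, phone=None, topic=None):
    """Build one constructed audit event, loosely modelled on a CloudTrail
    record for sns:Publish (field layout is an assumption for this example)."""
    params = {"phoneNumber": phone} if phone else {"topicArn": topic}
    return {
        "eventTime": when.strftime(TIME_FMT),
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "userIdentity": {"accessKeyId": key},
        "requestParameters": params,
    }


def sample_events():
    """Three constructed access keys: one bulk sender, one low-volume OTP
    sender, one that retries a single number, plus one topic publish."""
    base = datetime(2024, 8, 19, 12, 0, 0)
    events = []
    for i in range(8):   # 8 distinct numbers in 70 seconds: the fan-out pattern
        events.append(_event("AKIAEXAMPLEBULK", base + timedelta(seconds=10 * i),
                             phone=f"+1555010000{i}"))
    for i in range(6):   # one send every 10 minutes: ordinary OTP traffic
        events.append(_event("AKIAEXAMPLEOTP", base + timedelta(minutes=10 * i),
                             phone=f"+1555020000{i}"))
    for i in range(6):   # 6 retries to one number: noisy, but not fan-out
        events.append(_event("AKIAEXAMPLERETRY", base + timedelta(seconds=20 * i),
                             phone="+15550309999"))
    events.append(_event("AKIAEXAMPLEOTP", base,
                         topic="arn:aws:sns:us-east-1:123456789012:alerts"))
    return events


def find_sms_bursts(events, window_minutes=5, min_sends=5, min_distinct=5):
    """Return {accessKeyId: summary} for every key that publishes at least
    `min_sends` SMS to at least `min_distinct` numbers within any sliding
    window of `window_minutes`. The summary keeps the largest such window."""
    sends_by_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com" or ev.get("eventName") != "Publish":
            continue
        phone = ev.get("requestParameters", {}).get("phoneNumber")
        if not phone:
            continue  # topic publishes are not direct-to-phone fan-out
        when = datetime.strptime(ev["eventTime"], TIME_FMT)
        sends_by_key[ev["userIdentity"]["accessKeyId"]].append((when, phone))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for key, sends in sends_by_key.items():
        sends.sort()
        start = 0
        for end in range(len(sends)):
            # Advance the window start until it spans at most `window`.
            while sends[end][0] - sends[start][0] > window:
                start += 1
            in_window = sends[start:end + 1]
            distinct = {phone for _, phone in in_window}
            if len(in_window) >= min_sends and len(distinct) >= min_distinct:
                best = alerts.get(key)
                if best is None or len(in_window) > best["sends"]:
                    alerts[key] = {
                        "sends": len(in_window),
                        "distinct_numbers": len(distinct),
                        "window_start": in_window[0][0].strftime(TIME_FMT),
                        "window_end": in_window[-1][0].strftime(TIME_FMT),
                    }
    return alerts


if __name__ == "__main__":
    for key, summary in find_sms_bursts(sample_events()).items():
        print(key, summary)
```

On the constructed input only the bulk key fires; the retry key is excluded by the distinct-number threshold and the OTP key by the window. Tune the two thresholds against a baseline of the account's real SMS volume before deploying, and pair the alert with a key rotation, since a valid credential is the only thing the tool needs.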
Lazarus abused Microsoft 0-day
Microsoft addressed CVE-2024-38193, a zero-day vulnerability in the AFD.sys (Ancillary Function Driver for WinSock) driver that the North Korea-linked Lazarus APT group actively exploited to gain SYSTEM privileges. Lazarus used the exploit to reach sensitive areas of the system, targeting individuals in fields such as cryptocurrency engineering and aerospace. The group had also exploited CVE-2024-21338, a zero-day in the AppLocker driver (appid.sys), to gain kernel-level access and disable security software.
Ransomware attack traced to bug
A ransomware attack on an Indian digital payment system was traced back to a vulnerability, CVE-2024-23897, in Jenkins, the open-source automation server widely used in developer build pipelines. The attack began with exploitation of the flaw in the Jenkins command-line interface (CLI) and affected the National Payments Corporation of India (NPCI) and a third-party technology provider, C-Edge Technologies. The RansomEXX gang claimed credit for the attack.
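Triage for this one starts with a version check, since CVE-2024-23897 (an arbitrary file read through the CLI's argument parser) was fixed in the Jenkins weekly release 2.442 and LTS release 2.426.3, per the Jenkins security advisory. The check below is an added example written for this briefing, not code from Jenkins or from any of the parties named above. It classifies a version string, or the X-Jenkins header Jenkins includes in its HTTP responses, against those fix versions; it assumes the usual convention that LTS versions carry three components and weekly releases two, and the host names and header maps it runs on are constructed.

```python
"""Classify a Jenkins version against the CVE-2024-23897 fix versions."""
import re

# Fix versions from the Jenkins security advisory for CVE-2024-23897:
# weekly 2.442 and LTS 2.426.3. Every LTS line before 2.426 is also affected.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text):
    """Return a tuple of ints for 'a.b' (weekly) or 'a.b.c' (LTS)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version_text):
    """True when the version predates the fix for its release line."""
    v = parse_version(version_text)
    if len(v) == 3:          # LTS line (assumed three-component convention)
        return v < FIXED_LTS
    return v < FIXED_WEEKLY  # weekly line


def version_from_headers(headers):
    """Pull the version Jenkins advertises in its X-Jenkins response header.

    Header names are matched case-insensitively; returns None if absent.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(headers):
    """Return (version, vulnerable) for a captured response header map,
    or (None, None) when the response does not identify a Jenkins version."""
    version = version_from_headers(headers)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


# Constructed header maps standing in for captured HTTP responses.
SAMPLE_RESPONSES = {
    "build-a": {"X-Jenkins": "2.426.2", "Server": "Jetty"},
    "build-b": {"x-jenkins": "2.426.3"},
    "build-c": {"X-Jenkins": "2.441"},
    "build-d": {"X-Jenkins": "2.452.1"},
    "build-e": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        print(host, triage(headers))
```

A version below the fix line is the trigger to pull the instance off the network path and check CLI access logs, not proof of compromise; conversely, a patched version says nothing about what happened before the patch was applied.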
Disinformation campaign on Azure domains
A disinformation campaign is using Microsoft Azure, OVH cloud subdomains, and Google search to promote malware and spam sites. Android users receive misleading Google search notifications related to public figures, leading them to scam websites disguised as infotainment articles. The campaign targets multiple celebrities by spreading false rumors about their health, while redirecting visitors to malicious websites that push malware, spam, and counterfeit software.