
Cyware Daily Threat Intelligence

Daily Threat Briefing Aug 20, 2024

Cyber attackers are ramping up their efforts, with new malware campaigns, disinformation-fueled espionage, and critical flaws in popular software. A malware named UULoader is being used to distribute remote access tools like Gh0st RAT and Mimikatz, primarily targeting Korean and Chinese speakers through malicious installers.

The pro-Russian hacker group Vermin is using fake news about Ukraine's offensive in Kursk to spread malware, including Spectr spyware and a new strain called Firmachagent.

Researchers discovered eight vulnerabilities in Microsoft applications for macOS, allowing attackers to bypass security measures and gain unauthorized access to user data and system resources.

Top Malware Reported in the Last 24 Hours

New UULoader disperses malware in East Asia

Threat actors are using a new malware called UULoader to distribute remote access tools like Gh0st RAT and Mimikatz. The malware is spread through malicious software installers aimed at Korean and Chinese speakers and is believed to be the work of a Chinese speaker. Separately, phishing attacks that impersonate government entities are targeting cryptocurrency users to collect sensitive information.

Russia-linked Vermin targets Ukraine

A pro-Russian hacker group called Vermin is using fake information about Ukraine's offensive in Kursk to spread malware. The hackers are believed to be linked to the Luhansk People’s Republic and are suspected of acting on behalf of the Kremlin. Ukraine's CERT-UA reported that the group has deployed two types of malware, including Spectr spyware and a new strain called Firmachagent. Spectr can capture screenshots of a victim's screen every 10 seconds, copy files with specific extensions, and extract data from messengers and web browsers. The stolen data is then uploaded to the hackers' server using Firmachagent malware.

Old tactics spread new malware

Researchers discovered threat actors using the Steam gaming platform to host C2 domain addresses, abusing user accounts for malicious activity. They uncovered a threat actor using a simple substitution cipher to hide C2 domains and identified associated email addresses and domain registration details. The substitution cipher was a Caesar shift of 3; shifting the text back revealed a domain with a valid top-level domain. The team found a high number of malware samples associated with this domain and identified patterns in the domain registrations and email addresses that suggest automation and a possible Russian origin.
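The decoding step described above, as an added example (not code from Cyware or from the researchers' tooling): try every Caesar shift on an obfuscated string and keep only candidates that end in a known top-level domain. The sample string and the small TLD list are constructed for the demo.

```python
# Added example: recover a C2 domain hidden behind a Caesar-shift substitution
# cipher by brute-forcing all 25 shifts and validating the result against a TLD list.
import string

# Constructed allow-list for the demo; an analyst would load the full IANA TLD list.
KNOWN_TLDS = {"com", "net", "org", "ru", "su", "info", "xyz", "top"}


def shift_text(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions (case preserved); other characters pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def looks_like_domain(candidate: str) -> bool:
    """True if every label is alphanumeric/hyphen and the last label is a known TLD."""
    labels = candidate.lower().split(".")
    if len(labels) < 2 or labels[-1] not in KNOWN_TLDS:
        return False
    return all(lab and all(c.isalnum() or c == "-" for c in lab) for lab in labels)


def crack_caesar_domain(obfuscated: str) -> list[tuple[int, str]]:
    """Return every (shift, plaintext) pair whose plaintext looks like a real domain."""
    hits = []
    for shift in range(1, 26):
        plain = shift_text(obfuscated, -shift)
        if looks_like_domain(plain):
            hits.append((shift, plain))
    return hits


# Constructed sample: a placeholder domain obfuscated with the shift-of-3 the briefing mentions.
SAMPLE_OBFUSCATED = shift_text("example-c2.ru", 3)  # "hadpsoh-f2.ux"

if __name__ == "__main__":
    for shift, domain in crack_caesar_domain(SAMPLE_OBFUSCATED):
        print(f"shift {shift}: {domain}")
```

Only the shift that yields a plausible TLD survives, which is what lets the analyst identify the real domain without knowing the key in advance.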

Top Vulnerabilities Reported in the Last 24 Hours

Eight bugs in Microsoft apps

Cisco Talos discovered eight vulnerabilities in Microsoft applications for macOS, which could be exploited by adversaries to gain unauthorized access to sensitive resources. These vulnerabilities allow attackers to bypass the operating system’s permissions model and gain access to user data and system resources without user verification. The identified vulnerabilities in Microsoft apps enable attackers to inject malicious code and gain control over app permissions and entitlements. The vulnerabilities affect Microsoft Outlook (CVE-2024-42220), Teams (CVE-2024-42004, CVE-2024-41145, and CVE-2024-41138), PowerPoint (CVE-2024-39804), OneNote (CVE-2024-41159), Excel (CVE-2024-43106), and Word (CVE-2024-41165).

Critical RCE flaw in GiveWP plugin

The GiveWP plugin for WordPress recently addressed a critical security flaw involving PHP Object Injection that could lead to RCE. The vulnerability, tracked as CVE-2024-5932, affects all versions up to 3.14.1. Exploiting this flaw could allow unauthorized users to execute arbitrary code and delete files on affected sites. The severity of the exploit led to a CVSS score of 10.0. Technical details reveal that the flaw stems from inadequate validation of user-provided data during donation processing, leading to the injection of malicious PHP objects.

Multiple OpenJDK 8 vulnerabilities fixed

Canonical has released security fixes for multiple versions of OpenJDK, including OpenJDK 21, OpenJDK 17, OpenJDK 11, and OpenJDK 8 on affected Ubuntu releases, addressing several vulnerabilities. The identified vulnerabilities in OpenJDK 8 could lead to denial of service, information disclosure, arbitrary code execution, or bypassing of Java sandbox restrictions. Organizations using Ubuntu 18.04 can access security fixes through extended security maintenance.