Cyware Daily Threat Intelligence

Daily Threat Briefing Aug 21, 2024

Cybercriminals are turning mobile banking into a minefield. ESET researchers have uncovered phishing campaigns using fake Progressive Web Applications (PWAs) and WebAPKs to target users in Hungary, Czechia, and Georgia. These sophisticated scams trick users into installing bogus mobile banking apps through deceptive websites and pop-ups, delivered via automated calls, SMS, and malvertising.

When DNS queries aren't just innocent requests—Symantec researchers uncovered Msupedge, a cunning backdoor targeting a Taiwanese university. Exploiting a PHP flaw (CVE-2024-4577), this backdoor uses DNS tunneling for stealthy communication and command execution.

Azure’s Kubernetes playground just got a bit more dangerous. Mandiant warned of a new "WireServing" threat, exploiting weaknesses in TLS bootstrap token handling within Azure Kubernetes Services (AKS) clusters. Attackers could escalate privileges by downloading sensitive configuration files; Microsoft swiftly patched the issue to prevent unauthorized access.

Top Malware Reported in the Last 24 Hours

TA453 delivers BlackSmith and AnvilEcho

Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation lure. By sending a follow-up malicious link, the attackers attempted to deploy a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho. The trojan, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration. AnvilEcho contains all of TA453’s previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.

New Msupedge backdoor targets Taiwan

Symantec's Threat Hunter Team revealed a new stealthy backdoor called Msupedge that was recently used in a cyberattack against a university in Taiwan. The backdoor exploits a critical flaw in PHP (CVE-2024-4577) to achieve remote code execution (RCE). Msupedge is a dynamic-link library installed in specific paths on the system. It uses DNS tunneling to communicate with the C&C server, receiving its commands inside DNS traffic. The backdoor supports various commands such as creating a process, downloading files, sleeping for a set time, and creating temporary files whose purpose is unknown.

Top Vulnerabilities Reported in the Last 24 Hours

Azure Kubernetes clusters at risk

Mandiant warned of a new threat known as "WireServing" that enables attackers to launch TLS bootstrap attacks against Azure Kubernetes Services (AKS). By exploiting weaknesses in how AKS clusters handled TLS bootstrap tokens, attackers could download configuration files containing credentials to escalate privileges and access sensitive information. Microsoft promptly addressed the issue by updating AKS clusters to prevent unauthorized access to TLS bootstrap tokens.

F5 patches high-severity vulnerabilities

F5 released patches for nine vulnerabilities in its August 2024 quarterly security notification, including high-severity flaws in BIG-IP and NGINX Plus. The most severe issue, CVE-2024-39809, affects BIG-IP Next Central Manager and allows an attacker to access systems even after a user has logged out. Another high-severity bug, CVE-2024-39778, impacts BIG-IP versions 15.x, 16.x, and 17.x, causing a denial-of-service (DoS) when the Traffic Management Microkernel (TMM) stops on stateless virtual servers. NGINX Plus instances using the MQTT filter module are vulnerable to CVE-2024-39792, which can lead to performance degradation. F5 also addressed five medium-severity flaws that could lead to various security issues in BIG-IP and NGINX.

RFID cards prone to cloning

A vulnerability in millions of Shanghai Fudan Microelectronics RFID cards allows for easy cloning, warned researchers at Quarkslab. The researchers found a hardware backdoor in the FM11RF08S cards that enables near-instantaneous cloning of smart cards by cracking their keys. The backdoor allows unauthorized access to all user-defined keys on the cards, even when fully diversified, posing a significant security risk. Quarkslab also identified a similar backdoor in the earlier FM11RF08 cards, along with other related models from Fudan, NXP, and Infineon.

Updates for GitHub Enterprise Server

GitHub disclosed multiple security vulnerabilities in GitHub Enterprise Server (GHES), including CVE-2024-6800, CVE-2024-6337, and CVE-2024-7711, allowing unauthorized admin access and repository manipulation. CVE-2024-6800, with a CVSS score of 9.5, abuses GHES's SAML authentication to grant admin privileges. CVE-2024-6337 (CVSS 5.9) permitted limited GitHub App access to private repository content. CVE-2024-7711 (CVSS 5.3) enabled modification of public repository issues. The vulnerabilities affected versions before 3.14 and were addressed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

Zero-click exploit against Microsoft Outlook

Morphisec researchers disclosed a critical vulnerability in Microsoft Outlook, CVE-2024-38021, allowing RCE on vulnerable systems. This poses a significant security threat, similar to a previous flaw (CVE-2024-21413) that exposed users to NTLM credential leaks. The vulnerability stems from how Outlook handles hyperlink objects in image tags in emails, enabling attackers to use a composite moniker to trigger RCE. While Microsoft attempted to secure this in the past, Morphisec found the fix incomplete. The exploit can be triggered by opening an email containing a malicious image tag, with no user interaction. Although Microsoft issued a patch extending security measures, it does not fully address the NTLM leakage issue.

Top Scams Reported in the Last 24 Hours

Unique phishing method for financial fraud

A new phishing method has been discovered by ESET researchers, targeting mobile banking users in Hungary, Czechia, and Georgia through Progressive Web Applications (PWAs) and WebAPKs. The technique tricks users into installing fake banking applications that are indistinguishable from the real ones. The phishing websites prompt iOS users to add PWAs to their home screens, while on Android the installation is done through custom pop-ups in the browser. The phishing campaigns utilize different delivery mechanisms such as automated voice calls, SMS messages, and social media malvertising.