Cyware Daily Threat Intelligence
Daily Threat Briefing • Aug 28, 2024
Adversary tradecraft now spans the spectrum from covert espionage to elaborate social engineering. SpyGlace, a backdoor, is spreading through East Asia behind a seemingly benign WPS Office spreadsheet; the operation is attributed to APT-C-60, a South Korea-aligned group.
The Chinese state-linked group Volt Typhoon exploited a zero-day flaw in Versa Director to compromise U.S. internet service providers and technology companies. A custom web shell let it harvest credentials and execute malicious code while staying largely undetected.
A threat actor is targeting more than 130 U.S. organizations with social engineering. Through phone calls and SMS messages it asks users for credentials, and it stands up fake VPN login pages that capture MFA tokens as well, putting organizations on high alert.
APT-C-60 targets East Asia with SpyGlace backdoor
ESET uncovered a cyber-espionage campaign by APT-C-60, a South Korea-aligned APT group, targeting victims in East Asia with a custom backdoor called SpyGlace delivered through a remote code execution vulnerability in WPS Office for Windows. Victims were lured into clicking a legitimate-looking WPS Office spreadsheet that carried a hidden hyperlink; the click triggered the exploit. The bug, CVE-2024-7262, was exploited as a zero-day and silently patched by Kingsoft, but ESET found the patch incomplete, and the remaining weakness, tracked as CVE-2024-7263, could still enable similar attacks. Users should update to a WPS Office build that fixes both CVEs, since the first patch alone does not close the hole.
Malware in Pidgin’s plugin repo
The Pidgin messaging project removed the ScreenShareOTR plugin from its official third-party plugin list after discovering that it installed keyloggers, information stealers, and other malware; users of the plugin were infected with DarkGate. The plugin had been promoted as a secure screen-sharing tool, and its installer was signed with a valid code-signing certificate, so a valid signature alone was no indication of trustworthiness. The server hosting the malicious plugin also hosted other harmful plugins, indicating a broader campaign. Anyone who installed the plugin should remove it and treat the host as potentially compromised.
Cryptojacking via CVE-2023-22527
CVE-2023-22527, a critical template-injection vulnerability in Confluence Data Center and Confluence Server that allows unauthenticated remote code execution, is being actively exploited for cryptojacking. Attackers deploy shell scripts and XMRig miners, target SSH endpoints to spread, kill competing cryptomining processes, and maintain persistence via cron jobs, with the scripts automating both propagation and mining. Exploitation was heaviest from mid-June to the end of July 2024. Unpatched instances should be updated to a fixed release and checked for the cron entries and miner processes described above.
Volt Typhoon repeatedly targets Versa bug
Volt Typhoon, a Chinese government-linked hacking group, exploited a zero-day vulnerability in Versa Director, CVE-2024-39717, to target U.S. internet service providers and technology companies. The flaw was used to upload a custom web shell named VersaMem, which let the attackers harvest credentials and execute malicious code while evading detection. Versa has described the bug as a file-upload weakness in the administrative GUI that requires privileged access, reachable in practice where management ports were exposed to the internet contrary to its hardening guidance; patched versions are available. The campaign is considered highly significant, and U.S. federal agencies have been alerted.
CISA adds Apache OFBiz flaw to KEV catalog
CISA added a critical flaw in Apache OFBiz, CVE-2024-38856, to its Known Exploited Vulnerabilities catalog. The flaw allows an unauthenticated attacker to achieve remote code execution and is the latest in a series of OFBiz vulnerabilities, with evidence of exploitation in the wild. Organizations are advised to update to version 18.12.15; federal agencies must apply the update by September 17, 2024.
Massive social engineering scam
GuidePoint researchers identified a threat actor with strong social engineering and intrusion capabilities targeting more than 130 U.S. organizations. The attackers use phone calls and SMS messages to trick users into divulging credentials and one-time passcodes. They have registered domain names resembling the VPN products used by the targeted organizations and set up custom VPN login pages that harvest credentials together with MFA tokens, so one-time-passcode MFA does not stop them. Organizations are advised to review VPN logs for suspicious activity, warn users about these tactics, and watch for signs of compromise; phishing-resistant MFA such as FIDO2 security keys, which binds authentication to the legitimate origin, does not hand a lookalike site a usable token.
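Reviewing logs for this campaign means spotting destinations that imitate the organization's own VPN hostnames or its VPN vendor's product names. The following is an added example for this briefing, not code from GuidePoint or Cyware: it classifies hostnames pulled from constructed proxy log lines against a constructed brand (`example`), a constructed trusted domain set, and an assumed list of VPN vendor keywords, using optimal string alignment distance to catch one-character typos and transpositions.

```python
import re

# Constructed for the example: the org's brand, the domains it really owns,
# and VPN product keywords worth flagging (an assumption, extend per vendor).
ORG_BRAND = "example"
TRUSTED_DOMAINS = {"example.com"}
VPN_KEYWORDS = ("vpn", "globalprotect", "anyconnect", "pulsesecure", "fortigate")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host):
    """Last two labels of the host. Assumption made for the example; production
    code should use the Public Suffix List so that example.co.uk is handled."""
    return ".".join(host.split(".")[-2:])


def classify_host(host):
    """Return a verdict for one destination hostname."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    if ORG_BRAND in host:
        return "brand lookalike"      # e.g. vpn-example.com, example.com-login.net
    if osa_distance(reg.split(".")[0], ORG_BRAND) <= 1:
        return "typosquat"            # e.g. exmaple.com, examp1e.com
    if any(k in reg for k in VPN_KEYWORDS):
        return "vendor lookalike"     # e.g. globalprotect-portal.net
    return "unrelated"


# Constructed sample proxy log lines (key=value fields, one request per line).
SAMPLE_PROXY_LOG = """\
2024-08-27T13:58:02Z user=jdoe dst=vpn.example.com path=/global-protect/login.esp
2024-08-27T14:02:11Z user=jdoe dst=vpn-example.com path=/global-protect/login.esp
2024-08-27T14:02:40Z user=asmith dst=exmaple.com path=/sso
2024-08-27T14:05:19Z user=asmith dst=globalprotect-portal.net path=/login
2024-08-27T14:06:00Z user=asmith dst=mail.google.com path=/
"""

HOST_RE = re.compile(r"\bdst=([A-Za-z0-9.-]+)")
USER_RE = re.compile(r"\buser=(\S+)")


def triage_log(log_text=SAMPLE_PROXY_LOG):
    """Map each suspicious destination to (verdict, set of users who reached it)."""
    suspicious = {}
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        verdict = classify_host(host)
        if verdict in ("trusted", "unrelated"):
            continue
        entry = suspicious.setdefault(host, (verdict, set()))
        u = USER_RE.search(line)
        if u:
            entry[1].add(u.group(1))
    return suspicious


if __name__ == "__main__":
    for host, (verdict, users) in triage_log().items():
        print(f"{host}: {verdict}, reached by {sorted(users)}")
```

Treat the output as a review queue rather than a block list: the vendor-keyword rule will also surface the vendor's own legitimate sites, and the users listed against a brand lookalike or typosquat are the ones whose credentials and OTPs should be reset first.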
Quishing attacks abused Microsoft Sway
Researchers discovered a quishing (QR-code phishing) campaign targeting Microsoft Office credentials that drove a sharp increase in traffic to phishing pages hosted on Microsoft Sway. Victims were concentrated in Asia and North America across various industries. The pages used transparent phishing, in which the credentials a victim submits are relayed to the legitimate login service so that the victim is actually signed in while the attacker keeps a copy, and Cloudflare Turnstile challenges to keep automated scanners from reaching the phishing content. Because a QR code moves the click from a managed workstation to a personal mobile device, corporate URL filtering may never see it; researchers recommend checking URLs directly before entering credentials and strengthening security policies to prevent such scams.