Cyware Daily Threat Intelligence
Daily Threat Briefing • Aug 29, 2024
In a landscape where no sector is safe, cyber adversaries are refining their methods, combining potent malware with strategic exploits and cunning scams. APT33 deployed its new Tickler malware to backdoor U.S. and UAE networks, particularly in government, defense, and critical infrastructure sectors.
Meanwhile, attackers have been exploiting a five-year-old vulnerability in the AVM1203 surveillance camera to spread the Mirai malware, turning IoT devices into a botnet for large-scale DDoS attacks.
Adding to the chaos, cybercriminals are crafting fake domains that mimic political donation sites, tricking unsuspecting donors as election season heats up.
APT33 uses new Tickler malware
The APT33 Iranian hacking group, aka Peach Sandstorm and Refined Kitten, used the new Tickler malware to backdoor the networks of organizations in the U.S. and UAE. The attackers particularly targeted the government, defense, satellite, and oil and gas sectors. They leveraged Microsoft Azure infrastructure for C2, using compromised user accounts in the education sector to host their infrastructure. Microsoft observed consistent password spray attacks across sectors and warned of extensive breaches in defense, satellite, and pharmaceutical sectors since February 2023.
Evolution of PoorTry Windows driver
The PoorTry kernel-mode Windows driver, previously used to disable EDR solutions, has now evolved into an EDR wiper. This new functionality allows it to delete critical files of security software, making restoration more difficult. Ransomware actors, including BlackCat, Cuba, and LockBit, have utilized PoorTry, and its evolution includes optimization and obfuscation techniques. Sophos confirmed the use of PoorTry in a RansomHub attack in July, where it was used to delete essential components of security software. The malware can selectively delete files crucial to EDR operation and employs tactics like certificate roulette to bypass security checks.
BlackByte ransomware abuses new bug
The BlackByte ransomware group has been exploiting a VMware ESXi vulnerability (CVE-2024-37085) and VPN access credentials to target businesses globally. The attackers are using stolen credentials to spread ransomware within networks and are more active than their public data leak site suggests. The top targeted industries are manufacturing, transportation/warehousing, professional services, IT, and public administration. Organizations are urged to patch systems, implement MFA, audit VPN configurations, restrict network access, and deploy reliable endpoint detection and response solutions.
Unpatchable 0-day drops Mirai
Attackers have been exploiting a critical vulnerability in the AVTECH AVM1203 surveillance camera to spread the Mirai botnet. The five-year-old vulnerability, tracked as CVE-2024-7029, allows attackers to remotely execute commands. Mirai turns infected IoT devices into a botnet for launching large-scale DDoS attacks. The malware also targets other vulnerabilities, such as Huawei device exploits. The AVM1203 camera is no longer supported, so users are advised to replace it and to ensure that no IoT devices remain accessible using default credentials.
Fortra patches hardcoded password flaw
A critical hardcoded password flaw in Fortra FileCatalyst Workflow could be exploited by attackers to gain unauthorized access to the internal database, steal sensitive information, and gain administrator privileges. The flaw, tracked as CVE-2024-6633, affects FileCatalyst Workflow 5.1.6 Build 139 and older releases. Users are urged to upgrade to version 5.1.7 or later. The flaw was discovered by Tenable, which found the same static password, GOSENSGO613, on all FileCatalyst Workflow deployments.
U.S. election phishing
Cybercriminals are creating fake domains to impersonate legitimate political donation websites, aiming to deceive donors and organizations. Researchers identified fake domains, such as actsblue[.]com, that mimic legitimate political donation websites. They also spotted suspicious domains like nationalcommittee[.]democrat and republicanpac[.]net, and urged caution when making donations through such sites. The phishing page offers a variety of payment options under unusual account names, indicating potential fraudulent activity. This underscores the importance of vigilance among donors and political organizations to avoid falling victim to scams as the election nears.