
Cyware Daily Threat Intelligence


Daily Threat Briefing Dec 1, 2023

New malware keeps arriving at a steady pace. A new variant of Gh0st RAT, named SugarGh0st RAT, has been observed in a campaign targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. In another case, a sophisticated Android malware called FjordPhantom has been spotted using a virtualization framework to stealthily target mobile banking users. The malware is currently active in Southeast Asia, including Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

In other news, security researchers have shared details about the far-reaching consequences of the LogoFAIL vulnerabilities, which affect the image-parsing libraries embedded in UEFI firmware from nearly all major vendors.

Top Breaches Reported in the Last 24 Hours

Hendersonville targeted by threat actors

Hendersonville, a city in North Carolina, disclosed a cyberattack that exposed employees’ information. Officials revealed that a group of hackers targeted the software the city uses to manage employee information. The majority of the stolen data belonged to employees hired before January 1, 2021. The attack did not affect other city systems or customer data.

Staples’ operation disrupted

American office supply retailer Staples took some of its systems offline after a cyberattack in order to contain the impact and protect customer data. The disclosure came after employees reported a range of internal operational problems, including being unable to access Zendesk, the VPN and employee portals, print email, or use the phone lines. Staples stores continued to operate normally, but orders placed on the website could not be processed.

Top Malware Reported in the Last 24 Hours

New variant of Gh0stRAT detected

Cisco Talos has discovered a new variant of Gh0st RAT, dubbed SugarGh0st RAT, targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. The campaign uses a Windows Shortcut (LNK) file to deliver the components that drop the payload. Compiled in C++, the variant collects system information such as the computer name, operating system version, and drive details.

New FjordPhantom Android banking malware

A new Android malware named FjordPhantom has been found spreading through email, SMS, and messaging apps to infect banking customers in Indonesia, Thailand, Vietnam, Singapore, and Malaysia. The malware embeds a virtualization framework that runs its malicious code inside a container to evade detection. It can steal online banking credentials and manipulate transactions through on-device fraud. In one case, a customer was defrauded of $280,000.

Top Vulnerabilities Reported in the Last 24 Hours

Apple addresses two new iOS zero-day flaws

Apple has released emergency security updates for two actively exploited zero-day flaws in the WebKit browser engine, affecting iPhone, iPad, and Mac devices. The first vulnerability (CVE-2023-42916) is an out-of-bounds read that can be abused to disclose sensitive information by tricking victims into visiting specially crafted web content. The second (CVE-2023-42917) is a memory corruption flaw that can lead to arbitrary code execution via the same vector.

LogoFAIL vulnerability discovered

Image-parsing components in UEFI firmware from multiple vendors are affected by a set of security vulnerabilities collectively named LogoFAIL. The flaws can be exploited to hijack the execution flow of the boot process, bypass Secure Boot and hardware-backed verified-boot mechanisms such as Intel Boot Guard, AMD Hardware-Validated Boot, and ARM TrustZone-based Secure Boot, and deliver bootkits.

Top Scams Reported in the Last 24 Hours

ScamClub threat actor deceives users

Malwarebytes detected a malvertising campaign run by the ScamClub threat actor that managed to plant malicious ads on popular sites such as the Associated Press, ESPN, and CBS. Unsuspecting readers were automatically redirected to a fake security-scan page disguised as a McAfee alert.
