Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing December 10, 2021

The cyber-arms race between cybercriminals and security teams continues with the discovery of new sneaky mechanisms used by attackers to bypass existing defenses. Among the new threats reported in the last 24 hours was the first Rust-based ransomware used in real-world attacks and a malware campaign by an infamous APT group distributing a keylogger through malicious installers.

In other news, the CISA warned of several Apache HTTP Server vulnerabilities that affect multiple Cisco enterprise products, whereas Mozilla patched high-severity vulnerabilities in its Firefox browser and Thunderbird mail client. Lastly, data breaches at a payroll solution provider and a food importer affected the personal information of thousands of employees.

Top Breaches Reported in the Last 24 Hours

Data breach at Cox Communications

The US-based telecommunications and digital cable provider Cox Communications suffered a data breach after a hacker impersonated its support agent to gain access to customers' personal information. The hacker may have accessed the details of some customers, including their names, addresses, telephone numbers, Cox account numbers, Cox.net email addresses, usernames, PIN codes, account security questions and answers, and the types of services they are subscribed to.

Government workers breached

Payroll solution provider Frontier Software was hit by a ransomware attack recently. During this incident, the attackers may have accessed the personal information of at least 38,000 and up to 80,000 government employees of the state of South Australia. The data included names, birthdates, tax file numbers, home addresses, bank account details, and other employment and payroll-related information.

Food importer hit by ransomware

North American food importer Atalanta Corporation disclosed a data breach following a ransomware attack that impacted its employees’ personal information. An investigation into the incident revealed that certain information related to Atalanta’s current and former employees and certain visitors was accessed during this incident.

Top Malware Reported in the Last 24 Hours

First Rust-based ransomware

A first-of-its-kind ransomware strain was discovered this week which was written in the Rust programming language. It is the first such ransomware to be used in attacks in the wild as opposed to just experimental concepts created in the past. The operators behind the ransomware, dubbed ALPHV (or BlackCat), are advertising it as a ransomware-as-a-service on two underground cybercrime forums, namely XSS and Exploit.

Malware-laced WordPress plugins

Sucuri researchers warned of credit card skimmers being injected into random plugins of e-commerce WordPress sites. Instead of injecting skimmers into ‘wp-admin’ and ‘wp-includes’ core directories, threat actors are using the plugin files to hide their malicious scripts or inject a backdoor to gain persistence even after installation of the latest security updates.

Malware campaign by StrongPity APT

The sophisticated StrongPity hacker group was found using malware-laced Notepad++ installers to infect their targets with a keylogger coupled with persistence capabilities. The group, also known as APT-C-41 and Promethium, was previously known for distributing trojanized WinRAR installers in highly-targeted campaigns between 2016 and 2018.

Top Vulnerabilities Reported in the Last 24 Hours

Apache HTTP Server vulnerabilities

The CISA released a second advisory about several Apache HTTP server vulnerabilities. The five vulnerabilities, tracked as CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, and CVE-2021-40438, in the Apache HTTP Server (httpd) 2.4.48 and earlier releases impact multiple Cisco products used by enterprises worldwide.

MicroTik devices exposed to attacks

Researchers found MicroTik devices exposed to remote takeover attacks due to a set of unaddressed vulnerabilities. This includes two high-severity flaws, tracked as CVE-2019-3977 and CVE-2019-3978, with CVSS scores of 7.5 each. The remaining two critical flaws enabling full takeover of devices are CVE-2018-14847 (CVSS score: 9.1) and

CVE-2018-7445 (CVSS score: 9.8).

Mozilla releases security updates

Mozilla released security updates for the Firefox browser and the Thunderbird mail client to address multiple vulnerabilities, including several bugs rated high severity. The Firefox 95 version addresses 13 vulnerabilities, including six issues with high severity ratings. Some of the patches were also included in Firefox ESR 91.4 and Thunderbird 91.4.0.

Related Threat Briefings

Mar 21, 2025

Cyware Daily Threat Intelligence, March 21, 2025

A stealthy cyber campaign briefly surfaced before vanishing. Researchers uncovered a public web server tied to a campaign targeting South Korean entities, hosting a Rust-based payload delivering Cobalt Strike Cat alongside open-source hacking tools. The infrastructure disappeared within 24 hours but revealed a target list of over 1,000 Korean domains. A backup tool vulnerability is now a fast track for attackers. CISA issued a warning for a path traversal flaw in Nakivo Backup and Replication, which is being actively exploited to execute code remotely and access sensitive enterprise data. The vulnerability has also been added to the KEV catalog. Fake ads are turning Semrush into phishing bait. A malicious ad campaign is tricking users into visiting fraudulent Semrush login pages, stealing Google credentials by forcing victims to use the “Log in with Google” option on spoofed pages.

Mar 20, 2025

Cyware Daily Threat Intelligence, March 20, 2025

Cybercriminals don’t just break in; they move in and redecorate. The DollyWay malware campaign, active since 2016, has now compromised over 20,000 WordPress sites, according to GoDaddy. By February 2025, it was redirecting 10 million users each month to scam sites. Originally a ransomware operation, it has evolved into a redirection scam using the VexTrio and LosPollos affiliate networks. Hackers have found a new disguise for malware—virtual hard disk files. Threat actors are distributing VenomRAT through phishing emails with .VHD files masked as purchase orders. These files help the malware evade detection while a hidden batch script self-replicates, maintains PowerShell persistence, and steals data using HVNC and Pastebin-based C2 communication. Meanwhile, a year-old sophisticated phishing campaign has shifted gears. After successfully tricking Windows users with fake Microsoft security alerts on windows[.]net, attackers are now targeting macOS users. For detailed Cyber Threat Intel, click ‘Read More’.

Mar 19, 2025

Cyware Daily Threat Intelligence, March 19, 2025

Cyber threats are increasingly targeting sensitive industries and posing national security concerns. Ukraine’s CERT-UA has raised alarms about a wave of cyberattacks leveraging the DarkCrystal RAT to target defense industry professionals and military entities. The attackers are using Signal messenger to send phishing messages disguised as trusted contacts, luring victims into opening a fake PDF file containing a malware dropper. When even your AI assistant can be tricked into working for hackers, the stakes couldn’t be higher. Security researchers have uncovered a supply chain attack known as the 'Rules File backdoor,' which compromises AI-powered code editors like GitHub Copilot and Cursor. Meanwhile, in the healthcare sector, PoC exploits have surfaced for vulnerabilities in Sante PACS servers. These flaws, including CVE-2025-2263 through CVE-2025-2284, could enable unauthorized data access and system disruption. For detailed Cyber Threat Intel, click ‘Read More’.

Mar 18, 2025

Cyware Daily Threat Intelligence, March 18, 2025

Cybercriminals are getting craftier, with Microsoft uncovering StilachiRAT, a stealthy malware that steals crypto, spies on systems, and evades detection. It targets digital wallets, browser data, and RDP sessions while maintaining persistence through Windows services. Meanwhile, a year-old SSRF flaw in ChatGPT (CVE-2024-27564) is under active exploitation, with over 10,000 attack attempts in a week, mainly targeting US financial and government entities. Phishers are now exploiting Microsoft 365 infrastructure in a BEC campaign, tricking users with fake support notifications and fraudulent call centers. Attackers collect credentials and take over accounts while avoiding detection. As AI vulnerabilities, RATs, and phishing tactics evolve, businesses must stay ahead to protect sensitive data. For detailed Cyber Threat Intel, click ‘Read More’.

Mar 17, 2025

Cyware Daily Threat Intelligence, March 17, 2025

The Black Basta gang has cooked up a relentless new tool. Its automated brute-forcing framework has been relentlessly probing edge networking devices since 2023, zeroing in on widely used edge networking devices. Something sinister was brewing in the PyPI repository. Multiple fraudulent packages racked up tens of thousands of downloads and hid a nasty secret: code designed to siphon cloud access tokens. However, the packages have been removed. Coinbase users are getting hit with a scam that’s all polish and bad intentions. Dressed up as an official notice about a court-ordered shift to self-custodial wallets, it nudges recipients to set up a new wallet with a recovery phrase - except it’s a trap, pre-controlled by the attackers.

Mar 14, 2025

Cyware Daily Threat Intelligence, March 14, 2025

A new ransomware group is making waves with tactics reminiscent of LockBit. Mora_001 has been exploiting Fortinet vulnerabilities to gain access to networks. Subsequently, it deploys its SuperBlack ransomware, ensuring persistent control before encrypting critical systems. GitLab users should patch now as critical authentication flaws surface. Two newly discovered GitLab vulnerabilities could allow attackers to impersonate users, potentially leading to data breaches and privilege escalation. Security updates have been released to mitigate the risk. Cybercriminals are faking Clop ransomware attacks to scam businesses. Fraudsters are posing as the Clop ransomware gang, fabricating extortion claims to trick victims into paying ransoms for non-existent data breaches.

Mar 13, 2025

Cyware Daily Threat Intelligence, March 13, 2025

A new spyware is lurking in fake apps, and it’s tied to North Korea. KoSpy, a newly discovered Android surveillance tool, is believed to be the work of APT37 and has been targeting Korean and English-speaking users. Distributed via Google Play Store and Firebase Firestore, the spyware could access a plethora of information. Juniper routers are being turned into stealthy backdoors. The Chinese threat group UNC3886 has infiltrated older Juniper MX routers, deploying customized TinyShell backdoors to evade detection. By accessing devices via terminal servers with legitimate credentials, the attackers bypassed Junos OS security protections, allowing persistent access to compromised networks. A widely used font library is now a security risk. Facebook has warned of a critical flaw in FreeType. The bug, caused by an out-of-bounds write, can lead to arbitrary code execution and has been exploited in attacks.

Mar 12, 2025

Cyware Daily Threat Intelligence, March 12, 2025

Copy, paste, and lose everything - MassJacker turns a simple action into a costly mistake. The operation leverages 778,000 fraudulent wallet addresses to siphon digital assets from unsuspecting victims. It has targeted victims by replacing copied cryptocurrency wallet addresses with those controlled by attackers. Exploited in the wild and patched just in time. Microsoft has released security updates fixing 57 vulnerabilities, including six zero-days actively exploited by attackers. The update also addresses 17 Edge browser vulnerabilities, reinforcing the critical need for immediate patching before these flaws can be leveraged for malicious purposes. A botnet is turning home routers into attack platforms, and there’s still no fix in sight. The Ballista botnet is actively exploiting a remote code execution flaw in TP-Link Archer routers, allowing attackers to inject commands without authentication. With thousands of compromised devices and growing, the botnet uses Tor domains for stealth and has been traced back to an Italian-based threat actor.

Mar 11, 2025

Cyware Daily Threat Intelligence, March 11, 2025

A new ransomware strain isn’t just locking up files, it’s locking out hope of recovery. Researchers uncovered EByte Ransomware, a Golang-based malware that’s actively targeting Windows systems with advanced cryptographic techniques, making decryption nearly impossible without the attackers' key. A simple-looking PDF is all it takes for attackers to hijack your system. A new malware strain, Phantom Goblin, is being spread through RAR attachments in phishing campaigns, tricking users into opening a malicious LNK file disguised as a document. It also abuses VSCode tunnels for remote access. Attackers don’t need new tricks when unpatched systems do the job for them. The CISA has flagged five new vulnerabilities under active exploitation, affecting Advantive VeraCore and Ivanti Endpoint Manager. The VeraCore flaw exploitation is linked to a likely Vietnamese threat group, while the Ivanti EPM vulnerabilities allow attackers to coerce credentials for further access.

Mar 10, 2025

Cyware Daily Threat Intelligence, March 10, 2025

When cybercriminals upgrade their arsenal, staying hidden becomes easier than ever. Several ransomware and cybercrime groups are leveraging the Ragnar Loader malware toolkit to maintain long-term access to compromised systems. Constantly evolving with new features, Ragnar Loader has become more modular and harder to detect. A single flaw in a widely used API almost handed attackers full control over vulnerable applications. The Volt API for Livewire recently patched a critical remote code execution vulnerability. The issue has been fixed in version 1.7.0, and users are strongly urged to update to prevent exploitation. A billion devices, a hidden backdoor, and tens of undocumented commands that could change everything. Security researchers have uncovered a major issue in ESP32 revealing 29 undocumented commands that attackers could exploit for spoofing devices, unauthorized data access, and long-term persistence. This vulnerability raises concerns over supply chain security, as OEMs could unknowingly ship compromised devices.

Mar 7, 2025

Cyware Daily Threat Intelligence, March 07, 2025

Step right up to the slickest show in the digital shadows, where EncryptHub is running the ring. This rising cybercrime crew is dazzling victims across platforms like QQ Talk, WeChat, and Google Meet with trojanized apps and clever multi-stage attack chains. They’re even teasing a new act called EncryptRAT to keep their audience on edge. Something wicked is crashing the WordPress party, and it’s not on the guest list. Over 1,000 sites have been slipped a nasty surprise, planting backdoors that swing wide open for hackers. These uninvited intruders are ready to sneak back in and turn the festivities into a free-for-all. These dusty old cameras are stealing the spotlight, but it’s a scene straight out of a cyber horror flick. A critical flaw in Edimax IC-7100 IP cameras has botnets buzzing with excitement, exploiting shaky default passwords. They’re staging a takeover, dropping Mirai malware to keep the chaos rolling.

Mar 6, 2025

Cyware Daily Threat Intelligence, March 06, 2025

Social media’s open doors are proving a playground for malware with a Middle Eastern twist. Desert Dexter, a sly campaign, has been hitting the Middle East and North Africa with a tweaked AsyncRAT. It’s hunting cryptocurrency wallets and chatting with a Telegram bot, spreading through legit file-sharing accounts and Telegram channels. A WordPress plugin’s chatty nature just turned into a hacker’s dream. A critical flaw in the Chaty Pro plugin, used by tens of thousands of websites, lets attackers upload malicious files thanks to lax security checks. Left unpatched, it’s a fast track to site takeovers. LinkedIn’s polished veneer is getting a malware makeover, and it’s a convincing act. Cofense spotted a campaign mimicking LinkedIn InMail, complete with branding and a sales director’s pitch for a quote - though the person’s real, the company’s fake. Those “Read More” and “Reply To” buttons? They’re a one-way ticket to the ConnectWise RAT, sidestepping the usual phishing playbook for something nastier.