
Cyware Daily Threat Intelligence

Daily Threat Briefing Dec 11, 2023

Despite patches being available for over two years, approximately 38% of applications using the Apache Log4j library have been found vulnerable to Log4Shell, a critical remote code execution flaw. Meanwhile, a set of vulnerabilities, dubbed 5Ghoul, was spotted in Qualcomm and MediaTek 5G modems that affects 714 smartphone models. Temporary service disruptions and network downgrades are the most probable outcomes. Guess what? These flaws are easily exploited over-the-air, requiring no knowledge of the target's SIM card details.

Another feather in law enforcement’s cap but maybe too soon to celebrate. BlackCat’s leak site is reportedly down due to law enforcement action. However, experts claim it didn’t do much harm as adversaries are confident of bouncing back.

Top Breaches Reported in the Last 24 Hours

Norton Healthcare suffers breach

Norton Healthcare, Kentucky, disclosed a data breach following a ransomware attack in May. The AlphV/BlackCat group claimed responsibility for the attack, stating that it exfiltrated 4.7 TB of data. The breach exposed the personal information of millions of patients, employees, and dependents. The compromised information included names, contact details, SSNs, dates of birth, health information, insurance details, and medical identification numbers.

PLAY ransomware cripples transit company

The Greater Richmond Transit Company, which manages the transit system for central Virginia, experienced a cyberattack around Thanksgiving, resulting in a network disruption. The Play ransomware gang claimed responsibility for the attack and posted information on its leak site. The group has given GRTC until December 13 to pay an undisclosed ransom.

Top Malware Reported in the Last 24 Hours

GuLoader adopts new evasion tricks

Operators of GuLoader introduced an enhanced version of the malware featuring improved anti-analysis capabilities. GuLoader is typically spread through phishing campaigns, often involving ZIP archives or links containing VBScript files. The method "consists of breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address," experts at Check Point noted.

BlackCat group’s leak site down

The Tor-based leak site associated with the BlackCat ransomware group, also known as ALPHV, has been inaccessible since December 7, leading to speculation that it has been taken down by law enforcement. Threat intelligence company RedSense reported that the shutdown was likely due to a law enforcement action, as indicated by conversations among threat actors. RedSense Chief Research Officer Yelisey Bohuslavkiy confirmed that the cybercriminals expect everything to be restored soon, suggesting that the impact on their operation and infrastructure was limited.

Top Vulnerabilities Reported in the Last 24 Hours

PoolParty: New process injection techniques

Researchers from SafeBreach revealed a collection of eight process injection techniques, collectively named PoolParty, capable of achieving code execution on Windows systems while evading EDR systems. The techniques leverage the Windows user-mode thread pool, targeting worker factories to insert malicious shellcode into target processes. PoolParty has shown a 100% success rate against popular EDR solutions, making it a potent and flexible tool for threat actors.

Nearly 40% of organizations vulnerable to Log4j

A recent analysis by Veracode uncovered that 38% of applications are still using vulnerable versions of Log4j, two years after the discovery of the high-severity bug tracked as CVE-2021-44228. The study covered 38,278 unique applications running Log4j versions 1.1 to 3.0.0-alpha1 across 3,866 organizations. The majority (32%) of the vulnerable applications were running Log4j2 1.2.x, exposing them to three critical flaws. Another 3.8% were using Log4j2 2.17.0, which contains CVE-2021-44832.

5Ghoul impacts 714 smartphone models

Researchers from the Singapore University of Technology and Design discovered a set of security vulnerabilities named 5Ghoul in the firmware implementation of 5G mobile network modems from major chipset vendors, including Qualcomm and MediaTek. The 5Ghoul vulnerabilities impact 714 smartphones from 24 vendors, including Samsung, OnePlus, Oppo, Vivo, Xiaomi, Apple, and Google. Threat actors can exploit the flaws to block or manipulate 5G connections, downgrade connectivity to 4G, and deceive 5G-enabled target devices into connecting to rogue base stations.

Android Autofill exploited to steal credentials

At the Black Hat Europe conference, security researchers presented a new attack named AutoSpill that targets Android password managers during the autofill operation. The attack exploits weaknesses in Android's autofill process, allowing a rogue app to capture auto-filled credentials without user awareness. Tests revealed vulnerabilities in password managers like 1Password, LastPass, Enpass, Keeper, and Keepass2Android when using Android's autofill framework.

Critical bugs in Delta Electronics products

Multiple flaws have been discovered in Delta Electronics' operational technology monitoring product, InfraSuite Device Master. The affected product, designed for real-time monitoring of critical devices in data center facilities, contained two critical bugs that could be exploited by a remote, unauthenticated attacker to execute arbitrary code on the system. Two other high-severity vulnerabilities were also found, allowing for remote code execution and the extraction of sensitive information.

Critical file upload flaw in Apache Struts 2

The Apache Software Foundation addressed a critical file upload vulnerability, CVE-2023-50164, in the Struts 2 open-source development framework. The flaw existed in the file upload logic and could be exploited by attackers to enable path traversal, leading to the uploading of a malicious file that could execute arbitrary code remotely. The vulnerability affects Struts versions 2.0.0 to 2.3.37, Struts versions 2.5.0 to 2.5.32, and Struts versions 6.0.0 to 6.3.0.
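The defensive counterpart to a file-upload path traversal is to never let a client-supplied name choose the directory, and to confine what it may choose for the file itself. The Python below is an added example of that hardening, not Struts code and not the Apache fix: the upload root, the extension allow-list and the sample filenames are assumptions constructed for illustration.

```python
import os
import re

# Assumed upload root for this example (not from the page).
UPLOAD_ROOT = "/srv/app/uploads"

# Stored names must start with an alphanumeric and use a conservative
# character set; leading dots (hidden files, '..') and everything exotic fail.
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Server-side extension allow-list; script and executable types are absent.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}


def safe_upload_path(client_filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Return an absolute path inside upload_root for a client-supplied
    filename, or raise ValueError if the name is not acceptable."""
    root = os.path.abspath(upload_root)

    # 1. Directory components from the client are never honoured, so a
    #    traversal name such as '../../webroot/x.jsp' is rejected here.
    if "/" in client_filename or "\\" in client_filename or "\x00" in client_filename:
        raise ValueError(f"rejected upload filename: {client_filename!r}")

    # 2. Character allow-list, then extension allow-list (case-insensitive).
    if not _SAFE_NAME_RE.match(client_filename):
        raise ValueError(f"rejected upload filename: {client_filename!r}")
    extension = os.path.splitext(client_filename)[1].lower()
    if extension not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload extension: {extension!r}")

    # 3. Defence in depth: after joining and normalising, the result must still
    #    sit strictly below the upload root even if a check above regresses.
    candidate = os.path.abspath(os.path.join(root, client_filename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"rejected upload path: {candidate!r}")
    return candidate


def is_accepted(client_filename: str) -> bool:
    """Convenience predicate: does safe_upload_path accept this name?"""
    try:
        safe_upload_path(client_filename)
        return True
    except ValueError:
        return False


# Constructed sample names a handler might receive.
SAMPLE_NAMES = [
    "report.pdf",
    "photo.JPG",
    "../../webroot/x.jsp",
    "..\\x.jsp",
    "x.jsp",
    ".htaccess",
    "a\x00b.pdf",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:28} -> {'accepted' if is_accepted(name) else 'rejected'}")
```

A stricter variant stores the file under a server-generated random name and keeps the client's name only as metadata, which removes the filename from the trust boundary altogether; the checks above are the minimum when the original name has to be preserved on disk.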
