Cyware Daily Threat Intelligence
Daily Threat Briefing • Dec 22, 2023
LONEPAGE, FalseFont, and a new variant of the Chameleon trojan have come under the lens of researchers. These malware families were spotted in different espionage campaigns targeting users and organizations worldwide. While LONEPAGE is capable of deploying additional payloads to record keystrokes, steal victims’ information, and capture screenshots, FalseFont allows its operators to remotely access an infected system, launch additional files, and send information to its C2 servers. Meanwhile, the new variant of the Chameleon trojan comes with a notable capability to disable fingerprint and face unlock authentication on Android phones.
In another story, CISA issued ICS advisories for vulnerabilities affecting Future X Communications (FXC) routers and QNAP network video recorder (NVR) devices. Customers are advised to apply the security patches as soon as possible.
Liberty Hospital deals with cyberattack
Liberty Hospital in Missouri is facing patient care challenges after a cyberattack disrupted its computer systems. While investigations are ongoing to identify the source, the hospital has been forced to transfer some of its patients to other hospitals because of the system downtime.
Espionage attack against companies
A Russian agro-industrial enterprise and a state-owned research company were targeted in a new espionage campaign by the Cloud Atlas group. As part of the infection chain, the attackers sent their victims phishing emails with malicious attachments that deployed an exploit for CVE-2017-11882, a vulnerability affecting Microsoft Office. Successful exploitation of this bug allows attackers to execute arbitrary code with user privileges.
St Vincent’s Health Australia affected
Australia’s largest not-for-profit health and aged care provider, St Vincent’s Health, confirmed that it fell victim to a cyberattack that impacted some of its data. An investigation is underway to understand the nature and scope of the attack. Meanwhile, the healthcare provider has confirmed that the ability to deliver services to patients, residents, and the broader community is not affected.
Goyzer leaks data of 690,000 customers
A MongoDB database belonging to Goyzer that had been left accessible without a password was found leaking details of around 690,000 customers before it was secured. The exposed details included names, email addresses, phone numbers, and scanned copies of receipts, checks, contracts, and IDs. According to security researchers, the database was populated with data about customers from Dubai.
First American affected
First American Financial Corporation took some of its systems offline following a cyberattack. The attack has disrupted computer networks at more than 1,000 business and government entities. The company is working to return to normal operations as soon as possible.
New version of Chameleon trojan spotted
An updated version of an Android banking malware called Chameleon has expanded its targeting to include users in the U.K. and Italy. The new variant is delivered via the Zombinder DaaS. It is capable of disabling fingerprint and face unlock authentication, forcing a fallback to PIN entry, and then stealing device PINs by abusing Android’s Accessibility Service.
LONEPAGE delivered via WinRAR flaw
The threat actor known as UAC-0099 has been found delivering a malware strain, named LONEPAGE, by exploiting a high-severity flaw in WinRAR. The attack was aimed at Ukrainian employees working for companies outside of Ukraine. LONEPAGE is a VBS malware capable of deploying additional payloads to record keystrokes, steal victims’ information, and capture screenshots.
FalseFont custom backdoor unveiled
A never-before-seen backdoor called FalseFont was used in a campaign targeting organizations in the defense industrial base sector. The malware comes with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers. The malware is believed to be the work of APT33 (aka Refined Kitten).
CISA issues ICS advisories
CISA released ICS advisories for vulnerabilities affecting Future X Communications (FXC) routers and QNAP network video recorder (NVR) devices. One of these flaws (CVE-2023-49897) affects the AE1021 and AE1021PE outlet wall routers made by the Japanese company FXC, which are typically used in hotels and residential units. The second advisory covers a high-severity vulnerability (CVE-2023-47565) affecting QNAP VioStor NVR devices.
ESET issues security patches
ESET has issued patches for several of its endpoint and server security products to address a high-severity flaw (CVE-2023-5594). It can be exploited to make web browsers trust potentially dangerous websites that rely on outdated and insecure algorithms. The flaw exists in the SSL/TLS protocol scanning feature of ESET products.