Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Dec 23, 2021

Exploitation attempts ramping up against Log4j vulnerabilities have put the issue on the discussion table for all organizations. In a joint effort, CISA, FBI, NSA, and a team of cybersecurity leaders have issued an elaborated advisory to mitigate the flaws as they present a severe and ongoing threat to organizations and governments around the world. Meanwhile, NVIDIA and HPE have lately confirmed that some of their products are affected by the Log4j vulnerabilities.

In the last 24 hours, a new ransomware named AvosLocker that comes with unique evasion techniques has piqued the interest of security experts. One of its tactics includes the use of AnyDesk remote IT administrator tool in Windows Safe Mode.

Top Breaches Reported in the Last 24 Hours

Azure flaw exposes source code repositories

Microsoft informed users about source code leaks due to a serious security vulnerability in the Azure App service. The flaw has affected hundreds of source code repositories. It impacted the customers who deployed the application using Local Git. Following the disclosure, the company has taken steps to fix the issue.

Monongalia Health System affected

Monongalia Health System, a hospital system in West Virginia has suffered a data breach due to a phishing attack. As a result, the hackers had access to several email accounts between May and August. These emails also included the personal information of 40,000 patients, providers, employees, and contractors.

Data of Albanians affected

Personal data of some 637,000 Albanians were leaked due to a misconfigured database. The leaky database included employment details and salary data of individuals. So far, there is no evidence of misuse of the data.

Top Malware Reported in the Last 24 Hours

Dridex found in phishing emails

A new phishing email campaign is using fake employee termination emails as a lure to distribute the Dridex trojan. The email includes a malicious Excel document, which then surprises the victim with a season’s greeting message.

New AvosLocker ransomware spotted

A newly found AvosLocker ransomware is actively targeting its victims using new evasion techniques. One of the key features includes running the AnyDesk remote IT administrator tool in Windows Safe Mode. One of the other clever techniques used by the ransomware involves targeting VMware ESXi servers by killing the virtual machines and then encrypting the files.

Top Vulnerabilities Reported in the Last 24 Hours

Updates on Log4j flaws

NVIDIA and HPE join the list of companies that confirmed their products are affected by the Log4j vulnerabilities. The flaws, in concern, are tracked as CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Both the companies have already released patches and mitigations to resolve the vulnerabilities.

Flawed mySCADA product fixed

A dozen vulnerabilities have been addressed in the mySCADA product of myPRO. Addressed in two different advisories, the flaws could have left organizations in the energy, food, and agriculture, water, and transport sectors at risk.

Apache patches two HTTP server flaws

The Apache Software Foundation has released an update to address two separate flaws that can be exploited by attackers to take control over systems. The flaws are tracked as CVE-2021-44790 and CVE-2021-44224. The flaws, which have CVSS scores of 9.8 and 8.2, affect the HTTP server.

Related Threat Briefings

Mar 14, 2025

Cyware Daily Threat Intelligence, March 14, 2025

A new ransomware group is making waves with tactics reminiscent of LockBit. Mora_001 has been exploiting Fortinet vulnerabilities to gain access to networks. Subsequently, it deploys its SuperBlack ransomware, ensuring persistent control before encrypting critical systems. GitLab users should patch now as critical authentication flaws surface. Two newly discovered GitLab vulnerabilities could allow attackers to impersonate users, potentially leading to data breaches and privilege escalation. Security updates have been released to mitigate the risk. Cybercriminals are faking Clop ransomware attacks to scam businesses. Fraudsters are posing as the Clop ransomware gang, fabricating extortion claims to trick victims into paying ransoms for non-existent data breaches.

Mar 13, 2025

Cyware Daily Threat Intelligence, March 13, 2025

A new spyware is lurking in fake apps, and it’s tied to North Korea. KoSpy, a newly discovered Android surveillance tool, is believed to be the work of APT37 and has been targeting Korean and English-speaking users. Distributed via Google Play Store and Firebase Firestore, the spyware could access a plethora of information. Juniper routers are being turned into stealthy backdoors. The Chinese threat group UNC3886 has infiltrated older Juniper MX routers, deploying customized TinyShell backdoors to evade detection. By accessing devices via terminal servers with legitimate credentials, the attackers bypassed Junos OS security protections, allowing persistent access to compromised networks. A widely used font library is now a security risk. Facebook has warned of a critical flaw in FreeType. The bug, caused by an out-of-bounds write, can lead to arbitrary code execution and has been exploited in attacks.

Mar 12, 2025

Cyware Daily Threat Intelligence, March 12, 2025

Copy, paste, and lose everything - MassJacker turns a simple action into a costly mistake. The operation leverages 778,000 fraudulent wallet addresses to siphon digital assets from unsuspecting victims. It has targeted victims by replacing copied cryptocurrency wallet addresses with those controlled by attackers. Exploited in the wild and patched just in time. Microsoft has released security updates fixing 57 vulnerabilities, including six zero-days actively exploited by attackers. The update also addresses 17 Edge browser vulnerabilities, reinforcing the critical need for immediate patching before these flaws can be leveraged for malicious purposes. A botnet is turning home routers into attack platforms, and there’s still no fix in sight. The Ballista botnet is actively exploiting a remote code execution flaw in TP-Link Archer routers, allowing attackers to inject commands without authentication. With thousands of compromised devices and growing, the botnet uses Tor domains for stealth and has been traced back to an Italian-based threat actor.

Mar 11, 2025

Cyware Daily Threat Intelligence, March 11, 2025

A new ransomware strain isn’t just locking up files, it’s locking out hope of recovery. Researchers uncovered EByte Ransomware, a Golang-based malware that’s actively targeting Windows systems with advanced cryptographic techniques, making decryption nearly impossible without the attackers' key. A simple-looking PDF is all it takes for attackers to hijack your system. A new malware strain, Phantom Goblin, is being spread through RAR attachments in phishing campaigns, tricking users into opening a malicious LNK file disguised as a document. It also abuses VSCode tunnels for remote access. Attackers don’t need new tricks when unpatched systems do the job for them. The CISA has flagged five new vulnerabilities under active exploitation, affecting Advantive VeraCore and Ivanti Endpoint Manager. The VeraCore flaw exploitation is linked to a likely Vietnamese threat group, while the Ivanti EPM vulnerabilities allow attackers to coerce credentials for further access.

Mar 10, 2025

Cyware Daily Threat Intelligence, March 10, 2025

When cybercriminals upgrade their arsenal, staying hidden becomes easier than ever. Several ransomware and cybercrime groups are leveraging the Ragnar Loader malware toolkit to maintain long-term access to compromised systems. Constantly evolving with new features, Ragnar Loader has become more modular and harder to detect. A single flaw in a widely used API almost handed attackers full control over vulnerable applications. The Volt API for Livewire recently patched a critical remote code execution vulnerability. The issue has been fixed in version 1.7.0, and users are strongly urged to update to prevent exploitation. A billion devices, a hidden backdoor, and tens of undocumented commands that could change everything. Security researchers have uncovered a major issue in ESP32 revealing 29 undocumented commands that attackers could exploit for spoofing devices, unauthorized data access, and long-term persistence. This vulnerability raises concerns over supply chain security, as OEMs could unknowingly ship compromised devices.

Mar 7, 2025

Cyware Daily Threat Intelligence, March 07, 2025

Step right up to the slickest show in the digital shadows, where EncryptHub is running the ring. This rising cybercrime crew is dazzling victims across platforms like QQ Talk, WeChat, and Google Meet with trojanized apps and clever multi-stage attack chains. They’re even teasing a new act called EncryptRAT to keep their audience on edge. Something wicked is crashing the WordPress party, and it’s not on the guest list. Over 1,000 sites have been slipped a nasty surprise, planting backdoors that swing wide open for hackers. These uninvited intruders are ready to sneak back in and turn the festivities into a free-for-all. These dusty old cameras are stealing the spotlight, but it’s a scene straight out of a cyber horror flick. A critical flaw in Edimax IC-7100 IP cameras has botnets buzzing with excitement, exploiting shaky default passwords. They’re staging a takeover, dropping Mirai malware to keep the chaos rolling.

Mar 6, 2025

Cyware Daily Threat Intelligence, March 06, 2025

Social media’s open doors are proving a playground for malware with a Middle Eastern twist. Desert Dexter, a sly campaign, has been hitting the Middle East and North Africa with a tweaked AsyncRAT. It’s hunting cryptocurrency wallets and chatting with a Telegram bot, spreading through legit file-sharing accounts and Telegram channels. A WordPress plugin’s chatty nature just turned into a hacker’s dream. A critical flaw in the Chaty Pro plugin, used by tens of thousands of websites, lets attackers upload malicious files thanks to lax security checks. Left unpatched, it’s a fast track to site takeovers. LinkedIn’s polished veneer is getting a malware makeover, and it’s a convincing act. Cofense spotted a campaign mimicking LinkedIn InMail, complete with branding and a sales director’s pitch for a quote - though the person’s real, the company’s fake. Those “Read More” and “Reply To” buttons? They’re a one-way ticket to the ConnectWise RAT, sidestepping the usual phishing playbook for something nastier.

Mar 5, 2025

Cyware Daily Threat Intelligence, March 05, 2025

The internet’s weakest links are turning into a cyber army with an Iranian twist. The new Eleven11bot botnet, loosely tied to Iran, has hijacked tens of thousands of IoT devices to unleash massive DDoS attacks on telecoms and gaming servers across the world. Booking a trip shouldn’t come with a side of malware, but here we are. A slick new campaign is sneaking LummaStealer onto devices worldwide through fake CAPTCHAs on booking websites, leveraging malvertising to snag victims in places like the Philippines and Germany with this info-stealing menace. Snail mail just got a sinister upgrade in the scam department. Fraudsters posing as the BianLian ransomware gang are mailing tailored ransom notes, demanding Bitcoin payments to keep “stolen” data under wraps. However, it’s a bluff and not a breach.

Mar 4, 2025

Cyware Daily Threat Intelligence, March 04, 2025

In a digital masquerade, attackers are wielding trust as a weapon to breach elite targets. A highly targeted phishing campaign has struck a few UAE entities in aviation and satellite communications, deploying a new backdoor called Sosano. Using a hijacked email account from an Indian firm, the attackers sent polyglot PDFs, designed to exploit multiple formats. Your smartphone might be a gateway to more than just selfies in this lawless digital frontier. Google’s latest Android Security Bulletin confronts 44 vulnerabilities, with two actively exploited flaws in Cisco and Windows systems that could hand attackers the keys to your device. Patches are rolling out fast to help lock things down. Sometimes a simple click can unravel a digital Pandora’s box. A new ClickFix campaign is luring victims into running malicious PowerShell commands. It installs the Havoc post-exploitation framework, granting attackers remote access to the compromised device.

Mar 3, 2025

Cyware Daily Threat Intelligence, March 03, 2025

In a digital game of cat and mouse, cybercriminals are upping their ante with a new trick up their sleeve. The Black Basta and Cactus ransomware groups have armed themselves with BackConnect malware to maintain persistent control over compromised machines and exfiltrate sensitive data. Once inside, BackConnect—linked to the infamous QakBot loader—takes the reins, ensuring the attackers keep their grip even after initial access. Phishing emails are casting a wider net, and this time, they’re impersonating the taxman. FortiGuard Labs has uncovered a new wave of cyberattacks targeting Taiwanese companies with the sophisticated Winos 4.0 malware. Spread through phishing emails, the malware arrives via a malicious attachment posing as a tax inspection list. Winos 4.0 is a modular menace, boasting of multiple functionalities. Even the smallest chip can have a big impact when it comes to security. MediaTek revealed 10 newly discovered vulnerabilities in its chipsets, which power smartphones, tablets, AIoT devices, and smart TVs. Affected chipsets include the MT67xx, MT68xx, and MT69xx series. MediaTek has issued patches to manufacturers.

Feb 28, 2025

Cyware Daily Threat Intelligence, February 28, 2025

Stay ahead of emerging cyber threats with the latest intelligence on the Vo1d botnet infecting Android TV devices, Redox Stealer spreading via GitHub, and a critical Better Auth vulnerability. Plus, insights on Mustang Panda and Lotus Blossom espionage campaigns, Nakivo backup software flaws, and scams hijacking Google Chrome extensions and PayPal checkout. Get the latest cybersecurity updates now!

Feb 26, 2025

Cyware Daily Threat Intelligence, February 26, 2025

It took just one cleverly disguised Batch script to outmaneuver security tools for over 48 hours, slipping past defenses with ease. A new malware delivery framework is making waves with its advanced obfuscation techniques, allowing it to remain undetected for an extended period. The malware, deploying either XWorm or AsyncRAT, operates almost entirely in memory, minimizing its footprint. The irony couldn’t be greater - an advanced security training platform now carries a critical vulnerability that lets attackers turn the tables. A severe RCE flaw has been discovered in MITRE’s Caldera, an open-source tool designed for simulating cyber threats. The vulnerability affects all versions except 5.1.0+ and the latest master branch, enabling attackers to take over systems remotely. A viral video you’ll regret clicking - scammers have found a new way to bait their victims. Researchers uncovered a surge in phishing campaigns that use fake viral video links to lure users into downloading malware. The attack starts with a deceptive PDF file claiming to contain a must-watch clip, but clicking the link sends victims down a rabbit hole of fake pages, intrusive ads, and misleading download buttons.