Cyware Daily Threat Intelligence
Daily Threat Briefing • Dec 29, 2023
Kimsuky's spear-phishing attacks have taken a new twist, with the group now using tools such as AppleSeed and AlphaSeed. AppleSeed, which can exfiltrate files, keystrokes, and screenshots, communicates over HTTP/SMTP, while AlphaSeed is written in Golang and uses chromedp for C2 communications. Additionally, a Russian state-sponsored threat group has been found deploying a new Python malware downloader, MASEPIE, on Ukrainian systems within an hour of gaining an initial foothold.
Moving on. The "Downfall" fan expansion for "Slay the Spire" game was compromised by adversaries to distribute the Epsilon stealer via Steam's update system. Also, Microsoft had to disable the ms-appinstaller protocol handler to prevent malware distribution.
Car dealership firm suffers breach
Eagers Automotive, the largest car dealership operator in Australia and New Zealand, was hit by a cyberattack, prompting a temporary stock trading halt. Concerns rose over a potential data breach and the exposure of sensitive customer information. While expressing regret for the inconvenience, Eagers Automotive did not explicitly address the possibility of a data leak. No ransomware group has claimed responsibility for the incident.
Europe’s largest parking app operator hit
Swedish parking app developer EasyPark Group revealed a data breach affecting an unspecified number of its millions of users. While details about the breach remain limited, compromised information includes names, phone numbers, addresses, emails, and partial credit card/IBAN details. EasyPark warned of potential phishing attacks but assured users that the exposed data doesn't pose a risk of unauthorized transactions.
FTX breach exposes claimants' wallets
Kroll, a risk and financial advisory firm, revealed further details about the August data breach affecting FTX bankruptcy claimants. The exposed data includes coin holdings and balances, enabling threat actors to identify attractive targets heavily invested in cryptocurrencies. The compromised information includes names, email addresses, phone numbers, addresses, claim numbers, claim amounts, FTX account IDs, and, for some, dates of birth.
Russian APT28 uses new malware
Ukraine's CERT reported a phishing campaign by the Russian state-sponsored hacking group APT28 (Fancy Bear) delivering new malware. The campaign featured a new Python malware downloader named 'MASEPIE,' which establishes persistence on infected devices, downloads additional malware, and steals data. APT28 also employed PowerShell scripts ('STEELHOOK') for data theft from Chrome-based browsers and a C# backdoor ('OCEANMAP') for stealthy command execution and retrieval.
Game mod exploited to spread malware
Cybercriminals breached the fan expansion "Downfall" for the game Slay the Spire, distributing the Epsilon info-stealer malware through the Steam update system. The compromised package was a standalone modified version, not a mod installed via Steam Workshop. The attackers compromised one of the developers' Steam and Discord accounts, allowing them to control the mod's Steam account. The malware collects cookies, saved passwords, credit card details, and more from browsers, as well as Steam and Discord information.
Kimsuky attacks with AppleSeed
The North Korean group Kimsuky has been observed using spear-phishing attacks to deliver various backdoors and tools, including AppleSeed, Meterpreter, and TinyNuke, to compromise targeted machines. Cybersecurity firm AhnLab attributed the activity to Kimsuky. The group's espionage campaigns involve spear-phishing attacks with malicious lure documents that deploy different malware families, with a notable Windows-based backdoor being AppleSeed.
GKE vulnerabilities allow privilege escalation
Palo Alto Networks reported vulnerabilities in Google Kubernetes Engine (GKE) that, when chained together, could allow an attacker to escalate privileges and take over a Kubernetes cluster. The vulnerabilities were identified in FluentBit, the default logging agent in GKE, and Anthos Service Mesh (ASM), an optional add-on for controlling service-to-service communication within the environment. If an attacker achieves RCE in the FluentBit container or breaks out of another container, they can exploit these vulnerabilities in the second stage of an attack to gain complete control of the Kubernetes cluster.