Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 1, 2024
Docker security has fumbled once again with the discovery of ‘Leaky Vessels’ - a set of four vulnerabilities exposing containers to security risks. Among them is a highly critical flaw that could potentially compromise entire host systems. In another headline, cybercriminals devised a fresh attack campaign that distributes malware, hosted on compromised WordPress sites, via rigged search ads. The malvertising scheme involves redirecting victims to a decoy site mimicking WinDirStat.
Ivanti drew more heat as new severe flaws were reported in its VPN products; the company said the situation is still evolving and expects exploitation to increase. Refining its game of hide-and-seek, a financially motivated group was observed hiding encoded payloads in user profiles and video descriptions on legitimate sites such as GitHub, Vimeo, and Ars Technica.
Ripple co-founder loses $112 million
Ripple co-founder and executive chairman Chris Larsen fell victim to a cryptocurrency theft, losing roughly $112 million worth of XRP from his personal wallets. The attackers targeted Larsen's accounts; the official @Ripple account was not affected. Larsen said the fraudulent activity was detected quickly and that, with the help of exchanges, the compromised addresses were frozen. The thieves attempted to launder the stolen funds through several crypto exchanges and platforms.
Europcar denies 50 million customer data breach
Car rental company Europcar disputes a threat actor's claim to have breached it and obtained the personal information of 50 million customers. Europcar maintains the data is fake and artificially generated, pointing to inconsistencies such as non-existent addresses and mismatched fields. Security researchers questioned whether AI was really involved, noting that the sample contains real email addresses.
ALPHV attacks firm related to the U.S. govt
Ransomware group ALPHV reportedly stole 300GB of sensitive data from Technica, a Virginia-based IT services firm associated with the U.S. federal government. Criminals assert possession of data related to the Defense Counterintelligence and Security Agency (DCSA), responsible for background investigations. Screenshots posted by the group include names, SSNs, clearance levels, and roles of individuals, along with billing invoices and contracts involving entities like the FBI and U.S. Air Force.
Football Australia exposes passports and contracts
Football Australia (FA) suffered a data breach exposing passports, player contracts, and personal information of Australian players and fans; potentially every FA customer is affected. The exposure, most likely the result of human error, revealed 127 AWS storage "buckets" of FA data, including player details, ticket purchases, and information about FA's digital infrastructure.
Malicious search ads serve malware
Security researchers at Malwarebytes have uncovered a campaign that delivers malware through malicious search ads. The campaign, tracked as Nitrogen, uses a Python-based loader and DLL side-loading to reach its C2 server and often hosts payloads on compromised WordPress sites. The malvertising chain filters visitors by IP address and redirects those that pass to a decoy site resembling the legitimate WinDirStat website.
Legitimate sites abused in USB-based attacks
Financially motivated threat actor UNC4990 uses infected USB devices for initial infection and abuses legitimate online platforms such as GitHub, Vimeo, and Ars Technica to host encoded payloads, Mandiant revealed. The payloads are hidden in forum user profiles or video descriptions; they pose no risk to ordinary visitors of those sites but serve as a stage in the attack chain.
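A defender hunting for this kind of dead-drop content can scan text fields that users control (profile bios, video descriptions, forum signatures) for embedded base64 blobs. The following is an added example, not Mandiant's tooling and not anything the page says UNC4990 used: the profile texts and the "payload" are constructed, and the 64-character minimum run length and the hex filter are my assumptions. It flags runs of base64 alphabet characters that decode cleanly, skips hex digests (which also fit the base64 alphabet and would otherwise be false positives), and gives a text/binary hint from the decoded bytes.

```python
"""Hunt for base64 blobs embedded in user-facing text (profile bios, video descriptions).

Added example, not Mandiant's tooling and not what the page says UNC4990 used.
The profile texts and the "payload" below are constructed; the 64-character
threshold and the hex filter are assumptions.
"""
import base64
import binascii
import re
import string

MIN_RUN = 64  # assumption: shorter runs are mostly tokens, URLs or short hashes

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
_HEX = re.compile(r"[0-9a-fA-F]+")
_PRINTABLE = set(string.printable.encode())


def find_embedded_base64(text):
    """Return candidate blobs as dicts: offset, length, decoded bytes, text/binary hint."""
    hits = []
    for m in _B64_RUN.finditer(text):
        run = m.group(0)
        if _HEX.fullmatch(run):      # hex digests (SHA-256/512) also fit the alphabet
            continue
        if len(run) % 4:             # strict base64 is always a multiple of 4 chars
            continue
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        printable = sum(b in _PRINTABLE for b in decoded) / len(decoded)
        hits.append({
            "offset": m.start(),
            "length": len(run),
            "decoded": decoded,
            "kind": "text" if printable > 0.9 else "binary",
        })
    return hits


def scan_profiles(profiles):
    """Map each profile name to the number of embedded blobs found in its text."""
    return {name: len(find_embedded_base64(text)) for name, text in profiles.items()}


# Constructed inputs: a harmless "payload", a bio that carries it, a clean bio
# with a hex fingerprint, and a binary blob to show the text/binary hint.
PAYLOAD = b"constructed stage-two stub: fetch the next stage and run it (not real malware)\n" * 2
SAMPLE_PROFILE = (
    "Indie game dev. Streams on Tuesdays. Ask me about shaders.\n"
    + "Key fingerprint: " + "7f" * 32 + "\n"
    + "--- " + base64.b64encode(PAYLOAD).decode() + " ---\n"
)
CLEAN_PROFILE = "Hobbyist photographer posting drone footage weekly. Key: " + "ab" * 32 + "\n"
BINARY_SAMPLE = bytes(range(256))
BINARY_PROFILE = "x " + base64.b64encode(BINARY_SAMPLE).decode() + " y"

if __name__ == "__main__":
    for hit in find_embedded_base64(SAMPLE_PROFILE):
        print(hit["offset"], hit["length"], hit["kind"], hit["decoded"][:40])
    print(scan_profiles({"sample": SAMPLE_PROFILE, "clean": CLEAN_PROFILE,
                         "binary": BINARY_PROFILE}))
```

In practice the interesting signal is less the blob itself than who fetches it: pair a scan like this with proxy or EDR telemetry showing non-browser processes requesting profile or video pages on these platforms, since the page itself is harmless to a human visitor.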
New Python-based ransomware variant discovered
Security researchers at K7 Labs uncovered a new ransomware variant written in Python. The executable carries a PDF icon to disguise itself; K7 also describes the binary as compiled C++ code. Behavioral analysis shows the ransomware enumerates drive partitions, selects the file types to encrypt, drops its ransom notes in the targeted paths, and only then begins encryption. Encrypted files receive the ".enc" extension.
US government disrupts KV Botnet
The U.S. government announced a court-authorized operation that took down the KV Botnet, a network made up mostly of end-of-life Cisco and Netgear routers. Researchers had previously tied the botnet to the Chinese state-backed group Volt Typhoon. It used a sophisticated infection procedure and a meticulously hidden C2 infrastructure.
RIP Grandoreiro
Authorities successfully dismantled the Grandoreiro criminal organization, known for using banking trojan malware to commit electronic banking fraud in Spain, Mexico, Brazil, and Argentina. The group, operational since 2017, is suspected of moving at least $3.9 million through fraudulent activities. ESET and the Brazilian Federal Police collaborated to take down the botnet.
‘Leaky Vessels’ affect Docker
Four vulnerabilities, collectively named ‘Leaky Vessels,’ were found in container engine components. The most critical, CVE-2024-21626, affects runc, the lightweight container runtime used by Docker and most other container engines; it enables container escape at both build time and run time, giving an attacker unauthorized access to, and potentially full compromise of, the host. The other three affect BuildKit, Docker's default image-building toolkit, and include a race condition and an arbitrary file deletion flaw. Fixes shipped in runc 1.1.12, BuildKit 0.12.5, and Docker Engine 25.0.2 (24.0.9 on the 24.x branch); because runc is a host-side binary, the fix has to be applied on every node rather than in the images it runs.
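A quick way to tell whether hosts carry the fixed versions, as an added example (not Cyware's, Snyk's, Docker's or runc's code): it parses the output of `runc --version`, `buildkitd --version` and `docker version --format '{{.Server.Version}}'` and compares it against the fixed releases named above, which are assumed from the vendor advisories (runc 1.1.12, BuildKit 0.12.5, Docker Engine 25.0.2 and 24.0.9). The sample outputs in the block are constructed; upstream pre-release tags such as `-rc1` are treated as older than the release they precede, while distro revisions are not.

```python
"""Check container engine versions against the Leaky Vessels fixes.

Added example, not code from Cyware, Snyk, Docker or runc. Fixed versions
are assumed from the vendor advisories: runc 1.1.12 (CVE-2024-21626),
BuildKit 0.12.5, Docker Engine 25.0.2 (24.0.9 on the 24.x branch).
"""
import re
import shutil
import subprocess

# First fixed release per component; docker lists one entry per release branch.
FIXED = {
    "runc": [(1, 1, 12)],
    "buildkit": [(0, 12, 5)],
    "docker": [(24, 0, 9), (25, 0, 2)],
}

# Optional "v", dotted numbers, optional upstream pre-release tag (-rc1, -beta2).
# Distro revisions such as "1.1.5+ds1-1" are not treated as pre-releases.
_VER_RE = re.compile(r"v?(\d+(?:\.\d+)+)(-(?:rc|alpha|beta)\d*)?")


def parse_version(text):
    """Return (version_tuple, is_prerelease) for the first version in text, or None."""
    m = _VER_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))


def status(component, version_text):
    """Classify a component's version string as 'fixed', 'VULNERABLE' or 'unknown'."""
    parsed = parse_version(version_text)
    if component not in FIXED or parsed is None:
        return "unknown"
    ver, prerelease = parsed
    # Compare against the fix on the same major branch; otherwise the earliest fix.
    same_branch = [f for f in FIXED[component] if f[0] == ver[0]]
    fixed = (same_branch or FIXED[component])[0]
    if ver > fixed or (ver == fixed and not prerelease):
        return "fixed"
    return "VULNERABLE"


def local_versions():
    """Collect version output from installed binaries; missing tools are skipped."""
    commands = {
        "runc": ["runc", "--version"],
        "buildkit": ["buildkitd", "--version"],
        "docker": ["docker", "version", "--format", "{{.Server.Version}}"],
    }
    found = {}
    for name, cmd in commands.items():
        if shutil.which(cmd[0]) is None:
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        found[name] = proc.stdout
    return found


# Constructed sample outputs in the formats the three tools print.
SAMPLES = {
    "runc": "runc version 1.1.11\ncommit: v1.1.11-0-g4bccb38\nspec: 1.0.2-dev\n",
    "buildkit": "buildkitd github.com/moby/buildkit v0.12.5-rc1 0123abcd\n",
    "docker": "24.0.7\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"sample    {name:9s} {status(name, text)}")
    for name, text in local_versions().items():
        print(f"this host {name:9s} {status(name, text)}")
```

One caveat: distribution packages often backport the fix while keeping an older upstream version string, so a "VULNERABLE" verdict on a distro-packaged runc should be confirmed against the package changelog before anyone is paged.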
More critical bugs engulf Ivanti
Ivanti issued a warning about two newly discovered high-severity vulnerabilities in its Connect Secure and Policy Secure products. CVE-2024-21888 is a privilege escalation flaw in the web component, and CVE-2024-21893 is a server-side request forgery in the SAML component. Ivanti said CVE-2024-21893 is already being exploited in the wild, that the situation is dynamic, and that multiple threat actors are likely to adapt their tactics quickly to exploit these flaws. Patches for some supported versions and an updated temporary mitigation file have been provided.
Tax-themed lures are back
Cybercriminal group TA576, known for tax-themed lures, has resurfaced, targeting accounting and finance organizations during the U.S. tax season. Using compromised accounts, the group sends initially benign emails asking for help with tax preparation and later delivers remote access trojans. In recent campaigns, TA576 used a Google Firebase URL and an attack chain involving LOLBAS (Living-off-the-Land Binaries, Scripts, and Libraries) and the Parallax RAT.