Cyware Daily Threat Intelligence
Daily Threat Briefing • Feb 9, 2024
We use cookies to improve your experience. Do you accept?
Daily Threat Briefing • Feb 9, 2024
In a fresh finding, security experts highlighted Raspberry Robin's alarming tactic shift towards buying newer exploits for faster cyber attacks. This shift suggests either direct involvement or close association with exploit developers. Separately, a prominent e-commerce platform launched in 2022 faces phishing scams exploiting fake giveaway codes, with cybercriminals sending phishing emails using over 800 new domains. The past two weeks have witnessed dozens of these scams.
The crisis with Fortinet deepens with a couple of new critical bugs in FortiOS. Worst, one of them is being exploited in the wild and not much has been made public regarding the bug. Meanwhile, actors behind Raspberry Robin were spotted hoarding recent exploits to sharpen its attacks.
SEIU Local 1000 grapples with ransomware attack
SEIU Local 1000, a major California union, confirmed network disruptions following a cyber incident. The LockBit ransomware group claimed to have stolen 308GB of sensitive data, including SSNs and financial documents. Despite disruptions, the union asserts continued advocacy for workers' rights amidst ongoing operations, emphasizing resilience against coordinated attacks.
Black Basta hits Hyundai Motor Europe
Hyundai Motor Europe confirmed a ransomware attack by Black Basta threat actors, who claim to have stolen 3TB of corporate data. Initially downplayed as IT issues, Hyundai later acknowledged the breach, citing unauthorized access to a portion of its network. While the type of data impacted remains undisclosed, stolen folder lists hint at sensitive information across legal, sales, human resources, accounting, IT, and management departments.
The resurgence of .tprc ransomware
A ransomware strain dubbed .tprc resurfaced with a sophisticated overhaul, wreaking havoc on the healthcare and education sectors. Utilizing deceptive tactics, it infiltrates systems through regasm.exe, encrypting files and holding data hostage until a ransom is paid. It is also capable of pulling off file traversal attacks. Additionally, it establishes persistence via registry manipulation and PowerShell scripts, solidifying its foothold in compromised systems.
Raspberry Robin on a shopping spree
Check Point Research revealed a concerning trend in the tactics of the notorious malware, Raspberry Robin, indicating a transition towards purchasing exploits for swifter cyber assaults. Previously, the malware operators integrated exploits for year-old vulnerabilities but now prioritize exploits less than a month old, emphasizing speed for increased attack success rates. Raspberry Robin's evolution includes sophisticated anti-analysis measures and resilience enhancements.
XLoader evolves with automatic execution tactic
McAfee revealed a concerning evolution in the XLoader Android malware, operated by the financially motivated threat actor Roaming Mantis. This latest iteration now automatically executes upon installation, bypassing the need for user interaction. It employs sophisticated techniques, including Unicode string obfuscation and impersonation of legitimate apps like Chrome, to deceive users into granting risky permissions.
Coyote banking trojan poses global risk
Researchers uncovered a new banking trojan named Coyote. It is targeting at least 61 online banking applications, primarily in Brazil. Characterized by its sophisticated components and tactics, Coyote represents a significant evolution in Brazil's financial malware landscape. While currently Brazil-focused, its potential to expand globally warrants attention from security teams.
Zardoor backdoor targets non-profit org
Cisco Talos took the wraps off of an ongoing espionage operation, targeting a Saudi Arabian Islamic charity with the Zardoor malware. The threat actor employs sophisticated techniques, including custom backdoors and modified reverse proxy tools like FRP and Venom. Zardoor establishes persistence, moves laterally using WMI, and maintains C2 communication.
Fortinet warns of actively exploited bug
Fortinet issued warnings regarding two critical vulnerabilities in FortiOS, including CVE-2024-21762 which is being actively exploited in the wild. This RCE flaw affects SSL VPN and can be exploited via specially crafted HTTP requests. Another flaw, CVE-2024-23113, poses a similar risk but is not currently exploited. The firm has urged users to disable SSL VPN as a temporary fix.