Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 13, 2024
Orange Cyberdefense discovered a backdoor called DSLog being deployed on Ivanti gateways after exploitation of a known flaw. The ongoing campaign has turned up nearly 700 compromised appliances, underscoring the urgency of applying updates and mitigations. Also under active exploitation is a cross-site scripting (XSS) bug in the Roundcube webmail server, which federal agencies must patch by March 4 under a CISA directive. Similar XSS flaws in Roundcube and Zimbra have previously been abused to target government entities in Europe and NATO.
In malware news, Revenge RAT is being delivered behind legitimate-looking tools, Warzone RAT has been taken down by law enforcement, and a decryptor for Rhysida ransomware has been released. Meanwhile, DarkGate loader infections are on the rise in the U.S. and Europe.
Finance firm takes systems offline
Willis Lease Finance Corporation disclosed a cybersecurity incident after Black Basta listed it as a victim on its leak site. The company detected a potential breach on January 31. While systems were taken offline and no unauthorized activity has been identified since February 2, the extent of data compromise is still under assessment. Black Basta claims to have stolen 910 GB of company data, including customer information, HR documents, and passport scans.
Criminals claim foothold in Venezuela's electoral system
The Medusa and LockBit ransomware groups may have had access to Venezuela's electoral systems for some time. The breach allegedly targeted Smartmatic and other entities, raising alarms about the security of the country's electoral infrastructure. Screenshots circulating on the dark web and social media, purportedly taken from Smartmatic systems, suggest that voting information was compromised.
Ransomware at vendor exposes bank customers' data
Bank of America notified customers of a data breach at its service provider Infosys McCamish Systems that exposed names, addresses, Social Security numbers, and financial data. Approximately 57,000 individuals were directly affected. The breach occurred in November 2023 and is attributed to the LockBit ransomware gang. It adds to a series of recent incidents at Bank of America's partners, highlighting the third-party risk the bank continues to face.
U.S. manufacturer operations jeopardized
Garon Products Inc., a U.S. manufacturer of concrete repair products, has allegedly been hit by a ThreeAM ransomware attack that threatens its operations. Garon Products has not issued a statement, but the claim underscores the persistent danger that ransomware groups like ThreeAM pose to SMEs.
Ivanti flaw abused to deploy DSLog backdoor
Attackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the DSLog backdoor. Tracked as CVE-2024-21893, the flaw lets an unauthenticated attacker reach restricted resources on the appliance, bypassing authentication. The backdoor, discovered by Orange Cyberdefense, gives the attacker remote command execution on the compromised appliance. Nearly 700 Ivanti devices were found compromised.
Decryptor for Rhysida ransomware out
Korean researchers identified a weakness in Rhysida ransomware's encryption process and used it to build a decryptor. Rhysida, which practices double extortion, encrypts files with ChaCha20 and protects the keys with a 4096-bit RSA key. Analyzing the encryption routine, the researchers found that the ransomware seeds its PRNG from the execution time, which let them recover the generator's state and the order in which files were encrypted.
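The weakness described above, a PRNG seeded from the execution time, is worth seeing in code. The following is an added illustration, not Rhysida's own routine or the researchers' decryptor: the real sample uses ChaCha20 with a 4096-bit RSA key, while here a SHA-256 counter-mode keystream stands in for the stream cipher so the script runs on the standard library alone. The timestamp, file contents, and one-hour search window are constructed assumptions. The point it makes is the same as the research: if the seed is a timestamp in seconds, a known file header plus the encrypted file's modification time bound the search to a few thousand candidates.

```python
"""Why a time-seeded PRNG lets a defender recover ransomware keys.

Constructed illustration (not Rhysida's code): a SHA-256 counter-mode keystream
stands in for ChaCha20. The modelled flaw is that the key material is derived
from time() in seconds, so the seed can be brute-forced from a known plaintext
header and the file's modification time.
"""
import hashlib


def keystream(seed: int, length: int) -> bytes:
    """Expand an integer seed into `length` bytes (SHA-256 in counter mode)."""
    key = hashlib.sha256(seed.to_bytes(8, "big")).digest()
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_time_seed(plaintext: bytes, seed_time: int) -> bytes:
    """The flaw being modelled: the keystream seed is the encryption timestamp."""
    return xor_bytes(plaintext, keystream(seed_time, len(plaintext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes, t_start: int, t_end: int):
    """Brute-force the timestamp seed over [t_start, t_end] using a known file
    header (e.g. b"%PDF-" for a PDF). Returns the seed, or None if no candidate
    in the window reproduces the header."""
    n = len(known_prefix)
    head = ciphertext[:n]
    for candidate in range(t_start, t_end + 1):
        if xor_bytes(head, keystream(candidate, n)) == known_prefix:
            return candidate
    return None


def decrypt(ciphertext: bytes, seed: int) -> bytes:
    return xor_bytes(ciphertext, keystream(seed, len(ciphertext)))


def demo():
    """Constructed victim file and timestamp (assumption: encryption happened at
    1707800000, roughly Feb 13 2024 UTC; the defender only knows the mtime +/- 1 h)."""
    plaintext = b"%PDF-1.7\n" + b"quarterly report contents" * 4
    real_seed = 1707800000
    ciphertext = encrypt_with_time_seed(plaintext, real_seed)
    mtime = real_seed + 17  # the filesystem mtime is written just after encryption
    seed = recover_seed(ciphertext, b"%PDF-", mtime - 3600, mtime + 3600)
    ok = seed is not None and decrypt(ciphertext, seed) == plaintext
    return seed, ok


if __name__ == "__main__":
    print(demo())
```

Scanning a one-hour window is 7,201 candidates, each costing two hash computations; the same approach scales to a window of days. A per-file key derived from a properly seeded CSPRNG (or from the operating system's random source) would not be recoverable this way, which is why this class of bug is what decryptor authors look for first.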
International operation seizes Warzone RAT
The DOJ, working with international partners, announced on February 9 that it had seized the domains used to sell the Warzone RAT. The RAT let cybercriminals steal information and spy on victims, among other malicious activities. Two suspects were arrested in Malta and Nigeria for their roles in distributing the malware.
Revenge RAT disguised as legitimate tools
Threat actors are using programs posing as tools such as "smtp-validator" and "Email to SMS" to deliver Revenge RAT. The infection chain starts with "setup.exe", which downloads additional payloads named svchost.exe and explorer.exe. These files register themselves in the autorun registry keys for persistence and contact C2 servers to download and execute HTML files.
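The persistence pattern above, payloads named after Windows system binaries dropped into user-writable paths and registered under a Run key, is easy to sweep for. The script below is an added example, not from the original report: it parses the text that `reg query <key>` prints on Windows and flags entries whose image name mimics a system binary but does not live under the Windows directory. The sample output is constructed, and the list of names checked is illustrative rather than exhaustive.

```python
"""Flag Run-key entries that mimic a Windows system binary from outside C:\\Windows.

Added example. Parses `reg query` output (e.g. of HKCU and HKLM
...\\Microsoft\\Windows\\CurrentVersion\\Run) and reports entries whose executable
is named like a system binary but is not located under the Windows directory.
"""
import re
from pathlib import PureWindowsPath

# Assumption: an illustrative set of names worth checking, not an exhaustive one.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\",)
RUN_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*\\(Run|RunOnce)$", re.IGNORECASE)

# Constructed `reg query` output: a legitimate OneDrive entry, the genuine
# svchost.exe in System32, and two masquerading payloads dropped into AppData.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Netsvcs    REG_SZ    C:\Windows\System32\svchost.exe -k netsvcs
    svchost    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    explorer    REG_SZ    C:\Users\alice\AppData\Local\Temp\explorer.exe
"""


def parse_reg_query(text: str):
    """Yield (key, value_name, data) triples from `reg query` output.
    Key lines are flush-left; value lines are indented and separated by runs of spaces."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3 and parts[1].startswith("REG_"):
            yield key, parts[0], parts[2]


def extract_image_path(data: str) -> str:
    """Return the executable path from a Run value, with or without quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def find_masquerading_autoruns(text: str):
    """Return (key, value_name, image_path) for Run/RunOnce entries whose executable
    is named like a system binary but sits outside the Windows directory."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if not RUN_KEY_RE.match(key):
            continue
        path = extract_image_path(data)
        base = PureWindowsPath(path).name.lower()
        if base in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_DIR_PREFIXES):
            hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_masquerading_autoruns(SAMPLE_REG_QUERY):
        print(f"SUSPICIOUS {key}\\{name} -> {path}")
```

On a live host, pipe the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM and RunOnce keys) into `find_masquerading_autoruns()`. The path check is deliberately a prefix test on the Windows directory rather than a full allowlist, so it also catches copies placed in Temp, ProgramData, or a user profile; pair it with a hash or signature check before treating a hit as confirmed.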
DarkGate emerges as key threat
EclecticIQ analysts noted a surge in DarkGate loader usage. DarkGate is in high demand among financially motivated groups such as TA577 and Ducktail and has been used against targets in Europe and the U.S. Abusing legitimate services such as Google DoubleClick ad links and cloud storage for delivery, DarkGate is advertised as Malware-as-a-Service (MaaS) on cybercrime forums. Recent phishing attempts targeted institutions such as Bank Deutsches Kraftfahrzeuggewerbe using automotive-themed lures.
Bumblebee resurfaces with fresh attacks
Proofpoint research revealed the resurgence of Bumblebee malware after a four-month hiatus, featuring a notably different attack strategy. The campaign, observed in February 2024, employs social engineering tactics, sending emails with OneDrive URLs posing as voicemail notifications. While the threat actor behind the new campaign remains unidentified, similarities suggest potential ties to TA579 group activities.
Roundcube XSS bug under active exploitation
CISA warned that a previously patched vulnerability in the Roundcube webmail server is being exploited. Tracked as CVE-2023-43770, the XSS flaw affects versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3, and lets attackers access restricted information via malicious links in plain-text messages. CISA urged federal agencies to prioritize the fix to secure their Roundcube webmail servers.
QR codes and voicemails used for credential harvesting
Check Point Harmony Email researchers reported a surge in attacks built around fake voicemail notifications, with over 1,000 incidents detected in the last 14 days. The scammers exploit the fact that corporate phone systems deliver voicemails by email, embedding malicious links in the fake voicemail playback to harvest credentials. Some messages instead carry QR codes with conditional routing, and the lures impersonate reputable brands such as the payment processor Square.