Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 14, 2024
Glupteba, a modular malware known for its longevity and adaptability, has resurfaced in a new campaign with a never-before-seen UEFI bootkit. Glupteba's transformation from a backdoor to a powerful botnet underscores its continuous evolution and evasion tactics. Furthermore, Microsoft issued a patch for a Windows Defender SmartScreen zero-day exploited by the financially motivated group Water Hydra to deploy the DarkMe RAT.
This week's Patch Tuesday update addressed a critical vulnerability in SAP ABA (Application Basis) and dozens of Microsoft security issues, including two zero-days. NAS device-maker QNAP also addressed a zero-day that opened the path to RCE attacks.
Cryptocurrency theft rocks PlayDapp
Cybercriminals used a stolen private key to mint and steal over $290 million in PLA tokens from the PlayDapp ecosystem, a blockchain-based platform facilitating NFT trading within games. PlayDapp has since suspended trading, frozen the hacker wallets, and advised users to be cautious. Despite efforts to mitigate the breach, the stolen tokens are being laundered, which is affecting the token's market value. PlayDapp has also announced a $1 million reward for the return of the stolen assets.
ATO attack threatens Azure users
Proofpoint researchers uncovered an active campaign targeting Microsoft Azure environments, banking on credential phishing and cloud account takeover techniques. The threat actors target diverse roles, including senior executives, to access accounts associated with valuable resources across organizational functions. Attackers employ a complex operational infrastructure, including proxies and hijacked domains, to evade detection.
Healthcare breach exposes personal data of millions
Integris Health, Oklahoma's largest not-for-profit healthcare network, disclosed that it suffered a cyberattack last year that compromised the personal information of nearly 2.4 million individuals. Although there were no network interruptions, threat actors accessed sensitive data, including full names, dates of birth, contact details, demographic information, and SSNs. The breach reportedly led to extortion emails being sent to patients.
Glupteba returns with undocumented UEFI bootkit
Glupteba, a long-standing and adaptable malware, returned in a 2023 campaign featuring a previously unseen UEFI bootkit. This sophisticated malware, known for its modular design and multifunctional capabilities, leveraged pay-per-install (PPI) services for widespread distribution. The campaign targeted organizations globally through web-based distribution and phishing attacks, embedding Glupteba within complex infection chains alongside other malware families.
SAP releases critical security update
SAP issued 13 new and updated security notes, notably addressing a critical vulnerability (CVE-2024-22131) in SAP ABA. This flaw, with a CVSS score of 9.1, allows unauthorized users to execute code injections, potentially leading to data compromise and system unavailability. The vulnerability arises from insufficient checks on external calls to a function module, particularly affecting SAP ABA versions 700 to 75I.
QNAP discloses zero-day flaw
QNAP issued patches for two vulnerabilities, including a zero-day flaw. The zero-day (CVE-2023-50358), identified in November 2023, raised concerns despite its moderate severity rating. Unit 42 researchers warned of critical impact, echoed by Germany's BSI. The other flaw is tracked as CVE-2023-47218. The security bugs allow for RCE and command injection, affecting various firmware versions.
Microsoft's Patch Tuesday addresses 73 flaws
Microsoft's Patch Tuesday for February included fixes for 73 vulnerabilities, two of them zero-days under active exploitation. The flaws, CVE-2024-21351 and CVE-2024-21412, allow bypassing of the Windows SmartScreen and Internet Shortcut Files security features, potentially leading to code execution. Trend Micro links exploitation of CVE-2024-21412 to Water Hydra, which uses it to install the DarkMe malware on infected systems. Additionally, five critical flaws in Windows Hyper-V, Microsoft Exchange Server, and Outlook were patched.
DNS flaw disrupts DNSSEC-validating DNS resolvers
Researchers at the German National Research Center for Applied Cybersecurity (ATHENE) have discovered a severe flaw in the DNSSEC specification, dubbed KeyTrap, that leaves DNSSEC-validating DNS resolvers susceptible to denial-of-service attacks. The design flaw, which has existed for over 20 years, lets threat actors exhaust the processing capacity of a vulnerable DNS resolver with a single packet, effectively disabling it and disrupting internet connectivity for users who rely on the affected service.