Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 21, 2024
Reiterating the importance of uninstalling unused programs, security experts at VMware warned admins to remove the discontinued VMware Enhanced Authentication Plug-in due to two unpatched security flaws. Attackers could exploit them for authentication relay and session hijacking. Meanwhile, researchers have noted a surge in banking malware campaigns exploiting Google Cloud Run, with indications of spreading beyond Latin America.
A widely used open-source CMS patched cross-site scripting (XSS) issues in its latest release, potentially affecting millions of websites and allowing for remote code execution. Furthermore, the NCSC warns small organizations of security risks to their Private Branch Exchange (PBX) phone systems, vulnerable to remote attacks due to misconfigurations.
Hacking contractor exposes sensitive data
Internal documents leaked from iSoon, a Chinese hacking contractor, offered a peek into a workforce engaged in government-led hacking operations, mainly for China's Ministry of Public Security. The leak (including spreadsheets, chat logs, and marketing materials), posted on GitHub, exposed low wages and shared hacking tools such as the Winnti backdoor and PlugX RAT. The documents also suggest that NATO countries may have been among the targets.
Major attack on PSI Software
Operations at Germany-based PSI Software were disrupted by a ransomware attack that impacted internal systems, prompting the company to shut down external connections and systems. While the attack vector is still being determined, no customer systems appear to have been compromised. Hunters International, a RaaS operation, claimed responsibility for the attack, allegedly stealing over 36,000 files totaling 88GB.
School district in deep waters
Prince George’s County Public Schools, a Washington, D.C. suburban school district, disclosed that the ransomware attack from last year also compromised the personal information of nearly 100,000 individuals. The incident led to a network outage, with the Rhysida ransomware gang reportedly posting PGCPS data online in November. Affected data varied per person and included names, financial details, and Social Security Numbers.
Banking malware exploits Google Cloud Run
Researchers from Cisco Talos identified a surge in campaigns leveraging the Google Cloud Run service to distribute banking malware, including Astaroth, Mekotio, and Ousaban. The attackers use invoice or financial-document themes to lure victims, often posing as local government tax agencies. The malicious links in these emails lead to threat actor-controlled Cloud Run web services, from which the malware is dropped.
Ransomware source code for sale
The source code for the Knight ransomware 3.0 is reportedly up for sale, exclusively to a single buyer, on a hacker forum. The Knight ransomware, initially launched as a re-brand of the Cyclops operation, targeted Windows, macOS, and Linux/ESXi systems. Version 3.0 of the ransomware's locker, released on November 5, 2023, boasted faster encryption and other improvements. While the reason behind the sale remains unclear, the Knight ransomware operation appears to have been inactive since December 2023.
New malware targets Redis servers
Cado, a cloud forensics firm, uncovered the new Migo malware targeting Redis servers and deploying a user-mode rootkit and cryptocurrency miners. Threat actors first disable server protections, which allows them to deploy Migo, a malware written in Golang. The malware retrieves an XMRig installer from GitHub and executes shell commands for persistence, system information gathering, and process hiding.
Small firms hit by PBX vulnerabilities
The NCSC issued a warning to smaller organizations regarding potential security risks associated with their PBX phone systems. Incorrectly configured PBX systems could be susceptible to remote attacks, leading to dial-through fraud or to the systems being used in denial-of-service attacks. The U.K. agency has published guidance to help organizations mitigate these risks.
Request to dump a discontinued plugin
VMware issued a warning advising administrators to remove a discontinued authentication plugin known as VMware Enhanced Authentication Plug-in (EAP) due to two unpatched security flaws. Tracked as CVE-2024-22245 and CVE-2024-22250, these vulnerabilities expose systems to authentication relay and session hijack attacks in Windows systems. Although VMware announced the deprecation of EAP nearly three years ago, the vulnerabilities remain unaddressed.
Joomla fixes XSS bugs
The open-source project Joomla has released a patch to fix XSS vulnerabilities in its widely used CMS. With Joomla powering approximately 2% of global websites, the flaws (tracked as CVE-2024-21726) could potentially expose millions of sites to attacks leading to remote code execution. Researchers from SonarSource identified inadequate content filtering as the core issue behind the vulnerabilities.