
Cyware Daily Threat Intelligence

Daily Threat Briefing Feb 21, 2024

Underscoring the importance of uninstalling unused software, VMware warned administrators to remove the discontinued VMware Enhanced Authentication Plug-in because of two unpatched security flaws; attackers could exploit them for authentication relay and session hijacking. Meanwhile, researchers have observed a surge in banking malware campaigns abusing Google Cloud Run, with signs that the activity is spreading beyond Latin America.

A widely used open-source CMS patched cross-site scripting (XSS) issues in its latest release; the flaws potentially affect millions of websites and could be chained to remote code execution. Separately, the NCSC warned small organizations that misconfigured Private Branch Exchange (PBX) phone systems are exposed to remote attacks.

Top Breaches Reported in the Last 24 Hours

Hacking contractor exposes sensitive data

Internal documents leaked from iSoon, a Chinese hacking contractor, offered a peek into a workforce engaged in government-directed hacking operations, mainly for China's Ministry of Public Security. The leak, posted on GitHub and comprising spreadsheets, chat logs, and marketing materials, revealed low wages and the tooling shared across operations, such as the Winnti backdoor and the PlugX RAT. The material also suggests that NATO member countries were among the targets.

Major attack on PSI Software

Germany-based PSI Software suffered a ransomware attack that impacted internal systems, after which external connections and affected systems were shut down. The attack vector is still being determined, and no customer systems appear to have been compromised. Hunters International, a RaaS operation, claimed responsibility and alleges it stole more than 36,000 files totaling 88GB.

School district in deep water

Prince George’s County Public Schools, a school district in the Washington, D.C. suburbs, disclosed that last year's ransomware attack also compromised the personal information of nearly 100,000 individuals. The incident caused a network outage, and the Rhysida ransomware gang reportedly posted PGCPS data online in November. The exposed data varies by person and includes names, financial details, and Social Security numbers.

Top Malware Reported in the Last 24 Hours

Banking malware abuses Google Cloud Run

Researchers from Cisco Talos identified a surge in campaigns abusing the Google Cloud Run service to distribute banking malware, including Astaroth, Mekotio, and Ousaban. The attackers use invoice and financial-document themes to lure victims, often posing as local government tax agencies. The malicious links in these emails lead to attacker-controlled Cloud Run web services, which deliver the malware.
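The delivery pattern above (a finance-themed lure whose link resolves to a Cloud Run service) can be triaged at the mail gateway, because a Cloud Run service that has not been mapped to a custom domain is reachable only under Google's default run.app domain. The Python below is an added example written for this briefing, not code from Cisco Talos or from the report; the sample message is constructed, and the lure-word list and the decision to flag only the run.app suffix are assumptions made for illustration.

```python
"""Triage e-mail links that point at Google Cloud Run's default service domain.

Added example (not code from Cisco Talos or the report). Cloud Run services
are served under *.run.app unless the operator maps a custom domain, so a
finance-themed message whose call-to-action link lands on a bare run.app host
deserves a closer look. The sample message is constructed for this example.
"""
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Google Cloud Run's default service domain. Only this suffix comes from the
# reporting above; add others if you want to triage more hosting platforms.
HOSTING_SUFFIXES = (".run.app",)

# Lure vocabulary (English, Spanish, Portuguese) for the invoice/tax themes
# described above. Assumption: used only to score the message, not to filter.
LURE_WORDS = re.compile(
    r"\b(invoice|tax|factura|impuesto|fatura|nota fiscal|receita)\b", re.IGNORECASE
)


class _HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def _links_in(msg):
    """Yield hrefs from text/html parts and bare URLs from text/plain parts."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            yield from collector.hrefs
        elif ctype == "text/plain":
            yield from re.findall(r"https?://[^\s<>\"']+", part.get_content())


def find_cloud_run_links(raw_message: bytes):
    """Return (url, host, lure_hit) for every link whose host is a *.run.app name.

    lure_hit is True when the subject or body contains one of LURE_WORDS, so a
    caller can rank "tax notice + run.app link" above a plain run.app link.
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    text = msg.get("Subject", "") + " " + " ".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )
    lure_hit = LURE_WORDS.search(text) is not None
    hits = []
    for url in _links_in(msg):
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(HOSTING_SUFFIXES):
            hits.append((url, host, lure_hit))
    return hits


# Constructed sample: a Portuguese-language "pending invoice" lure.
SAMPLE_EMAIL = b"""\
From: "Notificacao Fiscal" <aviso@example.invalid>
To: victim@example.invalid
Subject: Nota fiscal pendente - fatura 2024
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sua nota fiscal esta disponivel para download.</p>
<p><a href="https://notafiscal-abc123-uc.a.run.app/download">Baixar fatura</a></p>
<p><a href="https://www.example.com/ajuda">Central de ajuda</a></p>
</body></html>
"""

if __name__ == "__main__":
    for url, host, lure in find_cloud_run_links(SAMPLE_EMAIL):
        print(f"{host}\tlure={lure}\t{url}")
```

The host check is deliberately a suffix match rather than a blocklist: legitimate services also run on run.app, so the output is a triage signal to combine with the lure score and sender reputation, not a verdict on its own.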

Ransomware source code for sale

The source code for the Knight ransomware 3.0 is reportedly up for sale, exclusively to a single buyer, on a hacker forum. The Knight ransomware, initially launched as a re-brand of the Cyclops operation, targeted Windows, macOS, and Linux/ESXi systems. Version 3.0 of the ransomware's locker, released on November 5, 2023, boasted faster encryption and other improvements. While the reason behind the sale remains unclear, the Knight ransomware operation appears to have been inactive since December 2023.

New malware targets Redis servers

Cado, a cloud forensics firm, uncovered Migo, a new malware family that targets Redis servers and deploys a user-mode rootkit and cryptocurrency miners. The attackers first use Redis's own configuration commands to disable the server's built-in protections, then deploy Migo, which is written in Go. The malware retrieves an XMRig installer from GitHub and runs shell commands for persistence, system information gathering, and process hiding.
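Because Migo's first move is to switch off Redis's own safeguards before anything else lands on the host, those configuration changes are a useful detection point. The Python below is an added example for this briefing, not Cado's code or part of the Migo analysis; the MONITOR lines are constructed, and the list of watched settings (protected-mode, the replica read-only flag, the two incremental-fsync options) together with the persistence-path check is an assumption drawn from Redis hardening practice rather than quoted from the report.

```python
"""Spot Redis commands that switch off the server's built-in protections.

Added example for this briefing (not Cado's code). Redis MONITOR prints one
line per command it receives:

    <unix time> [<db> <client ip:port>] "CMD" "arg1" "arg2" ...

The sample lines are constructed. The watched settings and the persistence
path check are assumptions drawn from Redis hardening practice.
"""
import re
import shlex
from dataclasses import dataclass

# Setting -> values that weaken it. protected-mode is what keeps an unbound,
# unauthenticated Redis from talking to non-loopback clients; the replica
# read-only flag and the incremental-fsync options are toggled to make the
# follow-on writes less constrained and less noisy.
WEAKENING_VALUES = {
    "protected-mode": {"no"},
    "replica-read-only": {"no"},
    "slave-read-only": {"no"},  # pre-5.0 name of the same option
    "aof-rewrite-incremental-fsync": {"no"},
    "rdb-save-incremental-fsync": {"no"},
}

# Re-pointing the RDB dump is the classic way to write a cron entry or an
# authorized_keys file through Redis; flag any change to these.
PATH_SETTINGS = {"dir", "dbfilename"}

MONITOR_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.+)$"
)


@dataclass
class Finding:
    ts: float
    client: str
    command: str
    reason: str


def parse_monitor_line(line):
    """Return (timestamp, client, argv) for a MONITOR line, or None if it is not one."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("client"), shlex.split(m.group("rest"))


def find_protection_changes(lines):
    """Return a Finding for every CONFIG SET that weakens a watched setting."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, argv = parsed
        if len(argv) < 4 or argv[0].upper() != "CONFIG" or argv[1].upper() != "SET":
            continue
        key, value = argv[2].lower(), argv[3]
        reason = None
        if value.lower() in WEAKENING_VALUES.get(key, ()):
            reason = f"{key} set to {value.lower()}"
        elif key in PATH_SETTINGS:
            reason = f"persistence path changed: {key}={value}"
        if reason:
            findings.append(Finding(ts, client, " ".join(argv), reason))
    return findings


def weak_settings(config):
    """Given a CONFIG GET snapshot as {setting: value}, list settings left weakened."""
    return sorted(
        k for k, v in config.items()
        if str(v).lower() in WEAKENING_VALUES.get(k.lower(), ())
    )


# Constructed MONITOR excerpt: one client disables the protections, re-points
# the dump file at the cron spool and saves; a second client makes a benign change.
SAMPLE_MONITOR = """\
1708500000.101234 [0 10.0.0.5:51234] "PING"
1708500000.203456 [0 10.0.0.5:51234] "CONFIG" "SET" "protected-mode" "no"
1708500000.305678 [0 10.0.0.5:51234] "CONFIG" "SET" "replica-read-only" "no"
1708500000.407890 [0 10.0.0.5:51234] "CONFIG" "SET" "aof-rewrite-incremental-fsync" "no"
1708500000.509012 [0 10.0.0.5:51234] "CONFIG" "SET" "rdb-save-incremental-fsync" "no"
1708500000.611234 [0 10.0.0.9:40001] "CONFIG" "SET" "maxmemory" "2gb"
1708500000.713456 [0 10.0.0.5:51234] "SET" "backup" "*/5 * * * * /tmp/.x/run.sh"
1708500000.815678 [0 10.0.0.5:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1708500000.917890 [0 10.0.0.5:51234] "CONFIG" "SET" "dbfilename" "root"
1708500001.019012 [0 10.0.0.5:51234] "SAVE"
"""

if __name__ == "__main__":
    for f in find_protection_changes(SAMPLE_MONITOR.splitlines()):
        print(f"{f.ts:.3f} {f.client} {f.reason}")
```

MONITOR itself costs throughput, so in production the same logic is better fed from a proxy or audit log; weak_settings() applies the same table to a periodic CONFIG GET snapshot, which also catches a server that was weakened before monitoring started. The durable fix is to bind Redis to loopback or a private interface, require a password, and rename or disable CONFIG so the weakening commands cannot be issued at all.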

Top Vulnerabilities Reported in the Last 24 Hours

Small firms hit by PBX vulnerabilities

The NCSC issued a warning to smaller organizations about the security risks of their PBX phone systems. Incorrectly configured PBX systems can be reached remotely and abused for dial-through fraud or enlisted in denial-of-service attacks. The U.K. agency has published guidance to help organizations mitigate these risks.

Call to remove a discontinued plug-in

VMware warned administrators to remove the discontinued VMware Enhanced Authentication Plug-in (EAP) because of two unpatched security flaws. Tracked as CVE-2024-22245 and CVE-2024-22250, the vulnerabilities expose Windows systems with the plug-in installed to authentication relay and session hijack attacks. Although VMware announced the deprecation of EAP nearly three years ago, the vulnerabilities remain unaddressed, and removal rather than a patch is the recommended mitigation.

Joomla fixes XSS bugs

The open-source Joomla project has released a patch for XSS vulnerabilities in its widely used CMS. With Joomla powering approximately 2% of websites worldwide, the flaws (tracked as CVE-2024-21726) could potentially expose millions of sites to attacks that escalate to remote code execution. Researchers from SonarSource identified inadequate content filtering as the root cause.