
Cyware Daily Threat Intelligence


Daily Threat Briefing Feb 22, 2024

Cybercriminals have spun up a new iteration of the Lucifer botnet, targeting organizations that run the Apache Hadoop and Apache Druid big data platforms with cryptojacking and DDoS attacks. An analysis of the campaign suggests the attackers are refining their techniques before a broader assault. A fresh threat to Facebook credentials has appeared in Vietnam, where Facebook advertisers are under siege from an info-stealer dubbed VietCredCare. Sold as a service, it poses a risk to both the public and private sectors, facilitating political messaging and financial scams.

Meanwhile, a study revealed that 80% of top global banking apps are vulnerable to the FjordPhantom malware infection. A different report has uncovered authentication bypass flaws in Wi-Fi software used in Android, Linux, and ChromeOS devices; attackers could spoof networks and gain unauthorized access.

Top Breaches Reported in the Last 24 Hours

Third-party breach affects Tangerine

Australian telecom provider Tangerine reported a breach affecting 232,000 customers, caused by the compromised credentials of a third-party contractor. Personal details such as names, birthdates, and contact information were exposed, but no financial or sensitive data was affected. The company confirmed that no credit or debit card numbers were compromised, as it does not store this information.

Healthcare attack disrupts services nationwide

Change Healthcare, a major U.S. healthcare technology company, acknowledged a cyberattack causing a nationwide network interruption. The incident led to login page outages and disruptions in patient payments and prescription processing for local pharmacies. The nature of the cyber incident remains undisclosed.

Top Malware Reported in the Last 24 Hours

FjordPhantom grows as a potential threat

An analysis of FjordPhantom sheds light on its propagation through social engineering and its exploitation of Android's virtual environment. The malware first relies on social engineering to get a malicious app installed, which is then used to perform fraudulent transactions and steal credentials. Second, it exploits Android's virtual environment to manipulate legitimate apps. Finally, it ensures that only legitimate users and devices execute transactions.

Lucifer botnet targets Apache servers

The resurgence of the Lucifer botnet has seen threat actors aiming at Apache Hadoop and Apache Druid servers for DDoS and cryptojacking, through new infection routines. Aqua Nautilus researchers identified over 3,000 unique attacks in the past month, indicating a testing phase for defense evasion techniques. The campaign unfolds in three phases, exploiting misconfigurations and vulnerabilities to deploy the malware.

Facebook credential stealer arrives in Vietnam

VietCredCare, a new information stealer, has been observed targeting Facebook advertisers in Vietnam since August 2022, aiming to hijack corporate accounts. Offered as a service, it filters out Facebook credentials and session cookies. It focuses on individuals managing business profiles with positive ad credit balances. The malware is being sold on social media platforms including Facebook and Telegram.

PyPI packages leverage DLL side-loading

Cybersecurity researchers singled out a couple of malicious packages on the PyPI repository using DLL side-loading to evade detection. Named NP6HelperHttptest and NP6HelperHttper, these packages mimic legitimate tools from ChapsVision to deceive developers. By side-loading a malicious DLL, the packages execute code capable of deploying a Cobalt Strike Beacon, posing a threat to supply chain security.

Top Vulnerabilities Reported in the Last 24 Hours

Authentication flaws in Wi-Fi software

Security researchers uncovered two authentication bypass vulnerabilities, CVE-2023-52160 and CVE-2023-52161, in open-source Wi-Fi software used in Android, Linux, and ChromeOS. These flaws could enable attackers to create malicious network clones or join trusted networks without passwords, potentially leading to malware infections and data theft. While CVE-2023-52160 affects Android devices using wpa_supplicant, CVE-2023-52161 impacts Linux devices running Intel's iNet Wireless Daemon (IWD).
