Cyware Daily Threat Intelligence
Daily Threat Briefing • Jan 2, 2024
Happy New Year to all our readers! As we embrace the fresh beginnings of 2024, new concerning revelations in the digital realm unfold. Cybersecurity experts have unearthed a sophisticated exploit used by several malware families to manipulate an obscure Google OAuth endpoint named "MultiLogin." This tactic is used to restore expired authentication cookies, thereby illicitly infiltrating Google accounts. Along the same lines, a strain of the Meduza password stealer emerged on the dark web, exhibiting multiple advanced capabilities.
Peekaboo! Researchers spotted a new DLL search order hijacking technique that overcomes the protections on Windows 10 and Windows 11 systems. This cunning method masquerades under the guise of trusted executables in the WinSxS folder.
TuneFab converter exposes data
TuneFab converter exposed over 151 million users' private data through a misconfigured MongoDB instance. The leaked data included sensitive information such as IP addresses, user IDs, emails, and device information. The leak was discovered and fixed within 24 hours, but the company has not yet commented on the matter.
Cactus ransomware claims Coop
The Cactus ransomware group claims to have hacked Coop, a major retail and grocery provider in Sweden, and is threatening to release over 21,000 directories of personal information. Coop had previously been affected by a supply chain ransomware attack in July 2021, which was traced back to their software provider Visma.
Cyber Toufan breaches Israeli entities
A pro-Palestinian hacking group, known as Cyber Toufan, claimed to have breached dozens of Israeli entities during the ongoing conflict in Gaza. The group has released stolen data from 60 websites, including Israeli companies and foreign firms doing business with Israel. The attackers targeted various organizations, including cybersecurity firms, government agencies, e-commerce platforms, and manufacturing companies.
Malware abuses Google OAuth endpoint
Multiple information-stealing malware families were found exploiting an undocumented Google OAuth endpoint called "MultiLogin" to restore expired authentication cookies and gain unauthorized access to Google accounts. The exploit works by extracting tokens and account IDs from Chrome profiles, decrypting them using an encryption key stored in Chrome's 'Local State' file, and using them to regenerate expired Google Service cookies.
New Meduza stealer variant shows up
A new version (2.2) of the Meduza password stealer has been released on the dark web. This update includes support for more software clients, an upgraded credit card grabber, and advanced mechanisms for extracting credentials and tokens. The stealer can grab data from various browsers, cryptocurrency wallets, file extensions, messaging apps, password managers, and more.
Go-based JinxLoader spotted in new campaign
A new malware loader called JinxLoader is being used by cyber threat actors to distribute malicious payloads such as Formbook and XLoader. It was discovered that the malware is being spread through phishing emails impersonating Abu Dhabi National Oil Company (ADNOC). The JinxLoader executable is dropped when recipients open password-protected RAR archive attachments.
Small relief for Black Basta victims
Researchers at SRLabs developed a decryptor that exploits a flaw in Black Basta ransomware's encryption algorithm to recover the ChaCha keystream used to XOR-encrypt a file. This decryptor can help recover files larger than 5000 bytes. Using the decryptor, Black Basta victims from November 2022 to December 2023 could potentially recover their files for free.
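The recovery described above works because XOR is its own inverse: wherever the plaintext is known (and zero bytes are the easiest known plaintext, since 0x00 XOR k = k), the ciphertext reveals the keystream. The following example is added here to illustrate that principle; it is not SRLabs' decryptor and not Black Basta's actual file format. It assumes a toy scheme in which one keystream block is reused across every chunk of a file (a stand-in for the reported flaw, with SHA-256 output standing in for ChaCha), and shows how a defender can infer the keystream from the most frequently repeated ciphertext chunk, which in a file with a large zero-filled region is the encrypted zero run.

```python
"""Toy model of keystream recovery from a reused XOR keystream (constructed example)."""
import hashlib
from collections import Counter

BLOCK = 64  # size of one keystream block in this toy scheme (constructed value)


def keystream_block(key: bytes, nonce: bytes) -> bytes:
    # Stand-in for one ChaCha keystream block. Assumption: SHA-256 counter output,
    # chosen only because it is deterministic and in the standard library.
    return b"".join(
        hashlib.sha256(key + nonce + bytes([ctr])).digest() for ctr in range(BLOCK // 32)
    )


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # XOR two byte strings; the result is as long as the shorter input
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    # Modeled flaw: the same keystream block is applied to every chunk of the file
    ks = keystream_block(key, nonce)
    return b"".join(xor_bytes(plaintext[i:i + BLOCK], ks) for i in range(0, len(plaintext), BLOCK))


def recover_keystream(ciphertext: bytes) -> bytes:
    # With a reused keystream, equal plaintext chunks produce equal ciphertext chunks.
    # A file with a long run of zero bytes therefore repeats one ciphertext chunk many
    # times, and because 0x00 XOR k == k that chunk is the keystream itself.
    full_chunks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    candidate, count = Counter(full_chunks).most_common(1)[0]
    if count < 2:
        raise ValueError("no repeated chunk; cannot infer a zero-byte region")
    return candidate


def decrypt_with_keystream(ciphertext: bytes, ks: bytes) -> bytes:
    # Decryption is the same XOR again, chunk by chunk
    return b"".join(xor_bytes(ciphertext[i:i + BLOCK], ks) for i in range(0, len(ciphertext), BLOCK))


def build_sample_file() -> bytes:
    # Constructed plaintext: a small header, some text, a zero-filled region (like
    # padding in many real formats) and a trailer
    return (b"\x89TOY\r\n\x1a\n"
            + b"quarterly figures, do not delete\n" * 3
            + b"\x00" * 4096
            + b"EOF")


def demo() -> tuple:
    # Returns (keystream recovered correctly?, file decrypted correctly?)
    key, nonce = b"k" * 32, b"n" * 12  # constructed demo values
    plaintext = build_sample_file()
    ciphertext = flawed_encrypt(plaintext, key, nonce)
    ks = recover_keystream(ciphertext)
    recovered = decrypt_with_keystream(ciphertext, ks)
    return ks == keystream_block(key, nonce), recovered == plaintext


if __name__ == "__main__":
    print(demo())
```

The heuristic in `recover_keystream` only works when the keystream is reused and the file contains enough zero bytes to make the encrypted zero chunk the most common one; a correctly implemented stream cipher with a fresh nonce and a non-repeating keystream gives the analyst nothing to count.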
New DLL search order hijacking technique spotted
Security researchers identified a new variant of a DLL search order hijacking technique that can be used by hackers to bypass security measures and execute malicious code on Windows 10 and Windows 11 systems. This method takes advantage of executables in the trusted WinSxS folder and exploits them using the classic DLL search order hijacking technique. By copying legitimate system binaries from WinSxS into non-standard directories and placing malicious DLLs alongside them under the names of dependencies those binaries expect to load, attackers can run malicious code without elevated privileges.
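From a detection standpoint, the telltale combination is a binary whose name belongs in WinSxS executing from somewhere else and loading a DLL from its own directory. The following example is added here as an illustration and is not code from the researchers or from any product. It assumes image-load records flattened into `key=value;...` lines (a constructed stand-in for a Sysmon ImageLoad event), a baseline set of WinSxS executable names that a defender would populate from their own inventory (the names below are placeholders), and the default Windows system directories.

```python
"""Heuristic for relocated WinSxS binaries loading DLLs from their own directory (constructed example)."""
import ntpath

# Directories where Windows system binaries legitimately live (assumption: default layout)
TRUSTED_DIRS = ("c:\\windows\\winsxs\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Baseline of executable names found under WinSxS. Placeholder names: a defender
# would build this set from an inventory of their own managed images.
WINSXS_EXECUTABLES = {"example_wsx_tool.exe", "example_updater.exe"}


def parse_line(line: str) -> dict:
    # Parses one "Key=Value;Key=Value" record (constructed format)
    return dict(kv.split("=", 1) for kv in line.strip().split(";"))


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def evaluate(event: dict):
    # Returns a list of reasons the event is suspicious, or None if it is not
    image = event["Image"]
    loaded = event["ImageLoaded"]
    if ntpath.basename(image).lower() not in WINSXS_EXECUTABLES:
        return None                      # not a WinSxS-resident binary name
    if is_trusted_dir(image):
        return None                      # running from its normal location
    reasons = ["WinSxS-resident binary executing from a non-standard directory"]
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    if same_dir and loaded.lower().endswith(".dll"):
        reasons.append("DLL loaded from the binary's own directory (search-order precedence)")
    if event.get("Signed", "").lower() != "true":
        reasons.append("loaded module is unsigned")
    return reasons


def scan(lines) -> list:
    # Returns (image path, reasons) for every record that trips the heuristic
    findings = []
    for event in map(parse_line, lines):
        reasons = evaluate(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


# Constructed sample records: one benign load from WinSxS, one relocated binary
# loading an unsigned DLL from a user-writable directory, one unrelated application.
SAMPLE_LOG = [
    r"Image=C:\Windows\WinSxS\amd64_example_component\example_wsx_tool.exe;"
    r"ImageLoaded=C:\Windows\System32\kernel32.dll;Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Temp\example_wsx_tool.exe;"
    r"ImageLoaded=C:\Users\alice\AppData\Local\Temp\helper.dll;Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe;"
    r"ImageLoaded=C:\Program Files\Vendor\app.dll;Signed=true",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The baseline set is the part that matters: file-name matching against an inventory of WinSxS executables turns a generic "DLL loaded from the process directory" signal, which is noisy for ordinary applications, into a specific one for this technique.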