Cyware Daily Threat Intelligence, January 14, 2025

Daily Threat Briefing • Jan 14, 2025
Government officials in Central Asia have been ensnared by APT28’s latest cyberespionage campaign, where leaked Kazakhstan government documents serve as the perfect trap. With tools like HATVIBE and CHERRYSPY, the Russian-linked group casts a wide net to maintain geopolitical sway across key regions.
Codefinger, a new ransomware group, has introduced a chilling new tactic to the ransomware scene, locking AWS S3 buckets with server-side encryption and customer-provided keys. By exploiting compromised AWS keys, the group targets native AWS software developers, encrypting critical data and threatening deletion within seven days.
Imagine logging in with Google, only to find your old startup’s downfall has exposed your data. That’s the reality for millions of former employees, as a flaw in Google’s Sign in with Google lets new domain owners access sensitive accounts, leaving users and startups alike vulnerable.
Fancy Bear’s cyberespionage campaign
A hacking group with ties to Russian intelligence has been using documents from the Kazakhstan government as phishing lures to infect and spy on government officials in Central Asia. The group, known as APT 28 or Fancy Bear, has been targeting victims across Central Asia, East Asia, and Europe with malware named HATVIBE and CHERRYSPY. These attacks are believed to be linked to the Russian GRU and are part of an espionage campaign to maintain political influence and counter competing powers in the region.
New ransomware gang targets AWS S3 buckets
A new ransomware group called Codefinger has been targeting AWS S3 buckets and using AWS server-side encryption with customer-provided keys to lock up victims' data. The group has been carrying out attacks on AWS native software developers by exploiting compromised or exposed AWS keys. Codefinger encrypts the data and marks files for deletion within seven days, but does not threaten to leak or sell the data. The group leaves a ransom note with a Bitcoin address and client ID, and it's unclear if the victims paid the ransom.
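The technique described above leaves a recognizable trail: object writes that carry SSE-C headers, followed by a lifecycle rule with a short expiration. As an added example that is not part of the briefing and not code from any vendor, the script below scans constructed CloudTrail-style S3 records for both signals and builds a bucket policy statement that denies SSE-C uploads outright. The header name `x-amz-server-side-encryption-customer-algorithm` in `requestParameters`, the `s3:x-amz-server-side-encryption-customer-algorithm` condition key, and the nested `LifecycleConfiguration` shape are assumptions about how CloudTrail and S3 represent these requests; the sample events, account ID, bucket name and IP addresses are invented.

```python
"""Defensive checks for the Codefinger-style SSE-C ransomware pattern.

Two detections over CloudTrail-like S3 records plus a preventive bucket
policy. Field names follow what CloudTrail S3 data events are assumed to
record; verify against your own logs before deploying.
"""
import json

# SSE-C request headers that show up in requestParameters when a caller
# brings their own key (assumed header names, matching the S3 API).
SSEC_HEADERS = (
    "x-amz-server-side-encryption-customer-algorithm",
    "x-amz-copy-source-server-side-encryption-customer-algorithm",
)

# Constructed sample records (not real telemetry). Account ID, bucket,
# principal and IPs are placeholders.
SAMPLE_EVENTS = [
    {   # suspicious: an object rewritten with a customer-provided key
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "bucketName": "example-prod-data",
            "key": "backups/db.sql",
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
        },
    },
    {   # benign: normal KMS-encrypted write
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
        "sourceIPAddress": "10.0.0.5",
        "requestParameters": {
            "bucketName": "example-prod-data",
            "key": "logs/app.log",
            "x-amz-server-side-encryption": "aws:kms",
        },
    },
    {   # suspicious: lifecycle rule expiring everything in 7 days
        "eventName": "PutBucketLifecycle",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "bucketName": "example-prod-data",
            "LifecycleConfiguration": {
                "Rule": [{"Status": "Enabled", "Prefix": "",
                          "Expiration": {"Days": 7}}],
            },
        },
    },
]


def find_ssec_writes(events):
    """Return PutObject/CopyObject events that used SSE-C."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        params = ev.get("requestParameters") or {}
        if any(h in params for h in SSEC_HEADERS):
            hits.append({
                "bucket": params.get("bucketName"),
                "key": params.get("key"),
                "principal": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return hits


def find_short_expirations(events, max_days=30):
    """Return (bucket, days) for lifecycle rules expiring objects within max_days."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "PutBucketLifecycle":
            continue
        params = ev.get("requestParameters") or {}
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
        if isinstance(rules, dict):        # a single rule may be logged as a dict
            rules = [rules]
        for rule in rules:
            days = (rule.get("Expiration") or {}).get("Days")
            if isinstance(days, int) and days <= max_days:
                findings.append((params.get("bucketName"), days))
    return findings


def deny_ssec_policy(bucket):
    """Bucket policy that refuses any PutObject carrying an SSE-C algorithm header.

    The Null condition set to "false" matches requests where the key IS present.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    print("SSE-C writes:", find_ssec_writes(SAMPLE_EVENTS))
    print("short expirations:", find_short_expirations(SAMPLE_EVENTS))
    print(json.dumps(deny_ssec_policy("example-prod-data"), indent=2))
```

The deny policy is the stronger control when no workload legitimately uses SSE-C; where one does, scope the statement to the principals that should not, and keep the two detections as a backstop so that an SSE-C rewrite from an unfamiliar IP or a sudden short-expiry lifecycle rule pages someone before the seven-day window closes.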
BeyondTrust bug under exploit, warns CISA
CISA has urged federal agencies to patch a second vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) solutions due to active exploitation. The flaw, tracked as CVE-2024-12686, allows attackers with administrative privileges to upload malicious files and execute operating system commands. This issue follows a previous zero-day vulnerability, CVE-2024-12356, which was exploited in a cyber incident targeting the U.S. Department of the Treasury. The attackers, reportedly Chinese hackers linked to Silk Typhoon, targeted multiple offices of the U.S. Treasury.
“Sign in with Google” authentication system vulnerability
The Sign in with Google authentication system has a critical flaw that leaves millions of former startup employees vulnerable to data theft. When a startup fails and its domain is sold, the new owner can potentially access former employees' accounts on various services, including HR systems containing sensitive data. This affects around six million Americans currently working for tech startups, as many rely on Google Workspace for email. Despite being reported, Google initially marked the issue as "Won’t fix," and there is currently no comprehensive solution.
Patch this macOS vulnerability
A macOS vulnerability (CVE-2024-44243) allows attackers with root privileges to bypass System Integrity Protection, a security feature that prevents unauthorized modifications to the system. Exploiting this vulnerability could lead to the installation of malicious kernel drivers, persistent malware, and unauthorized access to user data. Apple has released a security update to patch the vulnerability.