Cyware Daily Threat Intelligence
Daily Threat Briefing • Jan 17, 2024
It’s not difficult to imagine the impact of successful zero-day exploits, especially when a product is widely in use. Google Chrome and Citrix found themselves in deep waters as they disclosed actively exploited zero-day flaws. Chrome’s zero-day could give access to sensitive information or trigger a crash, whereas Citrix zero-days in NetScaler ADC and NetScaler Gateway could allow RCE and DoS attacks. Additionally, PAX Technology's Android-based PoS terminals were found to be affected by a series of exploits.
Threat actors using Androxgh0st malware are orchestrating a botnet dedicated to cloud credential theft, CISA and the FBI warned. The Python-scripted malware also facilitates spam campaigns, web shell deployment, and unauthorized access to sensitive databases.
Spanish tourist hotspot hit by ransomware
A €10 million ($11 million) ransom demand followed after a crippling attack on the Calvià City Council in Majorca, Spain, impacting municipal services. Administrative deadlines are suspended until January 31. Forensic analysis is underway to understand the impact of the attack. While citizen services are reachable by phone, urgent document submissions can be made through the General State Administration portal. The mayor refused to pay the ransom.
macOS info-stealers bypass Apple's XProtect
Information stealers targeting macOS, such as KeySteal, Atomic Stealer, and CherryPie, demonstrate an ability to evade Apple's XProtect consistently, revealed experts at SentinelOne. Despite regular updates to XProtect's malware database, attackers rapidly adjust their tactics and code to bypass detection. KeySteal, for example, has evolved significantly to use techniques like code obfuscation and masquerading to persistently target macOS systems and steal sensitive information.
Gov agencies warn of Androxgh0st
CISA and the FBI issued a joint warning about the Androxgh0st malware botnet, indicating that threat actors are building a botnet to extract cloud credentials. The Androxgh0st malware targets .env files containing credentials for applications like Amazon Web Services, Office 365, SendGrid, and Twilio. The malware exploits three remote code execution vulnerabilities, namely CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel).
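A defensive check that follows from the .env-targeting behaviour described above, added here as an example that is not from the briefing or from CISA: a small Python scanner over constructed web server access-log lines that flags requests for dotenv files (including percent-encoded variants) and separates probes that were actually served, since those mean the credentials in the file should be treated as exposed. The combined log format, sample IPs and paths are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2024:10:01:04 +0000] "POST /%2eenv HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.4 - - [17/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jan/2024:10:02:01 +0000] "GET /assets/environment.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Client IP, request method, request path and response status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_env_probe(raw_path: str) -> bool:
    """True when the request path targets a dotenv file at any directory depth.
    The path is percent-decoded twice so single- and double-encoded variants are caught."""
    path = unquote(unquote(raw_path)).split("?", 1)[0].lower()
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return last == ".env" or last.startswith(".env.")

def find_env_probes(log_text: str) -> list[dict]:
    """Return one record per request that probed for a dotenv file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_env_probe(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits

def probes_by_source(hits: list[dict]) -> Counter:
    """Count probes per client IP; a high count from one source is a scanner."""
    return Counter(h["ip"] for h in hits)

def served_env_files(hits: list[dict]) -> list[dict]:
    """Probes answered with 2xx: the file was actually served, so rotate the
    credentials it holds (cloud, mail and SMS API keys) rather than only blocking the IP."""
    return [h for h in hits if 200 <= h["status"] < 300]

if __name__ == "__main__":
    found = find_env_probes(SAMPLE_LOG)
    print(probes_by_source(found))
    print(served_env_files(found))
```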
PAX PoS terminals vulnerable to exploits
Chinese company PAX Technology's Android-based PoS terminals are reportedly susceptible to six vulnerabilities that could enable arbitrary code or command execution, warned STM Cyber. The flaws include kernel argument injections, bootloader downgrades, and command injections, providing attackers with various entry points. While the vulnerabilities generally require physical USB access or shell access, STM Cyber's PoC exploits highlight potential risks.
Google patches Chrome zero-day
Google addressed CVE-2024-0519, a zero-day vulnerability in the Chrome browser, marking the first instance of such a flaw being exploited in the wild this year. The vulnerability is an out-of-bounds memory access bug in the Chrome V8 JavaScript engine. Attackers could leverage this flaw to gain unauthorized access to data beyond the memory buffer, potentially leading to sensitive information exposure or system crashes.
Sensitive bugs in EDK II pose RCE risk
French security research firm Quarkslab has unveiled nine vulnerabilities in Tianocore EDK II, the widely used open-source implementation of the UEFI specification. Dubbed PixieFAIL, the flaws can potentially allow RCE attacks during the PXE network boot process. The investigation found vulnerabilities in NetworkPkg (the Tianocore EDK II PXE implementation), impacting various vendors, including Microsoft, Arm, Insyde, Phoenix Technologies, and American Megatrends.
Immediate fix advised for Citrix zero-days
Citrix has urgently advised customers to patch NetScaler ADC and NetScaler Gateway appliances against two actively exploited zero-day vulnerabilities, identified as CVE-2023-6548 and CVE-2023-6549. These vulnerabilities affect the NetScaler management interface and expose unpatched instances to RCE and DoS attacks. However, attackers require low-privilege account access and specific configuration settings to exploit the flaws. Only customer-managed NetScaler appliances are impacted, while Citrix-managed cloud services are unaffected.
GitHub patches bug exposing keys
GitHub has patched a vulnerability (CVE-2024-0200) that could have exposed credentials within production containers through environment variables. The flaw could allow RCE on unpatched servers but requires the admin access role. GitHub has rotated potentially exposed keys as part of its security procedures and recommends refreshing data regularly from its API to ensure the most current values are in use. In a related fix, GitHub also addressed a high-severity Enterprise Server command injection vulnerability (CVE-2024-0507), preventing privilege escalation for certain user accounts.
Critical bug in VMware Aria Automation platform
A critical vulnerability, identified as CVE-2023-34063, was reported in the VMware Aria Automation platform. The flaw, with a CVSS score of 9.9, stems from a missing access control that could be exploited by an authenticated attacker. Successful exploitation could allow unauthorized remote access to organizations and their workflows. Users are advised to update to versions 8.16 and above of Cloud Foundation to mitigate the risk associated with this vulnerability.
RCE flaw in Atlassian Confluence
Atlassian addressed a critical RCE vulnerability, identified as CVE-2023-22527 (CVSS score 10.0), affecting the Confluence Data Center and Confluence Server. The flaw, categorized as a template injection vulnerability, allows unauthenticated attackers to execute arbitrary code on vulnerable Confluence deployments. The affected versions include Confluence Data Center and Server versions 8.0.x to 8.5.3.
Cheap domains sell fake health products
Cybersecurity firm Netcraft reported that scammers are utilizing newly registered, low-cost domain names with global top-level domain extensions (.cloud, .sbs) to host sites selling dubious health products. Perpetrators often use fake news campaigns, mimicking reputable layouts, and fabricate endorsements from TV shows like Shark Tank and Dragons’ Den. The affordability of these domains allows criminals to spread these campaigns cost-effectively.