
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 23, 2024

Following Google Chrome, Apple has now addressed its first zero-day flaw of 2024. Apple has released security updates for an actively exploited zero-day, a type confusion bug in WebKit impacting iOS, iPadOS, macOS, tvOS, and Safari. Advancing with strategic maneuvers is a North Korean group that has sharpened its evasion tactics while also enhancing its intelligence-gathering capabilities. It is deploying the fully featured RokRAT backdoor using a novel lure. Meanwhile, Zloader, which was allegedly disrupted in 2022, is back in the headlines.

Speaking of malware upgrades, BianLian ransomware also registered itself as the first ransomware to go from double extortion attacks to pure data extortion; no more data encryption. Chae$ 4.1 has also been launched with advanced code polymorphism to dodge antivirus detection.

Top Breaches Reported in the Last 24 Hours

Massive 26 billion record database leak

Security researchers discovered a huge data trove containing 26 billion records, making it one of the largest breaches to date. The 12TB database was found on an open storage instance and is referred to as the "mother of all breaches" (MOAB). The data appears to be compiled from thousands of previous breaches and includes records from Chinese platforms Tencent and Weibo, as well as users of Twitter, Dropbox, LinkedIn, Adobe, Canva, and Telegram, among other companies.

Hole in Trezor’s support portal

Trezor, a key player in hardware wallets for cryptocurrencies, disclosed a data breach originating from unauthorized access to a third-party support portal. The breach impacted users who engaged with the firm’s support team since December 2021. Approximately 66,000 users had their email addresses and usernames exposed, though funds stored in the hardware wallets remained untouched. Trezor promptly notified affected users.

Aircraft leasing firm targeted by ransomware

AerCap, the world's largest aircraft leasing company, was hit by a ransomware incident. According to the firm, it retains full control of all its IT systems and, to date, has suffered no financial losses related to the incident. However, a ransomware group named Slug has claimed responsibility for the intrusion and listed AerCap as its first public target. The group claims to have stolen 1TB of data belonging to AerCap.

Top Malware Reported in the Last 24 Hours

North Korean group deploys RokRAT backdoor

The North Korean threat actor ScarCruft launched a malicious campaign targeting media organizations and North Korean affairs experts. The attackers used a threat research report about another North Korean APT, Kimsuky, as a decoy to deliver a ZIP archive containing both benign and malicious files, including two .LNK files. These files initiate multi-stage infection chains that deliver the custom-written backdoor RokRAT.

Zloader resurfaces after two-year hiatus

The Zloader banking trojan is back with updated anti-analysis techniques and other enhancements, Zscaler reported. It now employs 1,024-bit RSA encryption and a revised domain generation algorithm, and is compiled for 64-bit Windows. The new version focuses on anti-analysis measures, including API import hashing, junk code, filename checks, and string obfuscation. Zloader was taken down in 2022 but has reemerged with new features.

Ransomware group tries out new tactics

The operators of the BianLian ransomware group have reportedly shifted from a double extortion model to one focusing solely on extortion without encryption. Shared tools indicate a potential connection with the Makop ransomware group. BianLian now steals data to motivate victims to pay. The group's leak site suggests potential expansion, and attacks have primarily impacted North America, with healthcare organizations being a major target.

New Java-based info-stealer exploits Discord bot

Security researchers discovered NS-STEALER, a sophisticated Java-based information stealer that leverages a Discord bot to exfiltrate sensitive data. The malware is distributed via ZIP archives posing as cracked software. Once deployed, NS-STEALER collects data, including screenshots, cookies, credentials, and system information, storing it in a folder and exfiltrating it to a Discord bot channel. The malware's use of X509Certificate for authentication enhances its capability to quickly steal information.

Malware evolves with advanced code polymorphism

The latest iteration of the Chae$ malware series, Chae$ 4.1, was found employing advanced code polymorphism to bypass antivirus detection. Distributed through deceptive Portuguese emails posing as urgent messages from lawyers, the malware is activated when victims download a ZIP file from a misleading website. This update features an enhanced Chronod module, capable of stealing credentials from services like WhatsApp, AWS, and WordPress.

PyPI malware campaign by "WS"

The FortiGuard Labs team uncovered a malicious actor with the alias "WS" discreetly uploading infected packages to the PyPI repository. The identified packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, target Windows users predominantly. The payloads exhibit info-stealing capabilities, such as cryptocurrency address pattern detection, clipboard manipulation, and data exfiltration to remote servers. Over 2000 individuals may have been impacted by these packages.
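A defender-side check for the packages named above, as an added example that is not part of the FortiGuard report or the briefing: it scans the running interpreter's installed distributions and any requirements files for the listed names, applying PEP 503 name normalization so that case and separator variants are still caught. The package list is taken from the briefing; everything else is assumed helper code.

```python
"""Check an environment and requirements files for the PyPI packages the
briefing attributes to the "WS" actor. Added example, not from the report."""
import re
from importlib.metadata import distributions

# Package names as listed in the briefing.
WS_PACKAGES = ["nigpal", "figflix", "telerer", "seGMM", "fbdebug", "sGMM",
               "myGens", "NewGends", "TestLibs111"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' become '-'.
    pip resolves 'seGMM', 'segmm' and 'SEGMM' to the same project, and
    'my.gens', 'my_gens' and 'my-gens' likewise."""
    return re.sub(r"[-_.]+", "-", name).lower()


FLAGGED = {normalize(n) for n in WS_PACKAGES}

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> list[str]:
    """Extract project names from requirements.txt-style text, skipping
    comments, blank lines, pip options (-r, --index-url, -e) and URL specs."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        m = _REQ_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def find_flagged(names) -> list[str]:
    """Return the names, as given, whose normalized form is on the list."""
    return [n for n in names if normalize(n) in FLAGGED]


def scan_installed() -> list[str]:
    """Check the distributions installed for the current interpreter."""
    return find_flagged(d.metadata["Name"] for d in distributions())


if __name__ == "__main__":
    import sys
    hits = scan_installed()
    for path in sys.argv[1:]:  # optional requirements files to scan
        with open(path, encoding="utf-8") as fh:
            hits += find_flagged(parse_requirements(fh.read()))
    print("flagged:", sorted(set(hits)) if hits else "none")
```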

Top Vulnerabilities Reported in the Last 24 Hours

Apple patches actively exploited zero-day bug

Apple released security updates for iOS, iPadOS, macOS, tvOS, and Safari to address a zero-day flaw (CVE-2024-23222) that is already under attack. The flaw is a type confusion bug in the WebKit browser engine that could be exploited for arbitrary code execution when processing maliciously crafted web content. Apple acknowledged that the flaw may have been exploited, and fixed the issue with improved checks. Apple also backported fixes for CVE-2023-42916 and CVE-2023-42917 to older devices.

MavenGate software supply chain attack

A new software supply chain attack has been identified targeting abandoned but still-in-use Java and Android libraries. The attack, labeled MavenGate, involves hijacking artifacts in dependencies and injecting malicious code into applications, potentially compromising the build process through a malicious plugin. All Maven-based technologies, including Gradle, are vulnerable to this attack. The method exploits shortcomings in default build configurations, making it challenging to detect the attack.

New Microsoft bug exposes NTLM v2 hashes

Data security firm Varonis detected at least three attack methods exploiting CVE-2023-35636 to obtain NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs. The vulnerability lies in Outlook's calendar-sharing function and allows attackers to obtain NTLM hashes by sending a specially crafted email. The other attack methods abuse the Windows Performance Analyzer (WPA) tool and Windows File Explorer, both through specially crafted links delivered in emails or other channels.
