Cyware Daily Threat Intelligence
Daily Threat Briefing • Jan 24, 2024
Fortra’s GoAnywhere MFT is in the headlines again, this time for a different bug. The new issue, rooted in a path traversal weakness, lets unauthenticated users create admin accounts and poses a severe security risk. Meanwhile, Trend Micro exposed the Kasseika ransomware operation, which employs Bring Your Own Vulnerable Driver (BYOVD) tactics and abuses the Martini driver to disable antivirus software. Kasseika also shares code similarities with BlackMatter.
Researchers have reported a spike in the use of the SYSTEMBC tool. Originating in 2018, SYSTEMBC acts as a SOCKS5 proxy, providing persistent access for threat actors across various campaigns involving malware families such as Rhysida and BlackBasta. Also, Google Chrome 121 has been released with 17 security patches.
U.S. restaurant chain attacked
Jason's Deli alerted 344,034 customers to a data breach resulting from credential stuffing attacks on its network; the credentials were reportedly obtained from other sources. Besides personal data, the exposed data includes house account numbers, Deli Dollar points, redeemable amounts and rewards, and truncated credit card and gift card numbers. The company detected unauthorized access attempts and has therefore urged customers to reset their passwords.
Exposed API affects millions of Trello users
A Trello API exposed private email addresses associated with Trello accounts, potentially leading to the creation of millions of data profiles containing both public and private information. The Atlassian-owned subsidiary laid bare emails, usernames, full names, and other account information for 15,115,516 Trello members.
Kasseika ransomware exploits BYOVD tactics
A new ransomware operation named Kasseika has been discovered utilizing BYOVD tactics to disable antivirus software before encrypting files. Kasseika abuses the Martini driver (Martini.sys/viragt64.sys) to disable antivirus processes in the targeted system. The ransomware begins with a phishing email to steal account credentials for initial access, then uses Windows PsExec to execute malicious .bat files. Kasseika operators demand payment in Bitcoin.
Malicious npm packages exploit GitHub
Two malicious npm packages, warbeast2000 and kodiak2k, were found actively abusing GitHub to store Base64-encoded SSH keys stolen from infected systems. warbeast2000 was still in development, with eight versions (1.0.0 - 1.0.8). Discovered shortly after warbeast2000, kodiak2k exhibited similar behavior but had more than 30 versions, most of them malicious. The packages have been removed from npm.
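A quick way to check whether a project pulled in either package is to scan its package-lock.json. The following scanner is an added example written for this briefing, not a tool from npm or the researchers; the package names and the warbeast2000 version range come from the text above, while the sample lockfile and the decision to flag every kodiak2k version are constructed assumptions.

```python
import json
from typing import Dict, List, Optional, Tuple

# Indicators from the briefing: name -> inclusive (min, max) version range, or
# None to flag every version (most of kodiak2k's 30+ versions were malicious).
MALICIOUS_NPM: Dict[str, Optional[Tuple[Tuple[int, ...], Tuple[int, ...]]]] = {
    "warbeast2000": ((1, 0, 0), (1, 0, 8)),
    "kodiak2k": None,
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.3' -> (1, 0, 3); pre-release/build suffixes are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))

def is_flagged(name: str, version: str) -> bool:
    """True if this name/version pair matches a briefing indicator."""
    if name not in MALICIOUS_NPM:
        return False
    rng = MALICIOUS_NPM[name]
    return rng is None or rng[0] <= parse_version(version) <= rng[1]

def scan_lockfile(lock: dict) -> List[Tuple[str, str]]:
    """Return (name, version) hits for lockfile v1 (nested) or v2/v3 (flat paths)."""
    hits: List[Tuple[str, str]] = []
    if "packages" in lock:
        # v2/v3 keys are install paths such as "node_modules/a/node_modules/b";
        # the "" key is the root project itself and never matches.
        for path, meta in lock["packages"].items():
            name, ver = path.rsplit("node_modules/", 1)[-1], meta.get("version", "0.0.0")
            if path and is_flagged(name, ver):
                hits.append((name, ver))
        return hits
    def walk(deps: dict) -> None:  # v1: recurse the nested dependency tree
        for name, meta in deps.items():
            ver = meta.get("version", "0.0.0")
            if is_flagged(name, ver):
                hits.append((name, ver))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return hits

# Constructed sample lockfile (v3 layout); not a real project's file.
SAMPLE_LOCK = json.loads("""{
 "lockfileVersion": 3,
 "packages": {
  "": {"name": "demo", "version": "0.1.0"},
  "node_modules/lodash": {"version": "4.17.21"},
  "node_modules/left-pad/node_modules/warbeast2000": {"version": "1.0.3"},
  "node_modules/kodiak2k": {"version": "2.4.0"}
 }
}""")
```

Run `scan_lockfile(json.load(open("package-lock.json")))` against a real lockfile; a non-empty result means the named packages were installed and the host's SSH keys should be treated as compromised.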
Asylum seekers targeted with MetaStealer
Cyble uncovered an ongoing cyber campaign targeting individuals seeking asylum in the U.S., employing MetaStealer malware. The attack involves a malicious ZIP archive disguised as a PDF document, distributed through a suspicious URL. Upon opening the ZIP file, victims encounter a seemingly innocent PDF that, when opened, executes a series of actions leading to the deployment of the malware. The attack leverages DLL sideloading, dropping an MSI installer, and a CAB file housing MetaStealer.
Malicious tool facilitates persistent network access
Security researchers at Kroll discovered an uptick in the use of the SYSTEMBC tool for network access. The tool serves as a SOCKS5 proxy and provides threat actors with a persistent backdoor for unauthorized access. First identified in 2018, SYSTEMBC is used across various campaigns and alongside different malware families. The SYSTEMBC kit comprises the malware itself, a C2 server, and a PHP admin portal. The Rhysida ransomware group often employs it for post-compromise access.
Multiple flaws affect Splunk Enterprise
Splunk patched multiple vulnerabilities in Splunk Enterprise, including a high-severity flaw (CVE-2024-23678) affecting Windows instances. The vulnerability is related to incorrect sanitization of path input data, leading to the unsafe deserialization of untrusted data from a separate disk partition on the machine. Deserialization vulnerabilities can allow attackers to execute arbitrary code. This specific flaw only impacts Splunk Enterprise for Windows.
Flaws in Lamassu Douro Bitcoin ATMs
Security researchers from IOActive identified three vulnerabilities in the Lamassu Douro bitcoin ATMs, potentially allowing an attacker with physical access to take over devices and steal user assets. The vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) include weaknesses in the boot process that allow interaction with the operating system window manager, a vulnerability in the software update mechanism that could enable an attacker to supply a malicious file, and the use of a weak root password that could be cracked easily.
Chinese attackers exploit Ivanti VPN bugs
Chinese government-affiliated attackers are allegedly exploiting critical vulnerabilities in Ivanti's VPN appliances in what is believed to be a cyberespionage campaign. Security company Censys detected 492 infected Ivanti VPNs out of 26,000 devices exposed to the internet, with over 25% of them located in the U.S. Ivanti has not yet released patches for the vulnerabilities (CVE-2023-46805 and CVE-2024-21887), but a patch is expected this week.
Critical flaw in Fortra's GoAnywhere MFT
A critical security flaw was disclosed in Fortra's GoAnywhere MFT software. Tracked as CVE-2024-0204, the bug allows an unauthorized user to create an admin user via the administration portal. The flaw has a CVSS score of 9.8 out of 10. Users are advised to upgrade to version 7.4.1 or apply temporary workarounds in non-container deployments, such as deleting the InitialAccountSetup.xhtml file in the install directory and restarting services.
Google rolls out fixes for Chrome 121
Google released Chrome 121 to the stable channel, addressing 17 vulnerabilities. Three were rated as 'high' severity, covering issues in WebAudio, Accessibility, and WebUI. Users are advised to update to Chrome version 121.0.6167.85/86 on Windows and 121.0.6167.85 on macOS and Linux to ensure their browsers are protected against potential threats.