
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 26, 2024

In the constantly evolving landscape of cyber threats, a striking new development has emerged, shedding light on the sophisticated tactics of digital adversaries. Researchers have unearthed an advanced variant of the notorious backdoor malware, LODEINFO. This malware, attributed to a Chinese nation-state actor, has undergone significant evolution, now boasting an array of new features and refined anti-analysis techniques.

On the vulnerability front, Cisco has stepped into the spotlight, releasing critical patches for a severe security flaw (CVE-2024-20253) in its Unified Communications and Contact Center Solutions products. Meanwhile, Mozilla has fortified its digital ramparts, rolling out security updates for Firefox and Thunderbird. These updates address a set of 15 vulnerabilities, with five bearing the ominous 'high severity' tag.

Top Breaches Reported in the Last 24 Hours

Akira ransomware claims Lush

The Akira ransomware group claimed responsibility for a cybersecurity incident at British bath bomb merchant Lush, stating it stole 110GB of data, including personal documents such as passport scans. The data also includes company documents related to accounting, finances, tax, projects, and clients. Akira is threatening to make the data public.

Updates on 23andMe breach

In an update, 23andMe confirmed that attackers stole health reports and raw genotype data of customers in the credential stuffing attack that went unnoticed from April 29, 2023, to September 27, 2023. The hack impacted 6.9 million people, leading to lawsuits and updated Terms of Use.

Widening APT29 attacks - warns Microsoft

The Microsoft Threat Intelligence team published a new advisory stating that APT29 (aka Midnight Blizzard) is also targeting other organizations. This Russia-based cyberespionage group had targeted Microsoft in November 2023. The group utilizes techniques such as password spray attacks, malicious use of OAuth applications, and residential proxy infrastructure to gain access to Microsoft corporate email accounts and evade detection.
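The password-spray technique named above has a distinctive shape in sign-in logs: one source produces failed logons for many different accounts in a short window, with only one or two attempts per account, which is the opposite of a single-account brute force. The following detector is an added example written for this briefing, not code from Microsoft or from the advisory; the log format, the thresholds and the sample lines are all constructed for illustration.

```python
"""Flag password-spray patterns in sign-in logs (added example).

Signal: one source IP fails against many DISTINCT usernames inside a short
window, with few failures per user. The log format and sample lines below are
constructed for this example: "<ISO timestamp> <src_ip> <user> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log. 203.0.113.10 sprays six accounts and then
# succeeds on one; 198.51.100.7 hammers a single account (brute force, not
# spray); 192.0.2.5 is a user mistyping a password once.
SAMPLE_LOG = """\
2024-01-25T09:00:01Z 203.0.113.10 alice FAIL
2024-01-25T09:00:05Z 203.0.113.10 bob FAIL
2024-01-25T09:00:09Z 203.0.113.10 carol FAIL
2024-01-25T09:00:14Z 203.0.113.10 dave FAIL
2024-01-25T09:00:20Z 203.0.113.10 erin FAIL
2024-01-25T09:00:26Z 203.0.113.10 frank FAIL
2024-01-25T09:00:30Z 203.0.113.10 grace SUCCESS
2024-01-25T09:01:00Z 198.51.100.7 alice FAIL
2024-01-25T09:01:10Z 198.51.100.7 alice FAIL
2024-01-25T09:01:20Z 198.51.100.7 alice FAIL
2024-01-25T09:01:30Z 198.51.100.7 alice FAIL
2024-01-25T09:01:40Z 198.51.100.7 alice FAIL
2024-01-25T09:01:50Z 198.51.100.7 alice FAIL
2024-01-25T10:30:00Z 192.0.2.5 bob FAIL
2024-01-25T10:30:05Z 192.0.2.5 bob SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Return {src_ip: sorted targeted users} for sources whose failures, in
    some sliding window of length `window`, hit at least `min_users` distinct
    accounts with no more than `max_per_user` failures each. The per-user cap
    is what separates spraying from single-account brute force. Thresholds are
    assumptions for this example; tune them to the tenant's normal failure rate.
    """
    failures = defaultdict(list)  # src_ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    hits = {}
    for ip, events in failures.items():
        events.sort()
        sprayed = set()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprayed.update(per_user)
        if sprayed:
            hits[ip] = sorted(sprayed)
    return hits


def successes_after_spray(log_text, spray_hits):
    """For each spraying source, list accounts it later signed into successfully.
    These are the accounts to treat as likely compromised and reset first."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, outcome = parse_line(line)
        if ip in spray_hits and outcome == "SUCCESS":
            result[ip].add(user)
    return {ip: sorted(users) for ip, users in result.items()}


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_LOG)
    print("spray sources:", hits)
    print("successful sign-ins from spray sources:", successes_after_spray(SAMPLE_LOG, hits))
```

Residential proxy infrastructure, also mentioned above, weakens the single-IP grouping: the same spray may arrive from many consumer IPs. In practice the same logic is run with the grouping key widened to a user agent, an ASN, or an application ID, and a success from any spraying group is escalated rather than treated as a normal sign-in.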

Healthcare faces ScreenConnect threats

The HHS issued a warning about a cybersecurity breach involving the self-hosted version of the remote access tool ScreenConnect from ConnectWise. The incident involved the compromise of the pharmacy supply chain and managed services provider, Outcomes, allowing threat actors to gain unauthorized access to their IT environment. The attackers used ScreenConnect for initial access and installed additional remote access tools, leading to concerns about potential impacts on Outcomes' clients and users.

Top Malware Reported in the Last 24 Hours

Mexican banks targeted with AllaKore RAT

BlackBerry found a financially motivated threat actor targeting Mexican banks and cryptocurrency trading entities with custom-packaged installers delivering a modified version of the AllaKore RAT. The attackers use lures with Mexican Social Security Institute (IMSS) naming schemas and links to legitimate documents during the installation process. The payload is heavily modified to send stolen banking credentials and unique authentication information to a C2 server for financial fraud.

LODEINFO malware evolves

Researchers discovered an updated version of a backdoor malware called LODEINFO, distributed through spear-phishing attacks. The malware, attributed to the Chinese nation-state actor Stone Panda, has evolved to include new features and anti-analysis techniques. It is capable of executing arbitrary shellcode, taking screenshots, and exfiltrating files. The attacks involve phishing emails with malicious Word documents, and the latest version of LODEINFO includes a fileless downloader and backdoor shellcode.

Top Vulnerabilities Reported in the Last 24 Hours

Critical Cisco bug spotted

Cisco has released patches to fix a critical security flaw (CVE-2024-20253) in its Unified Communications and Contact Center Solutions products, which could allow remote attackers to execute arbitrary code on affected devices. The flaw was discovered by security researcher Julien Egloff and affects several Cisco products. There are no workarounds, but users are advised to set up access control lists to limit access until updates can be applied. This comes after Cisco recently issued fixes for another critical security flaw (CVE-2024-20272) in Unity Connection.

Firefox 122 patches 15 vulnerabilities

Mozilla has released security updates for Firefox and Thunderbird to address 15 vulnerabilities, including five rated as 'high severity'. These vulnerabilities could potentially lead to denial of service, arbitrary code execution, and other security issues. The updates include fixes for flaws such as out-of-bounds write (CVE-2024-0741), failure to update user input timestamp (CVE-2024-0742), unchecked return value in TLS handshake code (CVE-2024-0743), and stack buffer overflow in WebAudio (CVE-2024-0745). Firefox 122 and Thunderbird 115.7 have been released with patches for these security defects.

Critical severity bug in WordPress plugin

The 'Better Search Replace' WordPress plugin, used by over a million websites, has a critical security flaw (CVE-2023-6933) that allows attackers to execute code, access sensitive data, and delete files. Hackers have already initiated thousands of attacks targeting this vulnerability in the past 24 hours. The plugin's vendor, WP Engine, released version 1.4.5 to fix the issue, and users are urged to update immediately.

Jenkins flaw leads to RCE

A critical vulnerability in Jenkins' command line interface allows attackers to obtain cryptographic keys and execute arbitrary code remotely. The flaw, tracked as CVE-2024-23897, affects specific versions of Jenkins and Jenkins LTS, enabling attackers to read files and potentially execute remote code. The issue is resolved in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature.

Top Scams Reported in the Last 24 Hours

Investment firm warns about scams

The National Investor, an Abu Dhabi-based investment firm, has issued a warning about the fraudulent use of its name, logo, and employees' names in online scams. These scams solicit personal and financial information from individuals and entities under the pretense of investment opportunities and tenders. This warning is part of a broader trend of phishing messages impersonating official entities and misleading search engine results related to prominent Dubai organizations and tourist sites.

Malicious ads target Chinese users

A malicious ad campaign has been targeting Chinese-speaking users with fake download links for popular messaging apps like Telegram and LINE. The ads lead to pages where users unknowingly download Remote Administration Trojans (RATs) that give attackers control of their machines. The threat actor is using Google advertiser accounts and infrastructure to distribute the malware. The campaign seems to be focused on restricted or banned applications in China, possibly for data collection and spying.
