Cyware Daily Threat Intelligence
Daily Threat Briefing • Jan 31, 2024
Since the disclosure, multiple threat actors have been exploiting the Ivanti VPN zero-day bugs, with a new Rust-based malware recently joining the band. Called KrustyLoader, it acts as a loader that downloads the Sliver backdoor. Simultaneously, a new ransomware group, named Alpha, has surfaced and launched its leak site on the dark web, which displays data from industries impacted across the U.K., U.S., and Israel.
In Linux security, a critical bug in the GNU C library allows local privilege escalation, giving unprivileged users full root access; the bug was unintentionally introduced in glibc 2.37 in August 2022. Additionally, Unit 42 researchers laid bare a large-scale campaign employing over 130,000 domains to distribute scareware, Potentially Unwanted Programs (PUPs), and scam pages.
Fintech firm exposes sensitive user data
Direct Trading Technologies, an international fintech company, exposed the sensitive information of over 300,000 users due to a misconfigured web server discovered by the Cybernews research team. The leaked data included trading activity, names, email addresses, IP addresses, plaintext passwords, home addresses, phone numbers, and credit card details. Additionally, internal comments from the company's outreach team about clients were exposed.
IntelBroker claims attack on mobile banking app
The IntelBroker group allegedly targeted a popular mobile banking app with over 10 million users. The threat actor posted details on a hacker forum, offering an exploit capable of scraping and leaking sensitive information from the banking app. The data for sale included full names, countries, and payment methods of users. The cybercriminals demanded payment exclusively in XMR (Monero). While the name of the victim firm has not been made public, speculation points to Nu Bank.
Romania’s lower house suffers breach
A hacker group infiltrated the database of the Romanian Chamber of Deputies, obtaining confidential information, including the prime minister's identity documents, medical analyses, and other personal data. The hackers threatened to release the personal data of deputies if they did not receive a ransom, demanding 0.8 bitcoins. The attackers reportedly published some information online, including the identity cards of Prime Minister Marcel Ciolacu and UDMR leader Kelemen Hunor.
KrustyLoader exploits Ivanti zero-day flaws
Threat actors are exploiting zero-day vulnerabilities in Ivanti Connect Secure VPN devices to deliver KrustyLoader. The exploit chain allows threat actors to access restricted resources without authentication and execute commands on compromised systems. The attackers, including the group UTA0178 (UNC5221), target diverse entities worldwide, deploying KrustyLoader to download a Golang-based Sliver backdoor.
Ransomware group showcases new leak site
A newly discovered ransomware group, Alpha, has emerged, launching its Dedicated/Data Leak Site (DLS) on the Dark Web. Despite its recent appearance, Alpha ransomware has been observed since May 2023. The ransomware appends a random 8-character alphanumeric extension to encrypted files, and its DLS, titled "MYDATA," is considered unstable and frequently offline. Victims, spanning various sectors in the U.K., the U.S., and Israel, are featured on the site.
Hitron DVR devices exploited by InfectedSlurs botnet
Multiple DVR device models from South Korean manufacturer Hitron Systems are reportedly under active exploitation by the InfectedSlurs botnet, according to reports from Akamai. The botnet specifically targets Hitron DVRs and exploits six zero-day vulnerabilities (CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842). These vulnerabilities, categorized as improper input validation issues, allow attackers to inject OS commands and achieve remote code execution.
MS-SQL servers targeted with Mimic malware
The Trigona ransomware threat actor has expanded its activities by installing Mimic malware targeting MS-SQL servers. The actor abuses the Bulk Copy Program (BCP) feature in MS-SQL servers, utilizing the bcp.exe command-line tool during the malware installation process. The threat actor uses the Everything file search tool to speed up file encryption and imitates aspects of the Conti ransomware. The installed files also contain tools for deactivating Windows Defender and port forwarding.
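The BCP abuse described above gives defenders a concrete thing to look for: the database engine itself spawning bcp.exe. The following is an added example, not code from Cyware or from any vendor named in this briefing. It assumes a pipe-delimited process-creation log of the form timestamp|host|parent_image|image|command_line (a constructed format), that the SQL Server engine runs as sqlservr.exe and that a command launched from inside the engine shows up with sqlservr.exe as its parent, and that bcp's second positional argument is its data direction (in, out, queryout or format), with queryout meaning query results are being written to a file on disk. The sample log lines are constructed.

```python
# Added example (not Cyware's or any vendor's code): flag bcp.exe launched
# from the SQL Server engine process in a process-creation log.
#
# Assumptions (constructed for this example): log lines are
# "timestamp|host|parent_image|image|command_line"; the engine runs as
# sqlservr.exe; bcp's second positional argument is its direction keyword,
# and "queryout" (query results written to a file) is rated higher than an
# import or a plain table export.
from dataclasses import dataclass
import ntpath
import shlex
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    event: ProcessEvent
    severity: str  # "high" or "medium"
    reason: str


def parse_line(line: str) -> ProcessEvent:
    # maxsplit=4 keeps any '|' that appears inside the command line intact
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed process event: {line!r}")
    return ProcessEvent(*parts)


def image_name(path: str) -> str:
    # Windows paths; compare on the lowercase file name only
    return ntpath.basename(path).lower()


def bcp_direction(command_line: str) -> str:
    # bcp {table|query} {in|out|queryout|format} datafile [options]
    # posix=False keeps a quoted query as one token, so an "in" inside the
    # query text is not mistaken for the direction keyword.
    tokens = shlex.split(command_line, posix=False)
    if len(tokens) >= 3 and tokens[2].lower() in ("in", "out", "queryout", "format"):
        return tokens[2].lower()
    return "unknown"


def classify(ev: ProcessEvent) -> Optional[Finding]:
    if image_name(ev.parent_image) != "sqlservr.exe":
        return None  # bcp run by an operator or job host, not from inside the engine
    if image_name(ev.image) != "bcp.exe":
        return None
    direction = bcp_direction(ev.command_line)
    if direction == "queryout":
        return Finding(ev, "high", "bcp.exe spawned by sqlservr.exe writing query output to disk")
    return Finding(ev, "medium", f"bcp.exe spawned by sqlservr.exe (direction={direction})")


def detect(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log; hosts, paths and table names are illustrative only.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
BCP = r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe"
SAMPLE_LOG = [
    f'2024-01-31T09:12:01Z|SQL01|{SQLSERVR}|{BCP}|bcp "select payload from dbo.staging" queryout C:\\Temp\\out.bin -T -N',
    f'2024-01-31T09:12:05Z|SQL01|{SQLSERVR}|C:\\Windows\\System32\\conhost.exe|conhost.exe 0xffffffff -ForceV1',
    f'2024-01-31T10:00:00Z|SQL01|C:\\Windows\\explorer.exe|{BCP}|bcp dbo.orders out C:\\export\\orders.dat -T -c',
    f'2024-01-31T11:30:00Z|SQL01|{SQLSERVR}|{BCP}|bcp dbo.staging in C:\\Temp\\rows.dat -T -c',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.severity}] {f.event.ts} {f.event.host}: {f.reason}")
```

The parent-process check is what keeps the rule quiet: bcp.exe run by a DBA from a shell or by a scheduled job has a different parent, so only the engine spawning a file-writing tool is surfaced, and the queryout case is ranked first because it is the one that places arbitrary table contents on disk.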
Critical GitLab bug allows file overwrite
GitLab addressed a critical vulnerability, tracked as CVE-2024-0402, in its Community Edition and Enterprise Edition. With a CVSS score of 9.9, the flaw affects versions 16.0 to 16.8.1. It could allow authenticated users to write files to arbitrary locations on the GitLab server while creating a workspace. The company has released patches and advised users to upgrade to mitigate risks.
Security bug opens Linux systems to root access
A serious security flaw in the GNU C library could allow malicious local attackers to gain full root access on Linux machines. Exploiting this flaw requires specific conditions but could lead to significant consequences due to the widespread use of the affected library. The vulnerability impacts major Linux distributions, including Debian, Ubuntu, and Fedora. Three additional flaws were also identified in glibc: CVE-2023-6779, CVE-2023-6780, and a bug in the qsort() function.
Malicious campaign delivers scareware
Researchers at Unit 42 have identified a large-scale campaign named ApateWeb that employs over 130,000 domains to distribute scareware, PUPs, and other scam pages. The campaign involves adware programs, a rogue browser, and various browser extensions. These serve as potential initial access points for cybercriminals, putting victims at risk of more severe threats.