Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 1, 2024
Enterprise software remains an attractive foothold for attacks on critical infrastructure sectors. An unidentified adversary compromised a Korean ERP solution to reach defense and manufacturing companies, inserting a malicious routine into the ERP's update program so that it delivered the Xctdoor backdoor, which collects system information and executes commands from its operators.
Separately, the North Korea-linked Kimsuky group deployed TRANSLATEXT, a malicious Google Chrome extension aimed at South Korean academics. The extension steals email addresses, usernames, passwords, cookies, and browser screenshots.
Security researchers disclosed several vulnerabilities in the Emerson Rosemount 370XA gas chromatograph, including a critical command injection flaw and authentication bypasses. Emerson and CISA have both issued advisories recommending firmware updates.
Xctdoor malware targets Korean companies
ASEC uncovered a case in which an unidentified threat actor abused a Korean ERP solution to attack the defense and manufacturing industries. The attacker inserted a malicious routine into the ERP update program so that the update mechanism itself distributed the Xctdoor backdoor, which collects system information and executes operator commands. The same campaign compromised web servers to install the XcLoader loader, which injects Xctdoor into running processes. Xctdoor communicates with its C&C server over HTTP and encrypts the traffic.
Kimsuky uses TRANSLATEXT Chrome extension
The North Korea-linked threat actor Kimsuky has been using a new malicious Google Chrome extension, TRANSLATEXT, to steal sensitive information from South Korean academics who study North Korean political affairs. The extension harvests email addresses, usernames, passwords, and cookies and captures browser screenshots. The infection chain starts with a ZIP archive themed around Korean military history that contains a Hangul Word Processor (HWP) document and an executable.
MerkSpy abuses MS Office bug
A multi-stage attack is exploiting CVE-2021-40444, the MSHTML remote code execution vulnerability reachable through Microsoft Office documents, to deploy spyware known as MerkSpy. The chain begins with a malicious Word document posing as a job description; opening it triggers the vulnerability, which downloads and executes an HTML file named "olerender.html." That file extracts and runs shellcode that downloads and decodes the core MerkSpy payload, which monitors user activity, captures sensitive information, and establishes persistence on the compromised system.
Juniper released out-of-band security updates
Juniper Networks released out-of-band security updates for its Session Smart networking products. The most severe vulnerability, CVE-2024-2973, is an authentication bypass that could let an unauthenticated attacker take full control of an affected device. It impacts certain versions of Session Smart Router, Session Smart Conductor, and WAN Assurance Router, but only when they run in a high-availability redundant configuration. Juniper stated that there are no workarounds; in Conductor-managed deployments, upgrading the Conductor nodes applies the fix automatically to the routers they manage.
RCE bug in OpenSSH server
Qualys discovered an unauthenticated remote code execution vulnerability (CVE-2024-6387), named regreSSHion, in the OpenSSH server (sshd) on glibc-based Linux systems. It is a signal handler race condition in sshd's SIGALRM handler, a regression of the 2006 bug CVE-2006-5051 that was reintroduced in OpenSSH 8.5p1; releases 8.5p1 through 9.7p1 are affected and 9.8p1 fixes it. Successful exploitation yields code execution as root, so the impact is full system compromise, data theft, and malware installation. Qualys estimates over 14 million potentially vulnerable OpenSSH instances exposed to the Internet. Exploitation is difficult because the race must be won against sshd's login timeout and required many hours of repeated connection attempts in Qualys's lab on 32-bit systems, but organizations are urged to patch promptly.
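The practical first step is to find which exposed sshd instances fall into the affected ranges. The following is an added example for this briefing, not code from Qualys or the OpenSSH project: it parses SSH version banners and maps the upstream OpenSSH version to the ranges the Qualys advisory published. The banners in SAMPLE_BANNERS are constructed for the example.

```python
"""Banner-based triage for CVE-2024-6387 (regreSSHion).

Added example; not code from Qualys or OpenSSH. Ranges per the Qualys advisory:

  OpenSSH < 4.4p1        vulnerable unless backport-patched for CVE-2006-5051
  4.4p1 <= v < 8.5p1     not vulnerable (the CVE-2006-5051 fix closed the path)
  8.5p1 <= v < 9.8p1     vulnerable (the fix regressed in 8.5p1)
  v >= 9.8p1             fixed

Non-portable OpenSSH (no 'pN' suffix, i.e. OpenBSD) is not affected because
OpenBSD's syslog_r() is async-signal-safe. A banner check only reflects the
upstream version: distributions backport the fix without changing it, so
"vulnerable-unless-backported" must be confirmed against the package version.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# "SSH-2.0-OpenSSH_9.7p1 Ubuntu-7ubuntu4" -> major 9, minor 7, portable level 1
BANNER_RE = re.compile(r"SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

Version = Tuple[int, int, int]  # (major, minor, portable patch level)


def parse_banner(banner: str) -> Optional[Tuple[Version, bool]]:
    """Return ((major, minor, p), is_portable), or None for a non-OpenSSH banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, p = int(m.group(1)), int(m.group(2)), m.group(3)
    return (major, minor, int(p) if p else 0), p is not None


def classify(version: Version, portable: bool) -> str:
    """Map an upstream OpenSSH version onto the advisory's affected ranges."""
    if not portable:
        return "non-portable-not-affected"
    if version < (4, 4, 1):
        return "vulnerable-unless-backported"   # pre CVE-2006-5051 fix
    if version < (8, 5, 1):
        return "not-vulnerable"                 # fix present, regression not yet
    if version < (9, 8, 1):
        return "vulnerable-unless-backported"   # regression window 8.5p1..9.7p1
    return "fixed"


def triage(banner: str) -> str:
    """Verdict for one banner line as returned by the server on connect."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, portable = parsed
    return classify(version, portable)


def triage_all(banners: Iterable[str]) -> Dict[str, str]:
    """Verdict per banner, e.g. from a scan export; input order is preserved."""
    return {b: triage(b) for b in banners}


# Constructed sample banners (not from any real scan).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.7p1 Ubuntu-7ubuntu4",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_8.5p1",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner, verdict in triage_all(SAMPLE_BANNERS).items():
        print(f"{verdict:30s} {banner}")
```

A "vulnerable-unless-backported" verdict is a lead, not a finding: confirm with the installed package (`dpkg -s openssh-server` or `rpm -q openssh-server`) and the distribution's changelog before counting a host as exposed. Where patching must wait, the Qualys advisory notes that setting `LoginGraceTime 0` in sshd_config removes the SIGALRM path the exploit depends on, at the cost of leaving sshd open to connection-exhaustion denial of service.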
Multiple flaws in Gas Chromatographs
Security researchers identified multiple vulnerabilities in the Emerson Rosemount 370XA gas chromatograph, the most severe of them critical. They are: an unauthenticated remote code execution or command injection vulnerability (CVE-2023-46687) with a CVSS v3 score of 9.8; an authentication bypass vulnerability (CVE-2023-51761); a user login bypass via the password reset mechanism (CVE-2023-49716); and a command injection vulnerability via the reboot functionality (CVE-2023-43609). Emerson has released a security advisory recommending firmware updates, and CISA has issued its own advisory covering these vulnerabilities.