Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 15, 2024
Researchers have warned of a surge in activity by the Iranian threat group MuddyWater, which has deployed a new backdoor dubbed BugSleep. The malware is built to execute the operators' commands and to transfer files covertly.
Netgear has rolled out critical firmware patches addressing XSS and authentication bypass vulnerabilities in select WiFi 6 router models.
Meanwhile, a sophisticated malvertising campaign has targeted Mac users searching for Microsoft Teams, delivering the Atomic Stealer malware while evading detection. The campaign's ads have been traced to Hong Kong.
About this new HardBit Ransomware 4.0
Cybereason spotted the emergence of HardBit Ransomware version 4.0, which adds new obfuscation techniques and passphrase protection to hinder analysis. The ransomware group operates without a data leak site and uses double extortion tactics to pressure victims into paying. It is suspected of gaining initial access by brute-forcing RDP and SMB services, after which it performs credential theft and network discovery. Once executed, HardBit encrypts victim data and can disable antivirus software and terminate processes.
BugSleep: MuddyWater’s new toy
Check Point warned that the Iranian threat group MuddyWater has increased its cyber activities against Israel, deploying a new backdoor called BugSleep. The group has been using phishing emails to deploy legitimate remote management tools and has now introduced BugSleep to target organizations in Israel. BugSleep is designed to execute the threat actors' commands and transfer files between the compromised machine and the C2 server. The backdoor is currently in development, with the threat actors continuously improving its functionality and addressing bugs.
Patch bugs, warns Netgear
Netgear issued firmware updates to fix stored cross-site scripting (XSS) and authentication bypass vulnerabilities in certain WiFi 6 router models. The authentication bypass flaw (tracked as PSV-2023-0138) impacts Netgear's CAX30 Nighthawk AX6 6-Stream cable modem routers. This vulnerability could allow attackers to gain unauthorized access to the administrative interface and potentially take full control of the targeted devices. The stored XSS vulnerability (tracked as PSV-2023-0122) affects the XR1000 Nighthawk gaming router. Successful exploitation of this flaw could enable attackers to hijack user sessions, redirect users to malicious sites, steal restricted information, and more.
Palo Alto addressed five vulnerabilities
Palo Alto Networks released security updates to fix five vulnerabilities in its products. The most severe issue, CVE-2024-5910, is an authentication bypass flaw in the Expedition tool, which could allow attackers to take over admin accounts. Another vulnerability, CVE-2024-5911, affects the Panorama Web Interface of PAN-OS, potentially enabling an authenticated administrator to disrupt system processes. The remaining issues involve an improper file signature verification check in Cortex XDR Agent and input validation and authentication vulnerabilities in PAN-OS.
Mac users lured into a malvertising campaign
A sophisticated malvertising campaign targeted Mac users searching for Microsoft Teams, using Atomic Stealer malware and evading detection through deceptive ad techniques. The campaign involved redirecting users to a fake Microsoft Teams download site, which then prompted users to enter their password and grant access to their file system, enabling the theft of keychain passwords and files. The campaign ads were traced to Hong Kong.
URL protections mask phishing links
Cybercriminals are exploiting legitimate URL protection services to disguise malicious phishing links and bypass traditional security controls. Attackers gain access to URL protection accounts through compromised credentials and use the service to rewrite their phishing URLs, concealing the malicious nature of the links. This allows them to impersonate account owners, infiltrate email communications, and send phishing emails from the compromised accounts. Attackers can determine if a URL protection service is being used by analyzing links in emails or email signatures.