Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 19, 2023
A crafty and audacious scheme has come to light: ransomware actors disguised themselves as a cybersecurity company, Sophos. The adversaries named their new Ransomware-as-a-Service (RaaS) operation SophosEncrypt, which, as expected, misled some in the cyber landscape. The other threat in the spotlight today is the FakeSG campaign, which bears striking similarities to the tactics used by the infamous SocGholish group. The campaign uses compromised WordPress websites to distribute the NetSupport RAT.
Security researchers have linked WyrmSpy and DragonEgg spyware to the notorious Chinese espionage group APT41. The group has shown no signs of slowing down despite recent indictments by the U.S. government.
Two unsecured databases
Researchers found two misconfigured Google Cloud Storage buckets, belonging to Le Mans Endurance Management, containing over 1.1 million files. The data included passports, government-issued IDs, and driver's licenses of FIA World Endurance Championship (FIA WEC) drivers. The exposed datasets were secured after the company was notified, but the incident may have violated GDPR regulations.
Blackhat poses as whitehat
A new RaaS called SophosEncrypt was found impersonating the cybersecurity firm Sophos. It was initially perceived as a red team exercise, but the Sophos X-Ops team clarified that it did not create the encryptor and is investigating the incident. The ransomware encryptor, written in Rust, prompts the affiliate to enter a victim token that is verified online. The affiliate is then prompted for additional information, such as a contact email and a password for encryption.
FakeSG drops NetSupport RAT
A new malicious campaign, FakeSG, has emerged, mirroring the tactics of the well-known SocGholish in delivering the NetSupport RAT through compromised WordPress websites. FakeSG imitates browser update templates tailored to the victim's browser and uses multiple layers of obfuscation and delivery techniques. The campaign uses either internet shortcuts or ZIP files to download the malicious payload.
APT41 behind a spyware duo
The Chinese nation-state group APT41 has been associated with two new Android spyware strains, named WyrmSpy and DragonEgg. The initial infection vector for the mobile surveillanceware campaign remains uncertain, but social engineering is suspected. WyrmSpy pretends to be a default system app or disguises itself as adult content, Baidu Waimai, or Adobe Flash. DragonEgg poses as third-party Android keyboards or messaging apps like Telegram.
CISA orders zero-day patch
CISA has directed federal agencies to address RCE zero-days affecting Windows and Office products that are being exploited by the cybercriminal group behind RomCom RAT in NATO-themed phishing attacks. Microsoft plans to release patches for the flaws, collectively known as CVE-2023-36884, via a monthly patch release. In the meantime, users are advised to follow the provided mitigation steps.
Bugs risk Citrix ADC and Gateway
Citrix is warning its customers of an actively exploited critical flaw, tracked as CVE-2023-3519, impacting NetScaler Application Delivery Controller (ADC) and Gateway. The vulnerability allows code injection, leading to unauthenticated remote code execution. Affected versions include NetScaler ADC and Gateway 13.1, 13.0, and 12.1. Citrix also addressed two other flaws, CVE-2023-3466 and CVE-2023-3467.
Google patches Bad.Build bug
Google addressed a vulnerability in Cloud Build that could have enabled attackers to manipulate application images and compromise users. The bug, called Bad.Build, involved default service accounts with excessive permissions, which allowed attackers to impersonate those accounts and inject malicious code during the build process. The vulnerability posed a supply chain threat: applications built from manipulated images could be affected, leading to DoS attacks, data theft, and malware distribution.
Security mishaps in medical devices
Medical device maker Becton, Dickinson and Co. has warned about eight vulnerabilities in its BD Alaris Guardrails Suite MX, potentially compromising data and device integrity. The highest severity issue is a cross-site scripting flaw that could allow a malicious file to be uploaded, resulting in a hijacked session. So far, there have been no reports of the vulnerabilities being exploited.
AFF camouflages as job offers
Proofpoint has uncovered a concerning trend of cyberattacks targeting university students in the U.S. through fraudulent job offers. The campaigns, active from March to June, primarily focused on luring victims with job opportunities related to bioscience and health organizations. The threat actor behind the attacks attempted to engage recipients in video calls to discuss the purported roles. However, the true objective behind these campaigns appears to be Advance Fee Fraud (AFF).
Tech support scams target older adults
The FBI issued a warning about a rise in technical support scams targeting older adults nationwide. Scammers use various means to contact victims, posing as legitimate tech support from well-known companies, and claim to offer refunds or to resolve fraudulent activity. Victims are persuaded to download software that grants the scammers remote access to their computers and bank accounts.