Cyware Daily Threat Intelligence

Daily Threat Briefing • July 19, 2024
Making the headlines once more, the Play ransomware group introduced a cunning Linux variant designed to infiltrate and cripple VMware ESXi environments. The malware has predominantly targeted the U.S., leaving a trail of encrypted files in its wake.
The Chinese government-backed cyber espionage ensemble, APT41, has been found infiltrating organizations in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K., targeting various industries with an array of malware in its arsenal.
In other news, SolarWinds sprung into action with crucial security updates for its Access Rights Manager, aiming to neutralize 13 vulnerabilities.
Play Ransomware group’s new Linux variant
The Play ransomware group has developed a new Linux variant targeting VMware ESXi environments, with most attacks concentrated in the U.S. The variant evades security measures and encrypts files in ESXi environments: it encrypts VM files, powers off the VMs, and drops a ransom note. The group appears to be using infrastructure from the Prolific Puma group, and the researchers noted a possible connection between Play ransomware and Prolific Puma.
Revolver Rabbit's large-scale domain registration
The cybercriminal gang Revolver Rabbit has registered over 500,000 domain names using Registered Domain Generation Algorithms (RDGAs) to facilitate info-stealer campaigns targeting Windows and macOS systems. The threat actor is distributing the XLoader info-stealing malware, controlling more than 500,000 domains under the .bond top-level domain to create decoy and live C2 servers for the malware. This massive domain registration campaign has cost the gang over $1 million in registration fees.
APT41 infiltrates multiple countries
Mandiant documented a sustained cyber campaign by the China-based hacker group APT41, targeting organizations in shipping and logistics, media, technology, and automotive sectors. The threat actor infiltrated networks and used various tools for data exfiltration, including ANTSWORD, BLUEBEAM, DUSTPAN, DUSTTRAP, SQLULDR2, and PINEGROVE. The group's victims were located in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. They also had a history of targeting the video game industry and were observed using non-public malware for espionage operations.
SolarWinds patches critical bugs
SolarWinds released security updates for Access Rights Manager to address 13 vulnerabilities, including eight critical-severity bugs. Six of the critical flaws could lead to remote code execution, while the remaining two could allow attackers to read and delete arbitrary files. The bugs have a high CVSS score and impact Access Rights Manager version 2023.2.4 and prior releases. The remaining five vulnerabilities resolved with the security update are high-severity issues that could allow attackers to perform arbitrary file deletion, information disclosure, and gain domain admin access.
Critical Splunk flaw spotted
A critical vulnerability (CVE-2024-36991) has been discovered in Splunk Enterprise on Windows, allowing attackers to access files outside the restricted directory through a specially crafted GET request. Exploitation does not require prior authentication, posing a significant risk. The vulnerability affects versions below 9.2.2, 9.1.5, and 9.0.10 on Windows with Splunk Web turned on. Admins are urged to upgrade to a fixed version immediately, or to disable Splunk Web as a mitigation until they can.
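A small triage helper for the Splunk item above, added here as an example and not code from the briefing or from Splunk. It encodes the three fixed versions the briefing lists (9.2.2, 9.1.5, 9.0.10) and the two preconditions it names (Windows, Splunk Web enabled); branches outside 9.0, 9.1 and 9.2 are not described on the page, so the helper reports them as unknown rather than guessing. The inventory records are constructed sample data.

```python
from typing import Optional

# Fixed versions per branch, as stated in the briefing for CVE-2024-36991.
FIXED_VERSIONS = {
    (9, 2): (9, 2, 2),
    (9, 1): (9, 1, 5),
    (9, 0): (9, 0, 10),
}


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch'; a build suffix after '-' or '+' is dropped."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # tolerate '9.2' meaning 9.2.0
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unexpected Splunk version format: {text!r}")
    return tuple(parts)


def cve_2024_36991_exposure(version: str, is_windows: bool,
                            splunk_web_enabled: bool) -> Optional[str]:
    """Return 'fixed', 'not_affected', 'mitigated', 'vulnerable', or None.

    None means the version branch is not covered by the briefing's
    thresholds (assumption: do not extrapolate to other branches).
    """
    ver = parse_version(version)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return None
    if ver >= fixed:
        return "fixed"
    if not is_windows:             # the flaw is described for Windows only
        return "not_affected"
    if not splunk_web_enabled:     # disabling Splunk Web is the stated mitigation
        return "mitigated"
    return "vulnerable"


def triage(inventory: list) -> list:
    """Hostnames that still need the upgrade, in inventory order."""
    return [h["host"] for h in inventory
            if cve_2024_36991_exposure(h["version"], h["windows"], h["web"]) == "vulnerable"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "splk-win-01", "version": "9.2.1", "windows": True, "web": True},
    {"host": "splk-win-02", "version": "9.1.5", "windows": True, "web": True},
    {"host": "splk-lnx-01", "version": "9.0.9", "windows": False, "web": True},
    {"host": "splk-win-03", "version": "9.0.9", "windows": True, "web": False},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['splk-win-01']
```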
SAP AI vulnerabilities expose secrets
The Wiz Research Team conducted a study on vulnerabilities within SAP's AI service, SAP AI Core. The research revealed multiple vulnerabilities that could allow attackers to access sensitive customer data, compromise internal artifacts, and gain unauthorized privileges within the AI infrastructure. The vulnerabilities were reported to SAP and subsequently fixed. Successful exploitation could allow attackers to gain access to customers' cloud credentials and private AI artifacts, potentially leading to data contamination and unauthorized access to sensitive files.