
Cyware Daily Threat Intelligence


Daily Threat Briefing Jul 23, 2024

In the chilling depths of a Ukrainian winter, a previously unseen malware launched a calculated cyberattack against a district energy company. Dubbed FrostyGoop, the malware targeted temperature controllers, crippling the central heating system of over 600 apartment buildings.

Meanwhile, ESET researchers uncovered a zero-day exploit, named EvilVideo, threatening Telegram for Android. This exploit allowed attackers to dispatch malicious APK payloads masquerading as innocuous video files in vulnerable versions of Telegram.

The recent buggy update from CrowdStrike has inadvertently thrown open the gates for cybercriminal exploitation. Phishing emails, masquerading as official CrowdStrike communications, have become the vector for disseminating data wipers and remote access tools, compromising millions of Windows hosts globally.

Top Malware Reported in the Last 24 Hours

FrostyGoop malware plays the cold game

A previously unseen malware called FrostyGoop was used in a cyberattack against a district energy company in Ukraine last winter. The attack targeted temperature controllers, disrupting the central heating system and leaving over 600 apartment buildings without heat for two days during sub-zero temperatures. FrostyGoop is able to disrupt industrial processes by altering values on ICS devices. The malware exploited the Modbus protocol to directly tamper with industrial control systems, posing a significant threat to OT environments globally.
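The Modbus abuse described above is detectable on the wire: Modbus/TCP has no authentication, so the practical control is to watch for state-changing function codes from hosts that are not approved to issue them. The script below is an added example, not code from Cyware or from the FrostyGoop analysis, and the frames, IP addresses and the allowlisted engineering workstation (10.0.0.5) are all constructed for the demo. It parses the public MBAP header and PDU layout and flags write requests from anything outside the allowlist.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change device state (public Modbus spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # first coil/register touched, when the PDU carries one
    count: Optional[int]    # how many coils/registers are touched


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = payload[7]
    data = payload[8:]
    address = count = None
    if fc in (0x05, 0x06) and len(data) >= 4:
        (address,) = struct.unpack(">H", data[:2])
        count = 1
    elif fc in (0x0F, 0x10) and len(data) >= 4:
        address, count = struct.unpack(">HH", data[:4])
    elif fc == 0x17 and len(data) >= 8:
        # read start, read count, write start, write count
        _, _, address, count = struct.unpack(">HHHH", data[:8])
    return ModbusRequest(src, dst, tid, unit, fc, address, count)


def find_unauthorized_writes(frames: List[Tuple[str, str, bytes]],
                             allowed_writers: set) -> List[dict]:
    """Flag every state-changing Modbus request whose source is not an approved writer."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError:
            continue  # not a well-formed Modbus/TCP request; out of scope here
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append({
                "src": src, "dst": dst, "unit": req.unit_id,
                "function": WRITE_FUNCTION_CODES[req.function_code],
                "address": req.address, "count": req.count,
            })
    return alerts


# Constructed sample traffic (not captured from any real incident).
# 10.0.0.5 is the assumed engineering workstation allowed to write setpoints.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    # tid=1, fc=0x03: read 10 holding registers from address 0, benign polling
    ("10.0.0.20", "10.0.1.7", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # tid=2, fc=0x06: write single register at address 16 from an unknown host
    ("10.0.0.99", "10.0.1.7", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),
    # tid=3, fc=0x10: write 2 registers at address 16 from the approved workstation
    ("10.0.0.5", "10.0.1.7",
     b"\x00\x03\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x01\x00\x02"),
    # tid=4: the same multi-register write, but from the unknown host
    ("10.0.0.99", "10.0.1.7",
     b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x10\x00\x02\x04\x00\x01\x00\x02"),
]


def demo() -> List[dict]:
    return find_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running it reports the two writes from 10.0.0.99 and stays silent on the read poll and on the approved workstation's write. The same allowlist logic applies equally to a Zeek or Suricata rule on port 502; the point is that in a flat OT network the source host, not the protocol, is the only signal you have.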

Daggerfly updates arsenal

The espionage outfit Daggerfly updated its malware arsenal, releasing new versions in reaction to previously unknown varieties becoming public. A new iteration of the Macma macOS backdoor and a new malware family built on the MgBot modular malware framework have also been unveiled by the group. Recent iterations of Macma demonstrate continuous development; one has a new core module, while another has small enhancements to existing functionality. More significant changes were also seen in the main module, which now includes new logic to gather a file system listing.

Beware of GTA VI Beta version

Threat actors are exploiting the hype around the upcoming Grand Theft Auto VI release by creating malicious Facebook ads promising a GTA VI beta version for download. These ads are designed to lure unsuspecting gamers into downloading malware instead of a legitimate game. The malicious ads lead users to download a fake GTA VI installer, which is actually a form of FakeBat loader malware. FakeBat can, in turn, deploy next-stage malware like info-stealers and RATs.

Credit card skimmer on Magento

In a sophisticated attack on a Magento e-commerce website, attackers used a swap file to maintain a persistent credit card skimmer. The malicious script captured sensitive customer data and was hidden in the code, making it challenging to remove. The attackers also leveraged a domain with a popular brand name to retrieve stolen credit card details. The malware was found in the app/bootstrap.php file and persisted even after replacing the file, hinting at a complex and resilient infection.
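Two things make the infection above hard to clean: a file that should never be in a webroot (an editor-style swap file) and a legitimate file whose contents no longer match the deploy. A file-integrity sweep catches both. The script below is an added example, not Cyware's or Magento's code; it assumes the swap file follows the common editor naming convention (`.name.swp` beside the original) and that you have SHA-256 hashes of the PHP files from a clean deployment. The webroot it scans is constructed in a temporary directory with placeholder text, not real skimmer code.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Editor swap/backup suffixes that have no business sitting in a production webroot.
SWAP_SUFFIXES = (".swp", ".swo", ".swn", "~", ".bak", ".orig")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_webroot(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report swap files, altered PHP files and PHP files absent from the baseline.

    baseline maps webroot-relative PHP paths to their known-good SHA-256,
    taken from a clean deploy.
    """
    findings = {"swap_files": [], "modified_php": [], "unexpected_php": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(SWAP_SUFFIXES):
            findings["swap_files"].append(rel)
        elif path.suffix == ".php":
            if rel not in baseline:
                findings["unexpected_php"].append(rel)
            elif sha256_file(path) != baseline[rel]:
                findings["modified_php"].append(rel)
    return {key: sorted(value) for key, value in findings.items()}


def build_demo_tree() -> Tuple[Path, Dict[str, str]]:
    """Constructed webroot: a clean baseline, then three kinds of tampering on top."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    clean = {
        "index.php": "<?php require __DIR__ . '/app/bootstrap.php';\n",
        "app/bootstrap.php": "<?php // clean bootstrap\n",
    }
    for rel, content in clean.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    baseline = {rel: sha256_file(root / rel) for rel in clean}

    # 1) bootstrap.php altered after deployment (placeholder text, no real skimmer)
    (root / "app/bootstrap.php").write_text("<?php // clean bootstrap\n// INJECTED_PLACEHOLDER\n")
    # 2) editor-style swap file left beside it, the persistence trick described above
    (root / "app/.bootstrap.php.swp").write_bytes(b"placeholder swap contents")
    # 3) a PHP file that was never part of the deploy
    (root / "pub/media").mkdir(parents=True)
    (root / "pub/media/cache.php").write_text("<?php // not in baseline\n")
    return root, baseline


def run_demo() -> Dict[str, List[str]]:
    root, baseline = build_demo_tree()
    return audit_webroot(root, baseline)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(category, paths)
```

The baseline is the important part: replacing `app/bootstrap.php` from source only helps if you also diff every other PHP file and delete the stray artifacts, which is what the three buckets give you. Run it from a cron job and alert on any non-empty bucket.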

Top Vulnerabilities Reported in the Last 24 Hours

EvilVideo vulnerability exploit on Telegram

ESET researchers discovered a zero-day exploit targeting Telegram for Android, called EvilVideo. This exploit allowed attackers to send malicious Android payloads disguised as video files in unpatched versions of Telegram. The exploit relied on tricking users into installing a malicious app disguised as a multimedia file. Telegram fixed the issue in version 10.14.5, and the exploit no longer works in patched versions. The threat actor also advertised an Android cryptor-as-a-service on the same underground forum. The exploit did not work on Telegram Web or Desktop clients.
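The exploit above works because the client trusts the file's declared type rather than its contents. On the receiving side (a mail gateway, a download scanner, an MDM attachment filter) the defence is to sniff the bytes: an APK is a ZIP archive carrying `AndroidManifest.xml` and `classes.dex`, while a real MP4 starts with an `ftyp` box. The code below is an added example, not ESET's or Telegram's, and every sample file in it is constructed in memory (the "APK" is a ZIP with placeholder entries, not a real package).

```python
import io
import os
import zipfile
from typing import Dict

# Entries that every installable Android package carries; a "video" containing
# them is a package, whatever its extension says.
APK_MARKER_ENTRIES = {"AndroidManifest.xml", "classes.dex"}
VIDEO_EXTENSIONS = {".mp4", ".mkv", ".mov", ".avi", ".webm", ".3gp"}


def sniff_container(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    if data[:4] == b"PK\x03\x04":
        return "zip"        # ZIP local file header; APKs are ZIPs
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"        # ISO base media file (MP4/MOV/3GP) file-type box
    return "unknown"


def looks_like_apk(data: bytes) -> bool:
    """True when the bytes are a ZIP archive that carries Android package entries."""
    if sniff_container(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(names & APK_MARKER_ENTRIES)


def classify_attachment(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(filename)[1].lower()
    claims_video = ext in VIDEO_EXTENSIONS
    if looks_like_apk(data):
        return "apk-masquerading-as-video" if claims_video else "apk"
    kind = sniff_container(data)
    if claims_video and kind == "mp4":
        return "video"
    if claims_video:
        return "video-extension-unknown-content"
    return kind


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs for the demo; none of these are real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("AndroidManifest.xml", "<manifest/>")
        archive.writestr("classes.dex", b"dex\n035\0placeholder")
    fake_video = buf.getvalue()

    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("readme.txt", "nothing to see")
    plain_zip = plain.getvalue()

    real_mp4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16  # minimal ftyp box header
    return {
        "funny_cat.mp4": fake_video,   # package renamed to look like a video
        "holiday.mp4": real_mp4,
        "docs.zip": plain_zip,
        "update.apk": fake_video,
    }


def scan_samples() -> Dict[str, str]:
    return {name: classify_attachment(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16s} {verdict}")
```

Only `funny_cat.mp4` comes back as `apk-masquerading-as-video`; the honest `update.apk` is reported as a package and the real MP4 passes. The check is cheap enough to run on every inbound attachment, and it generalizes to any "document that is really an archive" lure by swapping the marker-entry set.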

Buggy LangChain Gen AI

Palo Alto Networks discovered two vulnerabilities in the popular open source generative AI framework LangChain, which is widely used in app development and has over 81,000 stars on GitHub. The vulnerabilities, CVE-2023-46229 and CVE-2023-44467, could have allowed attackers to execute arbitrary code and access sensitive data. LangChain has since issued patches to address these issues.

Top Scams Reported in the Last 24 Hours

Cybercriminals capitalize on CrowdStrike outage

The recent glitchy update from CrowdStrike has led to cybercriminals exploiting the situation by distributing malware disguised as fixes and updates. Phishing emails impersonating CrowdStrike have been used to distribute data wipers and remote access tools, impacting millions of Windows hosts globally. The malware campaigns targeted businesses and even a bank's customers, leading to significant disruptions in various sectors. CrowdStrike and government agencies have warned about the increase in phishing attempts and advised organizations to verify communication through official channels.
