Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 26, 2024
Threat actors have once again taken to the gaming platform Steam to actively distribute the LummaC2 info-stealer. Armed with evolved execution methods, the malware has been pilfering information from a wide range of programs.
Simultaneously, attackers have seized upon unpatched vulnerabilities in ServiceNow, exploiting flaws including a critical RCE bug to steal credentials from government agencies and private enterprises. Nearly 300,000 internet-exposed instances of ServiceNow remain vulnerable to exploitation.
Adding to the digital mayhem, CrowdStrike has identified a sophisticated spear-phishing campaign leveraging a fake CrowdStrike Crash Reporter installer. This devious ploy impersonated a German entity, deploying a malicious InnoSetup installer via a cleverly crafted URL.
LummaC2 malware abuses Steam
The LummaC2 info-stealer is being actively distributed via SEO poisoning, search engine ads, and various platforms like Steam, posing as illegal programs and legitimate software installers. It has evolved in its execution methods, including using a DLL side-loading technique and abusing legitimate platforms like Steam to acquire C2 domains. The malware targets a wide range of programs for data theft, including crypto wallets, browsers, FTP clients, VPN programs, and more.
Belarusian hackers target Ukrainian orgs
A Belarusian state-sponsored hacker group known as GhostWriter targeted Ukrainian organizations and local government agencies with PicassoLoader malware. The group used phishing emails related to USAID's Hoverla project to infect victims and is suspected of being involved in cyber espionage, particularly focusing on Ukraine's financial, economic, and governance indicators. GhostWriter has a history of targeting Ukrainian entities, as well as allies of Kyiv such as Lithuania, Latvia, and Poland.
Andariel targets U.S. critical infrastructure
The FBI, CISA, the NSA, and others published a joint advisory warning of cyberattacks on critical U.S. infrastructure by the North Korean Andariel group. The group, also tracked as Silent Chollima, Onyx Sleet, and Stonefly, is primarily targeting defense, aerospace, nuclear, and engineering organizations in the U.S., Japan, South Korea, and India. It is using ransomware attacks on U.S. healthcare entities to fund the campaign. The information that Andariel is pursuing includes data on heavy and light tanks, fighter aircraft, missiles, missile defense systems, and more.
Critical ServiceNow RCE bug exploited
Threat actors are exploiting unpatched ServiceNow flaws, including a critical RCE vulnerability, to steal credentials from government agencies and private firms. The exploitation of these flaws, which ServiceNow patched on July 10, 2024, has been observed for at least a week, according to Resecurity. The flaws, CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217, can be chained together for full database access, and attackers are using readily available exploits and network scanners to target the nearly 300,000 internet-exposed instances of ServiceNow.
Cryptomining campaign targets Selenium Grid Services
Wiz warned about an ongoing campaign that exploits internet-exposed Selenium Grid services for illicit cryptocurrency mining. The campaign, called SeleniumGreed, has been active since at least April 2023 and targets older versions of Selenium (3.141.59 and prior). The threat actors target publicly exposed instances of Selenium Grid, making use of the WebDriver API to run Python code responsible for downloading and running an XMRig miner. Researchers identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to fix misconfigurations.
BIND security updates released
The ISC released security updates for its DNS software suite BIND to address four high-severity vulnerabilities—CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, and CVE-2024-4076—that could be exploited for DoS attacks. These vulnerabilities could cause the server to become unstable, slow down database processing, exhaust CPU resources, and result in assertion failures, potentially leading to unresponsiveness or termination of the BIND server. The updates are available in BIND versions 9.18.28 and 9.20.0.
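The Selenium Grid and BIND items above both reduce to a version threshold: Selenium Grid 3.141.59 and earlier is in scope for SeleniumGreed, and the four BIND CVEs are fixed in 9.18.28 and 9.20.0. The Python below is an added illustration, not code from Cyware, Wiz, or ISC; it turns those two thresholds into a fleet triage check over an inventory export. The asset records, host names and field names are constructed assumptions, and the rule that a non-9.18 BIND release is compared against 9.20.0 is an assumption of this example, not a statement from the ISC advisory.

```python
"""Version-exposure triage for the Selenium Grid and BIND items in the briefing.

Added example (not the page's, Wiz's or ISC's code). It compares a version
string observed on an asset against the thresholds stated in the briefing:
  - Selenium Grid: 3.141.59 and earlier are in scope for SeleniumGreed.
  - BIND: CVE-2024-0760/1737/1975/4076 are fixed in 9.18.28 and 9.20.0.
The inventory records below are constructed sample data; the field names are
an assumption, not any real tool's export format.
"""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Return the leading dotted-numeric part of a version string as a tuple.

    '9.18.27-1~deb12u1' -> (9, 18, 27); 'v3.141.59' -> (3, 141, 59).
    Raises ValueError when no numeric version is present.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def selenium_grid_at_risk(version: str) -> bool:
    """True for Selenium Grid 3.141.59 and older (the versions Wiz names)."""
    return parse_version(version) <= (3, 141, 59)


def bind_needs_update(version: str) -> bool:
    """True if a BIND version predates the fixes shipped in 9.18.28 / 9.20.0.

    Assumption of this example: releases on the 9.18 branch are compared
    against 9.18.28, every other release against 9.20.0.
    """
    v = parse_version(version)
    if v[:2] == (9, 18):
        return v < (9, 18, 28)
    return v < (9, 20, 0)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str          # "selenium-grid" or "bind" (constructed labels)
    version: str
    internet_exposed: bool


CHECKS = {
    "selenium-grid": selenium_grid_at_risk,
    "bind": bind_needs_update,
}


def triage(assets: list[Asset]) -> list[tuple[str, str, str]]:
    """Return (host, product, reason) for every asset that needs attention.

    An internet-exposed Selenium Grid is flagged even when up to date, because
    the campaign depends on the service being reachable at all; the briefing's
    remediation is to fix that exposure, not only to upgrade.
    """
    findings = []
    for a in assets:
        check = CHECKS.get(a.product)
        if check is None:
            continue  # product not covered by these two advisories
        if check(a.version):
            findings.append((a.host, a.product, f"vulnerable version {a.version}"))
        elif a.product == "selenium-grid" and a.internet_exposed:
            findings.append((a.host, a.product, "Selenium Grid reachable from the internet"))
    return findings


# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE_ASSETS = [
    Asset("grid-01.example.internal", "selenium-grid", "3.141.59", True),
    Asset("grid-02.example.internal", "selenium-grid", "4.22.0", True),
    Asset("grid-03.example.internal", "selenium-grid", "4.22.0", False),
    Asset("ns1.example.internal", "bind", "9.18.27-1~deb12u1", True),
    Asset("ns2.example.internal", "bind", "9.18.28", True),
    Asset("ns3.example.internal", "bind", "9.20.0", True),
    Asset("ns4.example.internal", "bind", "9.16.50", False),
]

if __name__ == "__main__":
    for host, product, reason in triage(SAMPLE_ASSETS):
        print(f"{host:28} {product:14} {reason}")
```

Run as-is, the script reports four findings: the two out-of-date hosts (grid-01 and ns1), the exposed but current grid-02, and ns4, whose 9.16 release falls below 9.20.0 under the branch assumption. Distribution package strings such as `9.18.27-1~deb12u1` are handled by taking only the leading dotted-numeric part, which is the right comparison key for upstream release thresholds but ignores vendor backports, so treat a flagged host as a candidate to verify against the vendor's changelog rather than a confirmed finding.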
New phishing scam targets German customers
CrowdStrike identified a targeted spear-phishing attempt using a fake CrowdStrike Crash Reporter installer. The spear-phishing page impersonated a German entity and delivered a malicious InnoSetup installer via a URL. The website hosting the page was likely created shortly after a specific issue with CrowdStrike’s Falcon sensor was identified. The installer, masquerading as a legitimate CrowdStrike tool, was password-protected and included German language prompts.