Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Jul 27, 2020

The Federal Bureau of Investigation (FBI) has raised an alarm about Distributed-Denial-of-Service (DDoS) attacks. The threat actors have added three new network protocols and a web application to amplify such attacks. The three new attack vectors are CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software.

A major source code leak incident that arose due to misconfigured repositories has also come to the light in the last 24 hours. The affected companies include Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox, Disney, and Johnson Controls.

Top Breaches Reported in the Last 24 Hours

Dave security breach

The digital banking app, Dave, disclosed a security breach after a hacker published the details of over 7 million users on a public forum. The incident originated on the network of a former business partner, Waydev. As a preventive measure, the company has plugged the hacker’s point of entry and is in the process of notifying its customers. It has also reset passwords of all the accounts.

Source code leaked

Source code from exposed repositories of dozen of companies is publicly available as a result of a misconfiguration issue. The affected companies include big names such as Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon, Mediatek, GE Appliances, Nintendo, Roblox, Disney, and Johnson Controls

Top Vulnerabilities Reported in the Last 24 Hours

Kubernetes flaw fixed

A security issue found in the Kube-proxy, a networking component running on Kubernetes nodes, has been fixed recently. The flaw assigned CVE-2020-8558 exposed internal services of Kubernetes nodes, often run without authentication. This can allow an unauthorized attacker to gain complete control over the cluster and later deploy crypto miners.

New DDoS attack vectors

The FBI has sent an alert warning about the discovery of new network protocols that have been used to launch large scale DDoS attacks. The three new attack vectors are CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software as well.

Top Scams Reported in the Last 24 Hours

Tax scam

Scammers are using COVID-19 as a lure in yet another phishing scam that promises the recipient a government-funded tax cut. The email appears to come from the ‘Government Digital Service Team’ and claims to offer a rebate of nearly £400. Users should be wary of such emails and double check the source address of the sender to stay safe. They should also carefully examine the body of the email in order to find typos and errors.

Related Threat Briefings

Feb 19, 2025

Cyware Daily Threat Intelligence, February 19, 2025

Cybercriminals are luring victims with the promise of free software but the price is your data. ASEC has observed a surge in ACRStealer infections, often disguised as cracks and keygens. The malware uses a Dead Drop Resolver technique, hiding its C2 infrastructure within Google Docs. It targets browser data, cryptocurrency wallets, and VPN credentials, feeding stolen information back to its operators. Firefox and Thunderbird users, update now. CERT-In has flagged multiple high-severity vulnerabilities in Mozilla products, which could allow attackers to spoof identities, steal sensitive data, or cause DoS attacks. Users are urged to upgrade immediately to patch these flaws before threat actors exploit them. Snake Keylogger isn’t going away - it’s evolving. Researchers uncovered a new, more advanced version that has already triggered 280 million blocked infection attempts globally. This info-stealer thrives on phishing emails, using AutoIt scripting to evade antivirus detection and harvesting credentials from popular browsers.

Feb 18, 2025

Cyware Daily Threat Intelligence, February 18, 2025

Earth Preta is stepping up its game. Trend Micro uncovered a new campaign where attackers use the Microsoft Application Virtualization Injector to sneak malicious payloads. The malware masquerades as an Electronic Arts application, deploying a backdoor to exfiltrate data. Proofpoint identified FrigidStealer, a fresh macOS malware spread by TA2727, an unknown but sophisticated threat actor. The campaign tricks users into bypassing Gatekeeper protections, allowing FrigidStealer to quietly siphon browser data, Apple Notes, and cryptocurrency credentials. With attackers refining their approach to slip past Apple’s defenses, even a cautious click could prove costly. Search results aren't what they seem. CloudSEK exposed a large-scale Search Engine Poisoning campaign targeting over 150 Indian government, educational, and financial websites. Attackers manipulate search rankings to redirect users to fraudulent rummy and investment scams. Mobile users are sent to scam pages, while desktop users see error messages.

Feb 17, 2025

Cyware Daily Threat Intelligence, February 17, 2025

XCSSET is back with a vengeance. Microsoft uncovered a new variant of the macOS-targeting malware, now with better obfuscation, stronger persistence, and stealthier infection methods. This version randomly generates payloads to dodge detection, injects itself into Xcode projects, and still goes after digital wallets, Notes app data, and system files. SonicWall and Palo Alto Networks customers have an urgent patching assignment. SonicWall’s authentication bypass bug lets attackers sidestep security in SonicOS. Meanwhile, Palo Alto’s PAN-OS vulnerability allows unauthenticated access to management interfaces. While no major exploits have been reported, researchers have already spotted attempts. Patch now, before attackers make these vulnerabilities their next playground. Russian hackers are getting creative with Microsoft 365 phishing. Since mid-January, three distinct groups have been impersonating high-profile officials, luring victims into fake Teams meetings and chatrooms. These attacks exploit Device Code Authentication, granting attackers stealthy access to compromised accounts.

Feb 14, 2025

Cyware Daily Threat Intelligence, February 14, 2025

Astaroth is rewriting the phishing playbook, bypassing 2FA and intercepting credentials in real time. Acting as a reverse proxy, this phishing kit manipulates traffic to services like Gmail and Microsoft, stealing login details and authentication tokens mid-session. Chinese state-backed hackers have set their sights on unpatched Cisco network devices, targeting global telecom giants. RedMike exploited two Cisco vulnerabilities to compromise over 1,000 devices. Their focus? Telecom networks and universities across Argentina, Bangladesh, and the U.S. Cybercriminals are turning Webflow’s trusted CDN into a phishing trap. A new campaign lures victims with fake PDF files that rank high in search results, tricking them into clicking CAPTCHA images that lead to phishing sites.

Feb 13, 2025

Cyware Daily Threat Intelligence, February 13, 2025

Cybercriminals aren’t just after your data, they want full control of your device, and they’re getting better at it. The new BTMOB RAT is spreading through phishing sites disguised as streaming services and crypto platforms. This upgraded version of SpySolr RAT goes beyond basic spying and leverages Android’s Accessibility Service. Hackers never forget old exploits. Attackers are ramping up efforts to exploit vulnerabilities from 2022 and 2023, targeting unpatched ThinkPHP and ownCloud systems. Researchers have tracked nearly 600 unique IPs abusing these flaws, proving that even years-old vulnerabilities remain dangerous if left unresolved. Kimsuky is turning fake error messages into a weapon. Inspired by ClickFix campaigns, the North Korean APT has been pushing info-stealers through deceptive pop-ups, tricking victims into running malicious PowerShell commands. Masquerading as a South Korean official, the group lures targets into downloading malware under the guise of document registration.

Feb 12, 2025

Cyware Daily Threat Intelligence, February 12, 2025

Pirated software isn’t just a bargain, it’s a backdoor. Russian hackers are using fake KMS activators and bogus Windows updates to slip malware onto unsuspecting systems in Ukraine. By disguising malware as KMS activators and bogus updates, they deploy DarkCrystal RAT, turning routine software installations into a Trojan horse for cyber-espionage. Microsoft’s February Patch Tuesday is here. This month’s update tackles 55 security flaws, including four zero-days - two of which are actively exploited. Among the most critical fixes are three RCE vulnerabilities, reinforcing why timely patching isn’t just recommended, it’s essential. Romance scams aren’t new, but cybercriminals are getting bolder just in time for Valentine’s Day. A phishing campaign disguised as a Valentine basket giveaway has been circulating, tricking victims into handing over personal data. Researchers found tens of thousands of newly registered Valentine-themed websites in January alone, with 1 in 72 flagged as malicious.

Feb 11, 2025

Cyware Daily Threat Intelligence, February 11, 2025

Hackers are widening their attack surface, and Linux is now in their crosshairs. A new variant of the SystemBC RAT has emerged, stealthily infiltrating Linux environments. Given its history of pairing with ransomware, this development signals a growing threat to corporate systems and cloud infrastructures. Physical access shouldn’t mean instant compromise, but for iPhones and iPads, it briefly did. Apple has rushed to patch a flaw that allowed attackers to disable USB Restricted Mode on locked devices. Designed to prevent unauthorized access, this feature was rendered useless by the vulnerability. Thousands of firewalls meant to protect businesses are instead exposing them to serious risks. Over 12,000 GFI KerioControl firewalls remain unpatched against a critical remote code execution flaw. Despite a fix being available since December, many instances are still vulnerable.

Feb 10, 2025

Cyware Daily Threat Intelligence, February 10, 2025

Cybercriminals are finding new ways to poison the AI supply chain. Researchers uncovered two malicious ML models on Hugging Face, where attackers used corrupted pickle files to smuggle Python malware. This novel technique, dubbed nullifAI, aimed to bypass security scans and establish a backdoor. In another case of SEO manipulation, threat actors hijacked IIS servers in Asia, injecting BadIIS malware to manipulate search results and drive unsuspecting users to illegal gambling sites. Government and university servers in Asian countries were among those exploited. Researchers linked the campaign to DragonRank, a Chinese-speaking group. Patching delays could turn into a disaster. CISA warned that a vulnerability in Trimble Cityworks GIS software is being actively exploited for remote code execution. Even though patches were released, attackers continued taking advantage of unpatched systems, prompting its urgent addition to the KEV catalog.

Feb 7, 2025

Cyware Daily Threat Intelligence, February 07, 2025

North Korean hackers are refining their phishing playbook, now using the forceCopy malware to hijack credentials. The Kimsuky hacking group is targeting victims with deceptive emails containing Windows shortcut files disguised as Microsoft Office or PDF documents. The attack also involves the usage of additional malware. CISA has added critical vulnerabilities to its KEV catalog, signaling an urgent need for patching. The list includes flaws in Microsoft Outlook and Sophos XG Firewall, both carrying a CVSS score of 9.8. Federal agencies have until February 27 to patch these. A long-standing Chinese cyber-espionage group, GreenSpot APT, is running a phishing campaign that preys on users of the popular Chinese email service 163[.]com. The group, which has been active since 2007, has registered fake domains to steal login credentials from government and military personnel

Feb 6, 2025

Cyware Daily Threat Intelligence, February 06, 2025

Cybercriminals are getting more sophisticated, turning search engines into traps. A fake Google ad for Cisco AnyConnect led unsuspecting users to a counterfeit website, mimicking a German university to evade security filters. The fraudulent site redirected victims to a spoofed Cisco download page, pushing NetSupport RAT as the legitimate AnyConnect installer. Russian organizations are under fire as attackers distribute NOVA stealer, a new variant of SnakeLogger, through phishing emails. Advertised on underground forums as MaaS for as little as $50 per month, NOVA is designed for credential theft, keylogging, and clipboard data extraction. Cisco has patched two critical vulnerabilities in its Identity Services Engine, which could allow remote attackers to execute commands and manipulate system configurations. Exploited through specially crafted API requests, these flaws pose significant risks for enterprises using ISE for authentication and network control.

Feb 5, 2025

Cyware Daily Threat Intelligence, February 05, 2025

North Korean hackers are turning fake job interviews into a gateway for cyber espionage. SentinelOne identified new variants of the macOS malware FlexibleFerret, used in the Contagious Interview operation to lure targets with fake job interviews. Victims are tricked into downloading malicious software disguised as virtual meeting tools, allowing attackers to gain control over their systems. Cyberespionage groups are shifting their sights to the backbone of enterprise networks. A newly discovered malware, linked to the DaggerFly APT group, is targeting Linux-based network devices instead of standard endpoints. By hijacking SSH connections and replacing system binaries, the malware ensures long-term persistence while silently extracting sensitive data. A security flaw in AMD processors has raised concerns over hardware-based attacks. This bug could allow attackers with admin access to load malicious microcode, potentially undermining system integrity. This exploit underscores the growing risks of hardware security gaps, where even minor weaknesses can have major consequences.

Feb 4, 2025

Cyware Daily Threat Intelligence, February 04, 2025

Cybercriminals are finding new ways to weaponize everyday tools, and this time, they’re using TryCloudflare to hide their tracks. Researchers uncovered a phishing campaign that stealthily delivers AsyncRAT via Python scripting and cloud tunnels. The attack starts with a Dropbox link leading to a maze of scripts that ultimately drop a harmful payload. Even AI developers aren’t safe from deception. Threat actors have infiltrated PyPI with two malicious packages disguised as legitimate tools for DeepSeek. These fraudulent packages steal sensitive data, from user credentials to API keys, proving once again that trust in open-source repositories can be a double-edged sword. One small vulnerability, one massive risk. Russian cybercriminals exploited a zero-day in 7-Zip to deliver SmokeLoader in attacks on Ukrainian entities. By bypassing Windows Mark-of-the-Web protections, the attackers tricked victims into executing malware-laden files.