Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 28, 2023
Organizations in Europe remain a hotbed for cyberattacks. In the last 24 hours, a new GraphicalProton malware attack campaign, targeting diplomatic entities in Eastern Europe, has come to the notice of researchers. The campaign has been attributed to a Russian threat actor BlueBravo (aka APT29).
The cyber landscape also witnessed the emergence of two new Android malware families, CherryBlos and FakeTrade, which were used in cryptocurrency-mining and financially-motivated scam campaigns. In a separate incident, the new Predasus malware was found targeting Latin America with the aim of stealing victims' personal and financial information.
Lazarus suspected behind CoinsPaid cyberattack
Cryptocurrency payments service provider CoinsPaid blamed Lazarus for a recent cyberattack that resulted in the theft of $37.3 million in cryptocurrency from its platform. It is now working with Estonian law enforcement agencies and several blockchain security firms to minimize the impact of the attack that occurred on July 22.
Breached forum’s database on sale
Have I Been Pwned disclosed that the Breached cybercrime forum's database is up for sale. The database contains 212,000 records, including usernames, email addresses, private messages between site members, and passwords stored as argon2 hashes. The database is being sold at a price between $100,000 and $150,000.
Top Malware Reported in the Last 24 Hours
New GraphicalProton malware spotted
A new backdoor called GraphicalProton was used against diplomatic entities in Eastern Europe in a campaign launched between March and May. The campaign, which was attributed to the Russian nation-state actor BlueBravo (aka APT29, Cozy Bear), uses Microsoft OneDrive or Dropbox for C2 communication. The new malware serves as a loader and is spread via ISO or ZIP files through phishing emails.
New Android malware discovered
Two new related Android malware families—CherryBlos and FakeTrade—were found to be used in cryptocurrency-mining and financially-motivated scam campaigns. While CherryBlos was distributed via fraudulent services on popular social media platforms, FakeTrade leveraged fake money-earning apps for propagation.
New Predasus malware
Several malicious extensions are being used to infect organizations in Latin America with a new malware dubbed Predasus. The targeted organizations include financial institutions, booking sites, and instant messaging services. The malware is designed to steal users' sensitive financial and personal details.
Zimbra releases patches for XSS flaw
Two weeks after the initial disclosure, Zimbra has now released security updates for a reflected cross-site scripting vulnerability affecting its Collaboration Suite email servers. The flaw is tracked as CVE-2023-38750 and can allow threat actors to steal sensitive information or execute malicious code on vulnerable systems. The flaw has been patched with the release of ZCS 10.0.2.
400,000 WordPress sites at risk
Around 400,000 WordPress sites are vulnerable to three flaws found in the Ninja Forms plugin. The flaws, tracked as CVE-2023-37979, CVE-2023-38393, and CVE-2023-38386, have been fixed in the latest version 3.6.26 of the plugin. They can allow attackers to escalate privileges and steal user data.