Cyware Daily Threat Intelligence

Daily Threat Briefing Jun 3, 2024

New threats keep surfacing. The North Korean state-sponsored Andariel APT group has been found targeting a range of South Korean organizations with new malware, including a backdoor named Dora RAT, which is only one of several tools the campaign deploys.

Elsewhere, another WordPress plugin has a critical bug: a SQL injection vulnerability in wpDataTables affects all versions up to and including 6.3.1. Meanwhile, the immensely popular shopping app Shein is being impersonated, with over 1,000 phishing emails using its name to lure users with fake "mystery box" offers and harvest their credentials.

Top Malware Reported in the Last 24 Hours

Andariel APT targets Korean firms

The Andariel APT group, part of the larger Lazarus umbrella, has been conducting attacks on South Korean organizations, including corporations, educational institutions, and companies in the manufacturing and construction sectors. The malware used in the attacks includes the Nestdoor backdoor, the Dora RAT, keyloggers, infostealers, and proxy tools. The group has shifted from targeting national security information to pursuing financial gains, and its attack methodologies include spear phishing, watering hole attacks, and exploiting software vulnerabilities.

Top Vulnerabilities Reported in the Last 24 Hours

Bugs in Cox Modems

Researcher Sam Curry examined how Cox support agents can remotely manage customer modems over the TR-069 protocol, including changing Wi-Fi passwords and viewing connected devices. Analysis of the backend behind that capability identified about 700 exposed API endpoints, some of which could be abused to reach administrative functionality and run unauthorized commands by exploiting authorization flaws, in some cases simply by replaying the same HTTP request repeatedly. Cox has addressed the issue.

Critical vulnerability in wpDataTables

A critical vulnerability (CVE-2024-3820) has been discovered in the popular WordPress plugin wpDataTables, affecting all versions of the plugin up to and including 6.3.1. It allows attackers to perform SQL injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action. The flaw stems from insufficient escaping of the user-supplied parameter and a lack of proper preparation of the existing SQL query, so attacker-controlled input reaches the database unmodified.
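As an added illustration of the bug class described above (this is not wpDataTables code and not from the advisory): a request parameter that names the key column is interpolated straight into a DELETE statement, reproduced in Python against a constructed SQLite table, beside a hardened version. It assumes that id_key is used as a column name, as its name suggests; the plugin's real query, schema and allowlist are not reproduced here. The practitioner point is that identifiers cannot be bound as placeholders by a prepare() call, so an allowlist check on the column name is needed in addition to binding the value.

```python
import sqlite3

# Constructed allowlist of columns a caller may name as the key column (assumption
# for this demo; wpDataTables' own handling is not reproduced here).
ALLOWED_ID_COLUMNS = {"id", "row_key"}


def make_db():
    """Constructed in-memory table; 'wdt_rows' is a stand-in name, not the plugin's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wdt_rows (id INTEGER PRIMARY KEY, row_key TEXT, payload TEXT)"
    )
    conn.executemany(
        "INSERT INTO wdt_rows (id, row_key, payload) VALUES (?, ?, ?)",
        [(1, "k1", "first"), (2, "k2", "second"), (3, "k3", "third")],
    )
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows left in the table; used to observe what a delete did."""
    return conn.execute("SELECT COUNT(*) FROM wdt_rows").fetchone()[0]


def delete_row_vulnerable(conn, id_key, row_id):
    """Both request parameters are dropped into the statement text: neither escaping
    nor a prepared statement stands between the caller and the database.
    Returns the row count after the delete."""
    sql = f"DELETE FROM wdt_rows WHERE {id_key} = '{row_id}'"
    conn.execute(sql)
    conn.commit()
    return row_count(conn)


def delete_row_hardened(conn, id_key, row_id):
    """A placeholder cannot carry an identifier, so the column name is checked
    against an allowlist and quoted, while the value is bound with '?'.
    Returns the row count after the delete."""
    if id_key not in ALLOWED_ID_COLUMNS:
        raise ValueError(f"refusing unexpected key column {id_key!r}")
    sql = f'DELETE FROM wdt_rows WHERE "{id_key}" = ?'
    conn.execute(sql, (row_id,))
    conn.commit()
    return row_count(conn)


def demo():
    """Runs the legitimate and the injected call against each variant.
    Returns (vulnerable legit, vulnerable injected, hardened legit, hardened injected)."""
    vuln_legit = delete_row_vulnerable(make_db(), "id", "2")
    # Constructed payload: the predicate becomes  WHERE 1=1 OR id = '2'  and
    # the single-row delete wipes the whole table.
    vuln_injected = delete_row_vulnerable(make_db(), "1=1 OR id", "2")
    hard_legit = delete_row_hardened(make_db(), "id", "2")
    conn = make_db()
    try:
        delete_row_hardened(conn, "1=1 OR id", "2")
    except ValueError:
        pass  # allowlist rejected the payload; table untouched
    hard_injected = row_count(conn)
    return vuln_legit, vuln_injected, hard_legit, hard_injected


if __name__ == "__main__":
    print(demo())
```

The same allowlist-plus-binding split applies to WordPress code using $wpdb->prepare(): %s and %d placeholders protect values, but a column or table name still has to be validated against a fixed set before it is concatenated into the query.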

Unveiling LilacSquid APT group

Cisco Talos discovered a new suspected data theft campaign, active since at least 2021, attributed to the LilacSquid APT group. The group has targeted a diverse set of victims in the information technology, energy, and pharmaceutical sectors across the U.S., Asia, and Europe. LilacSquid uses a variety of initial access techniques, including exploiting vulnerabilities and using compromised RDP credentials. When using compromised RDP credentials, LilacSquid deploys the InkLoader malware loader, which then executes the PurpleInk implant - a customized Quasar RAT variant.

Top Scams Reported in the Last 24 Hours

New V3B phishing kit steals OTPs

The new V3B phishing kit is targeting European banking users, stealing their login credentials and OTPs through social engineering and customized templates that mimic online banking and e-commerce sites. The kit can prompt victims for QR codes, a new twist on QR code phishing, and supports PhotoTAN and Smart ID, authentication methods widely used in mobile banking, to steer the victim's actions during the session.

Credential harvesting scam spoofs Shein

Researchers from Harmony Email identified over 1,000 fraudulent emails in the past month that impersonated the popular shopping app Shein in an attempt to steal user credentials. The emails carry subject lines such as "Order Verification SHEIN" and claim to come from Shein customer service. They prey on users' excitement by claiming the recipient has won a "mystery box" from Shein, to trick them into clicking the malicious link.