Cyware Daily Threat Intelligence

Daily Threat Briefing • Jun 6, 2024
Researchers forecasted a stormy cyber climate with the discovery of a new ransomware variant, aptly named Fog, sweeping through U.S. organizations in the education and recreation sectors. Unlike double-extortion ransomware, Fog skips data exfiltration and concentrates on encrypting VM storage as quickly as possible for a fast payout, leaving victims in a thick, ominous haze.
The Muhstik malware is making headlines for exploiting a known RCE bug (CVE-2023-33246) in Apache RocketMQ versions 5.1.0 and earlier. With over 5,200 RocketMQ instances exposed online, the attack surface for Muhstik's cryptomining and DDoS operations remains wide.
A Chinese research team has peeled back the layers of RISC-V processors to reveal a severe design flaw that lets attackers sidestep processor security protections without administrative rights. The flaw opens the door to theft of sensitive data and privacy breaches.
Foggy with a chance of ransomware
Arctic Wolf Labs discovered a new ransomware variant called Fog that has targeted organizations in the U.S., primarily in the education and recreation sectors. Threat actors gained initial access with compromised VPN credentials, then used pass-the-hash, credential stuffing, and PsExec to move laterally before encrypting data. The ransomware payload itself uses common techniques; what stands out is that the operators focused on rapid encryption of VM storage rather than data exfiltration, suggesting a purely financially motivated operation against the education sector. Because initial access relied on valid VPN credentials, MFA on remote access and alerting on PsExec service installs and NTLM logon fan-out are the practical controls here.
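The two lateral-movement behaviours described above (pass-the-hash or credential-stuffing style NTLM logons, and PsExec) leave recognizable traces on the target hosts: Security event 4624 with LogonType 3 and the NTLM authentication package, and System event 7045 recording the PSEXESVC service install. The following is an added example, not Arctic Wolf's tooling, that runs two simple hunts over a constructed set of forwarded events; the field names follow the Windows EventData names, the hostnames, IPs, thresholds and timestamps are made up.

```python
"""Hunt for Fog-style lateral movement over a small constructed event set.

Added example, not code from Arctic Wolf or the Fog operators. Events are
hand-constructed dicts that mimic Windows Security/System EventData after
log forwarding; hosts, IPs and times are not real telemetry.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    # One source IP performing NTLM network logons to several hosts within
    # a minute: the target-side view of pass-the-hash or credential stuffing.
    {"EventID": 4624, "Host": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "Time": 1000},
    {"EventID": 4624, "Host": "ESX-MGMT", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "Time": 1030},
    {"EventID": 4624, "Host": "DC01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "Time": 1060},
    # Kerberos network logon from a normal user: benign, must not be flagged.
    {"EventID": 4624, "Host": "FS01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "IpAddress": "10.0.9.4", "Time": 1100},
    # PsExec drops and installs its service on the target (System log 7045).
    {"EventID": 7045, "Host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Time": 1200},
    # Legitimate service install that must not be flagged.
    {"EventID": 7045, "Host": "FS01", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\"",
     "Time": 1300},
]


def ntlm_fanout(events, min_hosts=3, window=300):
    """Return {(source_ip, user): sorted target hosts} for every source that
    made NTLM network logons (4624, LogonType 3) to at least `min_hosts`
    distinct hosts within `window` seconds.

    NTLM alone is too common to alert on; the fan-out from a single source
    to many hosts in a short window is what pass-the-hash and credential
    stuffing look like from the targets' side. Tune min_hosts/window to the
    environment (assumed values here).
    """
    by_source = defaultdict(list)
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName") == "NTLM"):
            by_source[(e["IpAddress"], e["TargetUserName"])].append((e["Time"], e["Host"]))

    hits = {}
    for key, logons in by_source.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


def psexec_installs(events):
    """Return [(host, service_name)] for 7045 service installs whose name or
    image path references PSEXESVC. PsExec can be told to rename the service,
    so treat this as a high-confidence but incomplete signal and pair it with
    the logon fan-out above."""
    found = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        name = e.get("ServiceName", "")
        path = e.get("ImagePath", "")
        if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
            found.append((e["Host"], name))
    return found


if __name__ == "__main__":
    for (src, user), hosts in ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"NTLM fan-out from {src} as {user} -> {', '.join(hosts)}")
    for host, svc in psexec_installs(SAMPLE_EVENTS):
        print(f"PsExec service install on {host}: {svc}")
```

Run on real data, the NTLM rule should be joined with the source host's own logon events (a LogonType 9 logon with the seclogo logon process on the source is the classic local pass-the-hash artefact) and with VPN session logs, since Fog's operators arrived through the VPN.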
New Muhstik malware campaign
Aqua Security discovered a new Muhstik malware campaign exploiting a known remote code execution vulnerability (CVE-2023-33246) in Apache RocketMQ versions 5.1.0 and below to gain initial access to exposed instances. Once in, the attackers download and execute the Muhstik payload, which establishes persistence, evades detection, and is used for cryptocurrency mining and DDoS attacks. Analysis shows more than 5,200 vulnerable RocketMQ instances exposed on the internet. The fix has been available since 2023: upgrade to 5.1.1 or later on the 5.x line, or 4.9.6 or later on the 4.x line, and keep the NameServer and Broker ports off the internet.
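With thousands of instances still exposed, the first job is a version triage of your own RocketMQ inventory against the fixed releases (5.1.1 for 5.x, 4.9.6 for 4.x). The following is an added example, not Aqua's or Apache's code: it takes a constructed inventory of host, port and version strings (the hosts are invented; 9876 and 10911 are the default NameServer and Broker ports) and returns the instances that still fall within "5.1.0 and below" together with the release to move to.

```python
"""Triage a RocketMQ inventory against CVE-2023-33246 fixed versions.

Added example, not from Aqua Security or the Apache RocketMQ project.
The inventory below is constructed; hosts and versions are made up.
Fixed releases (from the Apache advisory): 5.1.1 for 5.x, 4.9.6 for 4.x.
"""
import re

FIXED_5X = (5, 1, 1)
FIXED_4X = (4, 9, 6)
LAST_AFFECTED = (5, 1, 0)   # advisory wording: "5.1.0 and below"

# Constructed inventory: (host, port, version string as reported by your
# asset scan). 9876 is the default NameServer port, 10911 the default Broker port.
INVENTORY = [
    ("10.1.2.3", 10911, "5.1.0"),
    ("10.1.2.4", 9876, "4.9.4"),
    ("10.1.2.5", 10911, "5.1.2"),
    ("10.1.2.6", 9876, "4.9.6"),
    ("10.1.2.7", 10911, "rocketmq-4.8.0"),
    ("10.1.2.8", 9876, "unknown"),
]


def parse_version(text):
    """Pull an X.Y.Z triple out of a version string; None if there is none."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version is within the advisory's affected range.

    Everything at or below 5.1.0 is affected unless it is a 4.x release that
    already carries the backported fix (4.9.6 or later). Returns None when the
    version cannot be parsed, so the caller can treat it as 'verify manually'.
    """
    v = parse_version(version)
    if v is None:
        return None
    if v > LAST_AFFECTED:
        return False
    if v[0] == 4 and v >= FIXED_4X:
        return False
    return True


def upgrade_target(version):
    """Release to move to: stay on the 4.x line if that is what is deployed."""
    v = parse_version(version)
    if v and v[0] == 4:
        return "%d.%d.%d" % FIXED_4X
    return "%d.%d.%d" % FIXED_5X


def triage(inventory):
    """Return [(host, port, version, upgrade_to)] for affected instances and
    a separate list of instances whose version could not be determined."""
    affected, unknown = [], []
    for host, port, version in inventory:
        verdict = is_affected(version)
        if verdict is None:
            unknown.append((host, port, version))
        elif verdict:
            affected.append((host, port, version, upgrade_target(version)))
    return affected, unknown


if __name__ == "__main__":
    hits, unverified = triage(INVENTORY)
    for host, port, version, target in hits:
        print(f"{host}:{port} runs {version}: upgrade to {target}")
    for host, port, version in unverified:
        print(f"{host}:{port} version '{version}' not parseable: check by hand")
```

Version strings alone do not prove a host is unreachable from the internet, so pair the triage with your external exposure scan; an affected instance that answers on 9876 or 10911 from outside is the population Muhstik is working through.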
Lumma info-stealer targets Python devs
A counterfeit package named 'crytic-compilers' was uploaded to PyPI, impersonating crytic-compile, a legitimate Python library used by cryptocurrency and smart-contract developers. The malicious package was downloaded 436 times before PyPI removed it. To avoid suspicion, it matched its version numbers to the legitimate library's and attempted to install the real library alongside itself, while delivering the Russia-linked Lumma information stealer.
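The trick here is a one-character name difference plus matching version numbers, which is exactly what a pre-install name check can catch. The following is an added example, not from PyPI or the researchers who reported the package: it normalizes names the way the package index does (case-insensitive, runs of `-`, `_` and `.` collapsed to `-`), compares requested names against an allowlist of packages your team actually uses, and flags near misses. The allowlist and requirements lines are constructed for the example; the similarity cutoff is an assumed value.

```python
"""Flag lookalike package names before they reach pip.

Added example, not PyPI's or the reporting researchers' code. KNOWN_GOOD
and the requirements lines are constructed for illustration; the 0.85
cutoff is an assumed threshold, not a published value.
"""
import difflib
import re

# Constructed allowlist: what this project is actually allowed to depend on.
KNOWN_GOOD = ["crytic-compile", "slither-analyzer", "web3", "eth-abi", "requests"]


def normalize(name):
    """Normalize a distribution name the way the package index does
    (case-insensitive; any run of '-', '_' or '.' becomes a single '-'), so
    'Crytic_Compile' and 'crytic-compile' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike(requested, known=KNOWN_GOOD, cutoff=0.85):
    """Classify a requested name as ('exact', canonical), ('lookalike',
    canonical) when it is close to but not equal to an allowed name, or
    ('unknown', None) when it resembles nothing on the list."""
    req = normalize(requested)
    canonical = {normalize(k): k for k in known}
    if req in canonical:
        return ("exact", canonical[req])
    close = difflib.get_close_matches(req, list(canonical), n=1, cutoff=cutoff)
    if close:
        return ("lookalike", canonical[close[0]])
    return ("unknown", None)


def check_requirements(lines, known=KNOWN_GOOD):
    """Parse requirements-style lines and return [(requested, looks_like)]
    for every name that is a near miss of an allowed package. Comments and
    version specifiers are stripped before comparison."""
    flagged = []
    for line in lines:
        spec = line.split("#", 1)[0].strip()
        if not spec:
            continue
        name = re.split(r"[<>=!~\[; ]", spec, 1)[0]
        verdict, target = lookalike(name, known)
        if verdict == "lookalike":
            flagged.append((name, target))
    return flagged


# Constructed requirements file for the example (version pins are arbitrary).
SAMPLE_REQUIREMENTS = [
    "crytic-compilers==1.0.0  # pinned",
    "slither-analyzer>=0.10",
    "Crytic_Compile",
    "requests",
]

if __name__ == "__main__":
    for requested, target in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"'{requested}' looks like '{target}': verify the publisher before installing")
```

A package that pulls in the genuine library as a dependency, as this one did, passes any check that only inspects what ends up installed; the name comparison has to happen on what was requested, before resolution.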
Advanced IP Scanner Installer: a Cobalt Strike Trap
Cybercriminals are using typosquatted domains and malicious search ads to distribute a backdoored installer for the Advanced IP Scanner tool. The tampered installer carries a malicious DLL that injects a Cobalt Strike beacon, giving the attackers persistent control of the compromised machine. The beacon communicates with C2 servers at nanopeb[.]com and coldfusioncnc[.]com; both domains are worth adding to DNS and proxy blocklists, and installers for admin tools should be fetched only from the vendor's own site.
Kiuwan patches vulnerabilities
Roughly two years after SEC Consult reported them, code security firm Kiuwan patched critical vulnerabilities in its static application security testing products. The flaws include cross-site scripting (XSS), XML external entity (XXE) injection, privilege escalation, and insecure direct object reference (IDOR) bugs. Although remote exploitation is not straightforward, the flaws could compromise the confidentiality of the platform and expose sensitive information, including the source code the product is meant to scan, so affected customers should confirm they are on the patched releases.
Severe bug in RISC-V
A Chinese research team at Northwestern Polytechnical University identified a severe security flaw in the design of RISC-V processors. The vulnerability allows attackers to bypass modern processors' security measures without administrative rights, leading to potential theft of sensitive information and breaches of personal privacy. The discovery is part of China's national key research and development program in processor hardware security, initiated in 2021.