
Cyware Daily Threat Intelligence


Daily Threat Briefing Jun 7, 2024

In the ever-evolving landscape of cyberspace, there's a mix of highs and lows. Ukrainian cyber defenders have uncovered the resurgence of the Vermin hacker group, targeting the country’s defense forces with spear-phishing emails containing SPECTR malware. The malware acts as a RAT, and the campaign, named SickSync, marks the group's first major activity since March 2022.

Meanwhile, hackers are capitalizing on two old vulnerabilities in ThinkPHP applications (CVE-2018-20062 and CVE-2019-9082) to deploy a persistent web shell named Dama, enabling remote control and extensive system exploitation.

In a different corner of the digital world, attackers are wiping contents from GitHub repositories and extorting victims for data restoration, posing as cyber incident analysts under the handle Gitloker on Telegram. This wave of attacks underscores the persistent threats to users' private repositories, necessitating vigilant security practices.

Top Malware Reported in the Last 24 Hours

Vermin hackers resurface

Ukrainian cyber defenders have discovered the return of the Vermin hacker group, targeting the country’s defense forces with spear-phishing emails containing SPECTR malware. The malware acts as a RAT and is used to steal sensitive information. The group's latest campaign, named SickSync, marks its first significant activity since March 2022. The attackers exploited the legitimate Syncthing software for data exfiltration and used spear-phishing emails containing password-protected archives to initiate the attack.

New Mallox ransomware variant unleashed

The Mallox ransomware (aka TargetCompany) group has developed a new Linux variant targeting VMware ESXi environments. This variant only proceeds with the attack if the system is running in a VMware ESXi environment and has administrative rights. The group has been active in various sectors and regions, using sophisticated methods to target high-level users. The variant uses a custom shell script to deliver and execute the ransomware, exfiltrate victim information, and create challenges for incident response.

Top Vulnerabilities Reported in the Last 24 Hours

PoC released for Apache HugeGraph RCE flaw

Apache HugeGraph versions prior to 1.3.0 are vulnerable to a critical remote code execution bug, posing a significant security risk to organizations using the graph database. Exploit code for the CVE-2024-27348 vulnerability is publicly available, potentially allowing attackers to gain complete control over servers and carry out malicious activities. The Apache Software Foundation has urged users to upgrade to version 1.3.0 with Java 11 and enable the Auth system to fix the flaw. Two proof-of-concept exploits have been made public, emphasizing the urgency for users to upgrade to the fixed version to prevent exploitation.

Attackers abuse 2018 ThinkPHP bugs

Hackers are exploiting two old vulnerabilities in ThinkPHP applications, CVE-2018-20062 and CVE-2019-9082, to install a persistent web shell named Dama. This web shell allows further exploitation of breached endpoints, enabling remote server control and advanced capabilities such as file system navigation, file upload, and system data gathering. The campaign, which started in October 2023, has recently intensified and expanded to target a broad range of systems. To mitigate this, organizations should upgrade to the latest ThinkPHP version (8.0).

RansomHub exploits ZeroLogon

The RansomHub RaaS operation has been exploiting the ZeroLogon flaw (CVE-2020-1472) in the Windows Netlogon Remote Protocol to gain access to victims' systems. The attackers have used remote access tools and network scanners to facilitate their attacks. The group shares similarities with the now-defunct Knight ransomware, indicating a potential purchase of its source code.

Top Scams Reported in the Last 24 Hours

New extortion scheme wipes GitHub repos

Attackers are targeting GitHub repositories, wiping their contents, and extorting victims for their data, posing as cyber incident analysts on Telegram. The attackers, using the handle Gitloker on Telegram, claim to have stolen the victims' data and offer to restore the deleted content. This incident is part of a series of attacks on GitHub accounts, with previous incidents involving data theft and phishing campaigns, highlighting the ongoing threat to users' private repositories.
