Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Jun 11, 2020

COVID-19-related relief package schemes initiated by different governments have turned out to be a ripe opportunity for cybercriminals. Lately, business owners using Microsoft Office 365 in the U.K were targeted in a phishing email scam designed to steal their personal information. These emails impersonated legitimate authorities and claimed to offer financial relief to small businesses.

Furthermore, security experts also came across 12 malicious contact-tracing apps that are used to spread a variety of malware. These apps were distributed via websites, other mobile apps, and third-party stores, among other sources.

A new ransomware, dubbed Thanos, was also tracked in the past 24 hours. It uses the unique RIPlace technique to bypass anti-ransomware protections. The malware includes a ftp_file_exfil() function that automatically performs file exfiltration to a remote FTP site while it encrypts a targeted system.

Top Breaches Reported in the Last 24 Hours

A1 Telekom disclosed a hack

Austria’s largest internet service provider, A1 Telekom, admitted falling victim to a cyberattack in November 2019. The hack was believed to be the work of the China-based Gallium threat actor group. It took six months for the firm to restore its infected systems and servers.

Flawed app reveals data

A glitch in the Babylon Health app allowed users to gain access to other users’ video consultations with doctors. The flaw was addressed on June 9 after the telehealth company was informed by a user.

Top Malware Reported in the Last 24 Hours

New Thanos ransomware

A new ransomware, named Thanos, has been found utilizing the RIPlace technique to evade detection. Previously known as Quimera, the ransomware is now sold as a Ransomware-as-a-Service (RaaS) on Russian hacker forums since February 2020. It includes a ftp_file_exfil() function that automatically performs file exfiltration to a remote FTP site as it encrypts a computer.

XMRig installed

Microsoft has revealed a series of attacks against Kubeflow, a toolkit for running Machine Learning (ML) operations on Kubernetes clusters. The attacks, which are active since April this year, are being carried out to install an XMRig miner on vulnerable Kubernetes clusters. The attackers are taking advantage of publicly exposed Kubeflow management panel to launch these attacks.

TrickBot returns

A phishing email campaign asking recipients to vote anonymously on Black Lives Matter has been found spreading the TrickBot trojan. The subject line of the email states, “Leave a review confidentially about 'Black Lives Matter’. It prompts the recipients to fill out and return an attached document named ‘e-vote_form_3438.doc.’

Fake contact-tracing apps

Researchers have traced 12 malicious contact-tracing apps that contain a wide range of malware, including Anubis and SpyNote. These apps are likely being distributed via other mobile apps, third-party stores, and websites, among other sources. Researchers learned that these apps are targeting citizens across multiple countries.

Top Vulnerabilities Reported in the Last 24 Hours

Details of an RCE flaw released

Cisco’s Talos threat intelligence and research group has released details about a recently patched code execution vulnerability in Firefox. The flaw, tracked as CVE-2020-12405, features a CVSS score of 8.8 and can be exploited when the user navigates to a malicious page. It was fixed with the release of Firefox 77.

SAP patches flaw

SAP has addressed a total of 19 vulnerabilities as part of its June 2020 Patch Tuesday. Out of these, two are rated ‘Critical’. These flaws are identified as CVE-2020-1938 and CVE-2020-6265 and have a CVSS score of 9.8.

VMware issues patches

VMware has patched a high-severity information disclosure vulnerability affecting its Workstation, Fusion, and vSphere virtualization products. The flaw is tracked as CVE-2020-3960 and could allow attackers with non-admin access to a machine to read privileged information from memory.

SMBleed patched

Microsoft’s June 2020 Security Updates includes a fix for a Server Message Block (SMB) protocol bug that could allow attackers to leak kernel memory remotely without authentication. Called SMBleed and tracked as CVE-2020-1206, the flaw is linked to SMBGhost which was addressed in March 2020.

Top Scams Reported in the Last 24 Hours

Microsoft Office 365 users targeted

Business owners with Microsoft Office 365 accounts are being targeted in a phishing email campaign that appears to come from the U.K government. These emails claim to offer financial relief announced by the government to small businesses. Attached in the emails is a link to a COVID-19-Relief-Payment.PDF document, which if clicked, redirects the users to a benign Dropbox Transfer landing page. The purpose of the scam is to steal personal details of individuals.

Related Threat Briefings

Feb 13, 2025

Cyware Daily Threat Intelligence, February 13, 2025

Cybercriminals aren’t just after your data, they want full control of your device, and they’re getting better at it. The new BTMOB RAT is spreading through phishing sites disguised as streaming services and crypto platforms. This upgraded version of SpySolr RAT goes beyond basic spying and leverages Android’s Accessibility Service. Hackers never forget old exploits. Attackers are ramping up efforts to exploit vulnerabilities from 2022 and 2023, targeting unpatched ThinkPHP and ownCloud systems. Researchers have tracked nearly 600 unique IPs abusing these flaws, proving that even years-old vulnerabilities remain dangerous if left unresolved. Kimsuky is turning fake error messages into a weapon. Inspired by ClickFix campaigns, the North Korean APT has been pushing info-stealers through deceptive pop-ups, tricking victims into running malicious PowerShell commands. Masquerading as a South Korean official, the group lures targets into downloading malware under the guise of document registration.

Feb 12, 2025

Cyware Daily Threat Intelligence, February 12, 2025

Pirated software isn’t just a bargain, it’s a backdoor. Russian hackers are using fake KMS activators and bogus Windows updates to slip malware onto unsuspecting systems in Ukraine. By disguising malware as KMS activators and bogus updates, they deploy DarkCrystal RAT, turning routine software installations into a Trojan horse for cyber-espionage. Microsoft’s February Patch Tuesday is here. This month’s update tackles 55 security flaws, including four zero-days - two of which are actively exploited. Among the most critical fixes are three RCE vulnerabilities, reinforcing why timely patching isn’t just recommended, it’s essential. Romance scams aren’t new, but cybercriminals are getting bolder just in time for Valentine’s Day. A phishing campaign disguised as a Valentine basket giveaway has been circulating, tricking victims into handing over personal data. Researchers found tens of thousands of newly registered Valentine-themed websites in January alone, with 1 in 72 flagged as malicious.

Feb 11, 2025

Cyware Daily Threat Intelligence, February 11, 2025

Hackers are widening their attack surface, and Linux is now in their crosshairs. A new variant of the SystemBC RAT has emerged, stealthily infiltrating Linux environments. Given its history of pairing with ransomware, this development signals a growing threat to corporate systems and cloud infrastructures. Physical access shouldn’t mean instant compromise, but for iPhones and iPads, it briefly did. Apple has rushed to patch a flaw that allowed attackers to disable USB Restricted Mode on locked devices. Designed to prevent unauthorized access, this feature was rendered useless by the vulnerability. Thousands of firewalls meant to protect businesses are instead exposing them to serious risks. Over 12,000 GFI KerioControl firewalls remain unpatched against a critical remote code execution flaw. Despite a fix being available since December, many instances are still vulnerable.

Feb 10, 2025

Cyware Daily Threat Intelligence, February 10, 2025

Cybercriminals are finding new ways to poison the AI supply chain. Researchers uncovered two malicious ML models on Hugging Face, where attackers used corrupted pickle files to smuggle Python malware. This novel technique, dubbed nullifAI, aimed to bypass security scans and establish a backdoor. In another case of SEO manipulation, threat actors hijacked IIS servers in Asia, injecting BadIIS malware to manipulate search results and drive unsuspecting users to illegal gambling sites. Government and university servers in Asian countries were among those exploited. Researchers linked the campaign to DragonRank, a Chinese-speaking group. Patching delays could turn into a disaster. CISA warned that a vulnerability in Trimble Cityworks GIS software is being actively exploited for remote code execution. Even though patches were released, attackers continued taking advantage of unpatched systems, prompting its urgent addition to the KEV catalog.

Feb 7, 2025

Cyware Daily Threat Intelligence, February 07, 2025

North Korean hackers are refining their phishing playbook, now using the forceCopy malware to hijack credentials. The Kimsuky hacking group is targeting victims with deceptive emails containing Windows shortcut files disguised as Microsoft Office or PDF documents. The attack also involves the usage of additional malware. CISA has added critical vulnerabilities to its KEV catalog, signaling an urgent need for patching. The list includes flaws in Microsoft Outlook and Sophos XG Firewall, both carrying a CVSS score of 9.8. Federal agencies have until February 27 to patch these. A long-standing Chinese cyber-espionage group, GreenSpot APT, is running a phishing campaign that preys on users of the popular Chinese email service 163[.]com. The group, which has been active since 2007, has registered fake domains to steal login credentials from government and military personnel

Feb 6, 2025

Cyware Daily Threat Intelligence, February 06, 2025

Cybercriminals are getting more sophisticated, turning search engines into traps. A fake Google ad for Cisco AnyConnect led unsuspecting users to a counterfeit website, mimicking a German university to evade security filters. The fraudulent site redirected victims to a spoofed Cisco download page, pushing NetSupport RAT as the legitimate AnyConnect installer. Russian organizations are under fire as attackers distribute NOVA stealer, a new variant of SnakeLogger, through phishing emails. Advertised on underground forums as MaaS for as little as $50 per month, NOVA is designed for credential theft, keylogging, and clipboard data extraction. Cisco has patched two critical vulnerabilities in its Identity Services Engine, which could allow remote attackers to execute commands and manipulate system configurations. Exploited through specially crafted API requests, these flaws pose significant risks for enterprises using ISE for authentication and network control.

Feb 5, 2025

Cyware Daily Threat Intelligence, February 05, 2025

North Korean hackers are turning fake job interviews into a gateway for cyber espionage. SentinelOne identified new variants of the macOS malware FlexibleFerret, used in the Contagious Interview operation to lure targets with fake job interviews. Victims are tricked into downloading malicious software disguised as virtual meeting tools, allowing attackers to gain control over their systems. Cyberespionage groups are shifting their sights to the backbone of enterprise networks. A newly discovered malware, linked to the DaggerFly APT group, is targeting Linux-based network devices instead of standard endpoints. By hijacking SSH connections and replacing system binaries, the malware ensures long-term persistence while silently extracting sensitive data. A security flaw in AMD processors has raised concerns over hardware-based attacks. This bug could allow attackers with admin access to load malicious microcode, potentially undermining system integrity. This exploit underscores the growing risks of hardware security gaps, where even minor weaknesses can have major consequences.

Feb 4, 2025

Cyware Daily Threat Intelligence, February 04, 2025

Cybercriminals are finding new ways to weaponize everyday tools, and this time, they’re using TryCloudflare to hide their tracks. Researchers uncovered a phishing campaign that stealthily delivers AsyncRAT via Python scripting and cloud tunnels. The attack starts with a Dropbox link leading to a maze of scripts that ultimately drop a harmful payload. Even AI developers aren’t safe from deception. Threat actors have infiltrated PyPI with two malicious packages disguised as legitimate tools for DeepSeek. These fraudulent packages steal sensitive data, from user credentials to API keys, proving once again that trust in open-source repositories can be a double-edged sword. One small vulnerability, one massive risk. Russian cybercriminals exploited a zero-day in 7-Zip to deliver SmokeLoader in attacks on Ukrainian entities. By bypassing Windows Mark-of-the-Web protections, the attackers tricked victims into executing malware-laden files.

Feb 3, 2025

Cyware Daily Threat Intelligence, February 03, 2025

Cybercriminals are exploiting trust and social engineering at scale, preying on unsuspecting victims across industries. The Russian-speaking cybercrime gang Crazy Evil has been linked to over 10 social media scams, tricking users into installing malware like StealC and AMOS. Operating primarily through Telegram, the group specializes in identity fraud, cryptocurrency theft, and info-stealers. A wedding invitation should bring good news, not malware. Hackers in Malaysia and Brunei are targeting users with fake wedding invites spread via WhatsApp and Telegram, tricking them into installing a new Android malware called Tria. The campaign resembles UdangaSteal but focuses on new social engineering tactics. Even the tightest security can come undone with a race condition. Apple patched a critical vulnerability in macOS Sonoma, Sequoia, and iPadOS, which allowed hackers to escalate privileges and run code at the kernel level. Apple fixed the issue by improving memory management, but this serves as another reminder that even the most secure systems need constant vigilance.

Jan 31, 2025

Cyware Daily Threat Intelligence, January 31, 2025

Cybercriminals are sharpening their tactics, and Brazilian financial firms are the latest target. The Coyote banking trojan is on the prowl, using malicious Windows LNK files to execute PowerShell scripts that steal data and compromise systems. Meanwhile, a new browser-based threat is emerging—syncjacking. This attack exploits malicious extensions to hijack browsers, disable security settings, and access stored credentials. In its final stage, attackers gain full control of devices, including cameras and audio, without detection. Speaking of hidden threats, users of Microsoft Ads are being tricked by fraudulent Google ads leading to phishing pages designed to steal their login credentials. This campaign has persisted for two years, slipping past security filters and mimicking Microsoft’s login process with deceptive precision. For detailed Cyber Threat Intel, click ‘Read More’.

Jan 29, 2025

Cyware Daily Threat Intelligence, January 29, 2025

Cybercriminals are refining their tactics, blending deception with persistence to breach defenses. A financially motivated threat actor has been running a phishing email campaign since last year, targeting users in Poland and Germany. The attacks use payloads like Agent Tesla, Snake Keylogger, and a new backdoor named TorNet. Zyxel CPE Series devices are under siege as researchers uncover an actively exploited zero-day vulnerability. This flaw allows attackers to execute remote commands, potentially leading to system takeovers, data loss, and network intrusions. The attacks, originating primarily from Taiwan, have compromised over 1,500 devices, sparking urgent calls for users to apply security updates. Phishing scams continue to evolve, with a new campaign exploiting PDF documents to steal Amazon Prime credentials. Victims receive emails warning of an expired membership, leading them to a fake Amazon login page where they unknowingly hand over personal and credit card information.

Jan 28, 2025

Cyware Daily Threat Intelligence, January 28, 2025

Even the sleekest systems have their cracks. Apple has patched a critical CoreMedia vulnerability that hackers have already exploited to target devices. The flaw, which impacts how audio and video are processed, had been actively used against earlier versions of iOS prior to iOS 17.2. Apple’s fix is now available for iPhones XS and later, select iPads, and the company’s latest hardware. Security shouldn’t feel like Swiss cheese. Yet, SonicWall’s SMA1000 appliances are under siege, with attackers exploiting a critical vulnerability to install malware without requiring credentials. Despite a patch being available, over 5,000 devices remain exposed, allowing hackers to hijack SSL VPN sessions remotely. Think twice before clicking on that delivery notification. Phishers posing as USPS are sending fraudulent SMS messages claiming a package couldn’t be delivered due to “incomplete address information.” With over 630 phishing pages spanning 50 countries, the campaign targets unsuspecting individuals at an alarming scale. In today’s digital landscape, not all deliveries are worth opening - especially the fraudulent ones.