Cyware Daily Threat Intelligence
Daily Threat Briefing • Jun 17, 2024
The Spinning YARN threat actor, ever weaving its cryptic web, has embarked on a fresh cryptojacking campaign, casting its net wide over publicly exposed Docker Engine hosts. The attackers have been exploiting often-overlooked vulnerabilities in misconfigured Docker, Apache Hadoop, Redis, and Confluence servers.
A novel Linux malware, named DISGOMOJI, has emerged from the shadows. Utilizing the playful guise of emojis and leveraging Discord for C&C, this malware targets government entities in India with chilling precision.
Meanwhile, in the realm of network security, ASUS has rolled out a crucial firmware update addressing a grave authentication bypass vulnerability that threatens seven of its router models. This flaw, if left unchecked, could allow remote attackers to seize control of these devices.
Spinning YARN launches cryptojacking campaign
The Spinning YARN threat actors launched a new cryptojacking campaign that targets publicly exposed Docker Engine hosts using new binaries and a persistence mechanism. The campaign exploits misconfigured Docker, Apache Hadoop, Redis, and Confluence servers, gaining full access to the system and installing persistence for malicious activities. New payloads have been discovered, showing continued development of the campaign.
Websites in BadSpace
Legitimate websites are being used to deliver a Windows backdoor, BadSpace, through fake browser updates. The multi-stage attack chain involves infected websites, command-and-control servers, fake browser updates, and a JScript downloader to deploy the backdoor. The BadSpace backdoor is capable of anti-sandbox checks, system information harvesting, and executing commands, highlighting the advanced capabilities of the malware.
Emojis gone rogue
A new Linux malware named DISGOMOJI has been discovered, using emojis and Discord for command and control in attacks on government entities in India. The malware exfiltrates system information and uses nine emojis to execute commands on infected devices, maintaining persistence through an @reboot cron entry and other mechanisms. It was distributed through phishing emails and specifically targets a custom Linux distribution used by Indian government agencies. Because its commands are emojis rather than text, it can slip past security software that looks for text-based commands, making it a unique and concerning threat.
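The persistence mechanism named above, an `@reboot` cron entry, is something a defender can hunt for directly. As an added example (not from the briefing or the underlying malware analysis), the following Python parses crontab text and reports entries that run at boot or launch a command from a temporary or hidden directory. The sample crontab is constructed; the hidden-directory heuristic is an assumption of this example, not a documented DISGOMOJI indicator.

```python
"""Flag cron persistence entries of the @reboot kind.

Added example, not from the briefing. Parses crontab text (user or
system style without the user field) and reports entries that run at
boot or launch from temp/hidden paths. The sample crontab is constructed.
"""
import re

# Constructed sample crontab: one routine job, two boot-time launchers.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/.config/.x/agent &
@hourly /opt/backup/run.sh
@reboot /tmp/.s/updater
"""

# Schedule shortcuts accepted by cron.
SPECIALS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
            "@daily", "@midnight", "@hourly"}
# Locations where a persistent agent should not live (heuristic).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")


def parse_crontab(text: str) -> list[tuple[str, str]]:
    """Return (schedule, command) pairs, skipping comments and VAR= lines."""
    entries: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:
            continue  # environment assignment such as PATH=...
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in SPECIALS:
                entries.append((parts[0], parts[1]))
        else:
            parts = line.split(None, 5)
            if len(parts) == 6:
                entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def find_boot_persistence(text: str) -> list[dict]:
    """Return entries worth review, each with the reasons it was flagged."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if schedule == "@reboot":
            reasons.append("runs at boot")
        if any(d in command for d in SUSPICIOUS_DIRS) or HIDDEN_DIR.search(command):
            reasons.append("command in temp or hidden directory")
        if reasons:
            findings.append({"schedule": schedule, "command": command,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_boot_persistence(SAMPLE_CRONTAB):
        print(f"{f['schedule']:8} {f['command']}  <- {', '.join(f['reasons'])}")
```

Feed it the output of `crontab -l` for each user and the files under `/etc/cron.d` (the latter carry an extra user field after the schedule, so strip it first); the result is a review list, not a verdict, since boot-time jobs are also used legitimately.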
Cyber-espionage campaign drops PlugX
A prolonged attack on an organization in East Asia has been attributed to Velvet Ant, a sophisticated cyber espionage actor with suspected ties to China. The actor utilized legacy F5 BIG-IP appliances as internal command-and-control for defense evasion. The attack involved the use of the PlugX backdoor and open-source tools for lateral movement. The threat actor deployed two versions of PlugX, with one using an internal file server for C&C to blend in with legitimate network activity. Additionally, out-of-date F5 BIG-IP devices were abused as a covert channel for communication. The exact initial access vector is currently unknown.
ASUS warns of critical vulnerability
ASUS has released a firmware update to fix a critical authentication bypass vulnerability (CVE-2024-3080) affecting seven router models, allowing remote attackers to take control of the devices. Users are advised to update to the latest firmware and strengthen their account and WiFi passwords. Additionally, other vulnerabilities, such as a buffer overflow issue and an arbitrary firmware upload problem, have been addressed. Certain router models have reached their end-of-life and will not receive security updates. ASUS also announced an update to Download Master to address medium to high-severity issues.
Ransomware attacks exploit Windows bug
CISA added a high-severity Windows vulnerability, CVE-2024-26169, to its KEV Catalog. The vulnerability is caused by an improper privilege management weakness in the Windows Error Reporting service. This flaw allows local attackers to gain high-level permissions without user interaction. Microsoft has released a patch, but evidence suggests that the Black Basta ransomware group exploited the vulnerability before the patch was available. CISA has instructed federal agencies to patch the vulnerability within three weeks to prevent ransomware attacks.